Microsoft Biztalk Server ISAPI HTTP Receive function buffer overflow

From: Cesar (cesarc56_at_UOL.COM.AR)
Date: 05/05/03

  • Next message: Cesar: "Microsoft Biztalk Server DTA vulnerable to SQL injection" 
    Date:         Mon, 5 May 2003 17:24:40 -0300
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    Security Advisory

    Name: Microsoft Biztalk Server ISAPI HTTP Receive
    function buffer overflow
    System Affected : Microsoft BizTalk Server 2002
    Severity : High
    Remote exploitable : Yes
    Author: Cesar Cerrudo.
    Date: 05/05/03
    Advisory Number: CC040301

    Legal Notice:

    This Advisory is Copyright (c) 2003 Cesar Cerrudo.
    You may distribute it unmodified and for free. You may
    NOT modify it and distribute it or distribute parts of
    it without the author's written permission. You may NOT
    use it for commercial intentions (this means include it
    in vulnerabilities databases, vulnerabilities scanners,
    any paid service, etc.) without the author's written
    permission. You are free to use Microsoft bulletin's
    details for commercial intentions.

    Disclaimer:

    The information in this advisory is believed to be true
    though it may be false.
    The opinions expressed in this advisory are my own and
    not of any company. The usual standard disclaimer
    applies, especially the fact that Cesar Cerrudo is not
    liable for any damages caused by direct or indirect use
    of the information or functionality provided by this
    advisory. Cesar Cerrudo bears no responsibility for
    content or misuse of this advisory or any derivatives
    thereof.

    Overview:

    Microsoft Biztalk Server is a Microsoft product for
    business-process automation
    and application-integration both within and between
    businesses. BizTalk Server
    provides a powerful Web-based development and execution
    environment that integrates
    loosely coupled, long-running business processes, both
    within and between companies.
    BizTalk Server features include integration among
    existing applications; the definition
    of document specifications and specification
    transformations; and the monitoring and
    logging of run-time activity. The server provides a
    standard gateway for sending and
    receiving documents across the Internet, as well as
    providing a range of services that
    ensure data integrity, delivery, security, and support
    for the BizTalk Framework and
    other key document formats.
    BizTalk Server 2002 provides the ability to exchange
    documents using the HTTP format.
    A buffer overflow exists in the component used to
    receive HTTP documents - the HTTP
    receiver - and could result in an attacker being able
    to execute code of their choice
    on the BizTalk Server.

    Details:

    An HTTP receive function is an Internet Server
    Application Programming Interface
    (ISAPI) extension that provides an "out-of-the-box"
    utility for immediately receiving
    documents over Hypertext Transfer Protocol (HTTP). The
    ISAPI is named BizTalkHTTPReceive.dll.
    By submiting a HTTP request with an overly long string
    as query string parameter a
    buffer overflow ocurrs:

    POST /Site/biztalkhttpreceive.dll?XXXX...(more than 250
    chars) HTTP/1.0
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows
    NT 5.0; .NET CLR 1.0.3705)
    Host: servername
    Content-Length: <Data submited length>
    Proxy-Connection: Keep-Alive
    Pragma: no-cache

    <...Data submited...>

    This vulnerability can be directly exploited by an
    attacker if he has enough permissions
    (this will depends on web server configuration), if the
    attacker hasn't enough permissions
    he can exploit it through XSS or sending an
    administrator an HTML e-mail, etc. targeting
    the vulnerable server.
    Depending on the Windows user account configured to run
    COM+ Applications under for the
    vulnerable site (the user account configured always
    must have access to BizTalk Messaging
    Management database and the COM+ packages BizTalk
    Server Interchange Application and BizTalk
    Server Internal Utility), explotation of this
    vulnerability will allow an attacker to complete
    compromise OS and/or Biztalk Server files and databases.

    Workaround:

    Remove BizTalkHTTPReceive.dll ISAPI if you are using
    HTTP receive function and use another
    receive functions like Message Queuing receive function
    or file receive function.

    Vendor Status :

    Microsoft was contacted on 02/14/03, we work together
    and Microsoft released a fix.

    Patch Available :

    http://www.microsoft.com/technet/security/bulletin/MS03-
    016.asp

    _________________________________________________________________
    UOL Sinectis - Mucha m&aacutes Internet
    http://www.uol.com.ar

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by IP3 Inc.
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    SECURITY QUESTIONS? We've got answers...Apply for a scholarship and become
    TICSA certified.

    Do not miss your opportunity to discover solutions to what our participants
    have identified as their top 5 IT Security Challenges. You will return to
    work better prepared to put into place an effective security strategy
    utilizing the latest security tools, bookmarks and URL's.

    <http://www.ip3seminars.com>

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

  • Next message: Cesar: "Microsoft Biztalk Server DTA vulnerable to SQL injection"

    Relevant Pages