[NT] Unchecked Buffer in Profile Service Could Allow Code Execution in Commerce Server

From: support@securiteam.com
Date: 06/27/02 

From: support@securiteam.com
To: list@securiteam.com
Date: Thu, 27 Jun 2002 19:24:02 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Unchecked Buffer in Profile Service Could Allow Code Execution in Commerce
Server
------------------------------------------------------------------------

SUMMARY

Commerce Server 2000 and Commerce Server 2002 are web server products for
building e-commerce sites. These products provide tools and features that
simplify developing and deploying e-commerce solutions, and provide tools
that let the site administrator analyze the usage of their e-commerce
site.

Four vulnerabilities exist in the Commerce Server products:
 * A vulnerability that results because the Profile Service contains an
unchecked buffer in a section of code that handles certain types of API
calls. The Profile Service can be used to enable users to manage their own
profile information and to research the status of their order. An attacker
who provided specially malformed data to certain calls exposed by the
Profile Service could cause the Commerce Server process to fail, or could
run code in the LocalSystem security context. This vulnerability only
affects Commerce Server 2000.
 * A buffer overrun vulnerability in the Office Web Components (OWC)
package installer used by Commerce Server. An attacker who provided
especially malformed data as input to the OWC package installer could
cause the process to fail, or could run code in the LocalSystem security
context. This vulnerability only affects Commerce Server 2000.
 * A vulnerability in the Office Web Components (OWC) package installer
used by Commerce Server. An attacker who invoked the OWC package installer
in a particular manner could cause commands to be run on the Commerce
Server according to the privileges associated with the attacker's log on
credentials. This vulnerability only affects Commerce Server 2000.
 * A new variant of the ISAPI Filter vulnerability discussed in Microsoft
Security Bulletin MS02-010. This variant affects both Commerce Server 2000
and Commerce Server 2002.

DETAILS

Affected Software:
 * Microsoft Commerce Server 2000
 * Microsoft Commerce Server 2002

Mitigating factors:
Profile Service buffer overrun:
 * The affected API calls in the Profile Service are not exposed to the
Internet by default. The administrator must set up a Commerce Server site
and include Profile Service calls as part of that site.
 * The URLScan tool, if deployed using the default rule set for Commerce
Server, would make it difficult if not impossible for an attacker to
exploit the vulnerability to run code, by significantly limiting the types
of data that could be included in an URL. It however would still be
possible to conduct denial of service attacks.
 * Best practices for web site design can prevent this vulnerability from
being exposed by limiting user input that can be accepted by input fields.

OWC package buffer overrun:
 * For an attack to succeed, the attacker would need to have credentials
to log on to the Commerce Server 2000 computer on which the OWC package
installer is kept.
 * Best practices suggests that unprivileged users not be allowed to
interactively log onto business-critical servers. If this recommendation
has been followed, unprivileged users would not have access to Commerce
Server machines.

OWC package command execution:
 * For an attack to succeed, the attacker would need to have credentials
to log on to the Commerce Server 2000 computer on which the OWC package
installer is kept.
 * Best practices suggests that unprivileged users not be allowed to
interactively log onto business-critical servers. If this recommendation
has been followed, unprivileged users would not have access to Commerce
Server machines.

New variant of the ISAPI filter buffer overrun:
 * Although Commerce Server does rely on IIS for its base web services,
the AuthFilter ISAPI filter is only available as part of Commerce Server.
Customers using IIS are at no risk from this vulnerability.
 * The URLScan tool , if deployed using the default rule set for Commerce
Server, would make it difficult if not impossible for an attacker to
exploit the vulnerability to run code, by significantly limiting the types
of data that could be included in a URL. It however would still be
possible to conduct denial of service attacks.
 * An attacker's ability to extend control from a compromised web server
to other machines would depend heavily on the specific configuration of
the network. Best practices recommend that the network architecture
account for the inherent high-risk that machines in an uncontrolled
environment, like the Internet, face by minimizing overall exposure though
measures like DMZ's, operating with minimal services and isolating contact
with internal networks. Steps like this can limit overall exposure and
impede an attacker's ability to broaden the scope of a possible
compromise.
 * While the ISAPI filter is installed by default, it is not loaded on any
web site by default. It must be enabled through the Commerce Server
Administration Console in the Microsoft Management Console (MMC).

Patch availability:
Download locations for this patch
 * Microsoft Commerce Server 2000:
    <http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39591>
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39591
 * Microsoft Commerce Server 2002:
    <http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39550>
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39550

What vulnerabilities are addressed by this patch?
This patch addresses four vulnerabilities:
 * A vulnerability that could allow an attacker to run code of their
choice via the Profile Service, affecting only Commerce Server 2000.
 * A buffer overrun vulnerability associated with the OWC package
installer that could allow an attacker to run code of their choice,
affecting only Commerce Server 2000.
 * A vulnerability associated with the OWC package installer that could
allow an attacker to run commands of their choice, affecting only Commerce
Server 2000.
 * A new variant of the ISAPI Filter vulnerability discussed in Microsoft
Security Bulletin MS02-010. This variant affects both Commerce Server 2000
and Commerce Server 2002.

What's Microsoft Commerce Server?
Commerce Server is a web server product that is tailored for building
e-commerce sites. It provides tools and features that simplify developing
and deploying e-commerce solutions, and provides tools that let the site
administrator analyze the usage of the site.

I'm running Site Server 3.0 Commerce Edition. Am I affected by these
vulnerabilities?
No. Site Server 3.0 and Site Server 3.0 Commerce Edition, the predecessor
product to Commerce Server 2000, are not affected by these
vulnerabilities.

Profile Service buffer overrun:
What's the scope of the first vulnerability?
This is a buffer-overrun vulnerability. An attacker who successfully
exploited this vulnerability could gain complete control over an affected
IIS server. This would give the attacker the ability to add, delete or
change any data on the server, reformat the hard drive, or take other
actions.

For an attack to succeed, the attacker would need to have credentials to
log on to the Commerce Server web site, and so would have either to be a
registered user or go to a Commerce Server web site that allows
self-registration.

If the site is using URLScan or follows best practices with regard to
limiting user input, then the risks of a successful attack against a
Commerce Server site would be significantly reduced.

What causes the vulnerability?
The vulnerability results because an API method in the Profile Service
contains an unchecked buffer. The administrator setting up the Commerce
Server site may choose to include the Profile Service and the affected
API.

What is the Profile Service used for?
Using the Commerce Server Profile Service, web sites can provide users
with the ability to manage their own profile information. Users could
research the status of orders, be presented with custom catalogs, and
receive discounts and advertising tailored for them. The Profile Service
also helps organizations to store and manage customer information to
provide better service and offerings for their customers.

Is the Profile Service installed by default?
The Profile Service is installed by default, but not enabled by default.
The administrator setting up the Commerce Server site may choose to use
the capabilities provided by Profile Services on the site.

For example, Commerce Server 2000 comes with three Solution Sites, which
are development reference sites that provide an integrated set of features
included in Commerce Server. The administrator setting up Commerce Server
could use the Retail Solution Site to set up a business-to-consumer web
site. This Solution Site includes the ability for users to manage their
own profile information and to view their order status.

What would this vulnerability enable an attacker to do?
Depending on the specific data the attacker chose, either of two effects
could occur:
 * If the data were randomly selected, the IIS process would fail.
 * If the data were carefully selected, it could be possible for the
attacker to run code of their choice on the Commerce Server system.

How might an attacker exploit the vulnerability?
An attacker would first have to logon to a Commerce Server site-using
credentials that are valid for the site. Either means they would need to
already have valid credentials or the site would have to allow users to
set up credentials on their own, using self-registration that has been set
up by the Commerce Server administrator. They would then have to visit a
page that is using the affected Profile Service APIs. The attacker would
supply especially malformed data to an input field that is using an
affected Profile Service API.

Could an attack be carried out across the Internet?
Yes, as long as the attacker had credentials on the Commerce Server, as
discussed above, he could seek to exploit this vulnerability remotely
across the Internet.

Could this vulnerability be exploited by accident?
No. The attacker would have to submit specially malformed data as input to
the affected Profile Service calls.

I've installed the URLScan tool on my server. Will it prevent attacks via
this vulnerability?
By default, the URLScan tool would prevent an attacker from using the
vulnerability to gain control over the server. This is because the default
rule set for Commerce Server outlaws certain types of data, without which
it would not be possible to modify the Commerce Server process to take
meaningful action. By default, only ASCII data is allowed to pass.

On the other hand, even with URLScan installed, an attacker could still
cause the Commerce Server process to fail. As a result, even customers who
are using URLScan should install the patch.

What does the patch do?
The patch eliminates the vulnerability by instituting proper buffer
handling within the Profile Service.

OWC package buffer overrun:
What's the scope of the second vulnerability?
This is a buffer-overrun vulnerability. An attacker who successfully
exploited this vulnerability would gain complete control over the machine.
This would allow the attacker to take any desired action on the machine,
such as adding, deleting, or modifying data on the system, creating or
deleting user accounts, and adding accounts to the local administrators
group.

For an attack to succeed, the attacker would need to have credentials to
log on to the computer and access to the directory where the OWC package
is held. Best practices suggests that unprivileged users not be allowed to
interactively log onto business-critical servers; so if best practices
were followed, systems such as a Commerce Server computer would not be at
risk from this vulnerability.

What causes the vulnerability?
The vulnerability results because the OWC Package contains an unchecked
buffer.

What is the OWC Package for?
This installer package contains the Office Web Components that are shipped
for use with Commerce Server. Running this executable puts the Office Web
Components onto the computer for use with Commerce Server. The Office Web
Components are installed by default when you set up Commerce Server 2000.

How are Office Web Components used by Commerce Server?
The Office Web Components are used by Commerce Server Business Desk.
Commerce Server Business Desk is a Web-based site management tool included
with Microsoft Commerce Server 2000. Business Desk hosts business
management modules that you use to configure, manage, and analyze your
Commerce Server site.

What would this enable an attacker to do?
Depending on the specific data the attacker chose, either of two effects
could occur:
 * If the data were randomly selected, the IIS process would fail.
 * If the data were carefully selected, it could be possible for the
attacker to run code of their choice on the Commerce Server system in the
LocalSystem context.

How might an attacker exploit the vulnerability?
An attacker would need to access the Commerce Server system-using log on
credentials and then run the OWC package installer with especially
malformed data supplied as an input parameter.

What does the patch do?
The patch mitigates the vulnerability by changing the IIS permissions on
the directory containing the OWC package installer from "script and
executables" to "none". This disallows remote execution of programs from
the directory.

But I thought you said this was a buffer overrun vulnerability, why
doesn't the patch fix the unchecked buffer?
There is a security investigation currently underway regarding the Office
Web Components. Because of that, we felt it was not appropriate to ship a
security patch that contained a component that potentially suffers from a
different, unrelated security issue. On the other hand, we felt it was not
appropriate for these issues to remain unaddressed while we continue that
investigation.

For that reason, we felt it best to address this vulnerability with a
near-term solution that mitigates the exposure to this issue. The
investigation into OWC is continuing as quickly as possible and a
remediation that fully addresses the unchecked buffer will be available as
soon as that is completed.

If the patch mitigates the vulnerability, is there anything I can do to
eliminate it entirely?
Yes, the OWC package installer is named BDOWC.EXE and can be erased. The
OWC package is only used for installation of the Office Web Components.
The BDOWC.EXE program resides in the subdirectory

/Program Files/Microsoft Commerce Server/widgets/owc
And can be erased using Windows Explorer.

OWC package command execution:
What's the scope of the third vulnerability?
This vulnerability could allow an attacker to remotely issue commands. An
attacker who successfully exploited this vulnerability would be able to
execute a command of their choosing via the OWC Package installer.

For an attack to succeed, the attacker would need to have credentials to
log on to the computer and access to the directory where the OWC package
is held. Best practices suggest that unprivileged users not be allowed to
interactively log onto business-critical servers; if best practices were
followed, systems such as a Commerce Server computer would not be at risk
from this vulnerability.

What causes the vulnerability?
The vulnerability results because of a feature of the OWC package
installer. By design, the OWC package installer can allow a command to be
passed as input. This is intended to enable administrators to be able to
customize the installation of the OWC. Because of the permissions on the
folder it resides in, it could actually be executed by any user who can
access the Commerce Site server with valid log on credentials.

What would this enable an attacker to do?
An attacker could use this vulnerability to execute a command on the
system by passing the command as input to the OWC package installer. This
could lead to running a program of the attacker's choice within the
privileges associated with the attacker's credentials.

What does the patch do?
As with the second vulnerability described above, the patch mitigates the
vulnerability by changing the IIS permissions on the directory containing
the OWC package installer from "script and executables" to "none". This
disallows remote execution of programs from the directory.

New variant of the ISAPI filter buffer overrun:
What's the scope of the fourth vulnerability?
This is a new variant of the ISAPI filter buffer overrun vulnerability
discussed in MS02-010. An attacker who successfully exploited this
vulnerability could gain complete control over an affected commerce web
server. This would give the attacker the ability to take any desired
action on the server, including changing web pages, reformatting the hard
drive or adding new users to the local administrators group.

The vulnerability only affects web sites that use Microsoft Commerce
Server; those using IIS are not at risk. In addition, if the recommended
tool has been applied to the server, the seriousness of the vulnerability
would be significantly reduced. Specifically, if the URLScan tool were in
use, the vulnerability could only be used to cause the service to fail,
after which point it would automatically restart itself. The URLScan tool
is not installed by default.

Are there any differences between this vulnerability and the one discussed
in MS02-010?
The new variant is the same as the original one, except for the specific
way in which it could be exploited.

Where can I get more information on the ISAPI filter vulnerability?
Microsoft Security Bulletin MS02-010 discusses this vulnerability in
detail.

What does the patch do?
The patch eliminates the vulnerability by instituting proper buffer
handling for the new variant within the AuthFilter ISAPI filter.

ADDITIONAL INFORMATION

The information has been provided by
<mailto:0_33004_E51E4D7D-DECD-43AE-9A29-36080E8D4C3C_US@Newsletters.Microsoft.com> Microsoft Product Security.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages