[NT] Unchecked Buffer in Content Management Server Could Enable Server Compromise
From: support@securiteam.com Date: 08/08/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 8 Aug 2002 08:12:14 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Unchecked Buffer in Content Management Server Could Enable Server Compromise
------------------------------------------------------------------------
SUMMARY
Microsoft Content Management Server (MCMS) 2001 is a .Net Enterprise
Server product that simplifies developing and managing e-business web
sites. Microsoft has learned of three security vulnerabilities affecting
it:
* A buffer overrun in a low-level function that performs user
authentication. At least one web page included with MCMS 2001 passes
inputs directly to the function, thereby potentially providing a way for
an attacker to overrun the buffer. The result of exploiting the
vulnerability would be to either cause MCMS to fail, or run code in the
context of the MCMS service (which runs as Local System).
* A vulnerability resulting from the confluence of two flaws affecting a
function that allows files to be uploaded to the server. The first flaw
lies in how the function authenticates requests, and would allow any user
to submit an upload request. The second results because it is possible to
override the upload location: where the function should upload files to a
folder that only privileged users can access, it can be made to upload them
to a temporary folder from which unprivileged users can call them. By
exploiting the two flaws in tandem, an attacker could upload an ASP or other
file to the server, in a location from which it could be executed.
* A SQL injection vulnerability affecting a function that services
requests for image files and other resources. Exploiting the vulnerability
could enable an attacker to run SQL commands on the server, which would
not only allow data in the MCMS database to be added, changed or deleted,
but also would enable the attacker to run operating system commands on the
server.
DETAILS
Affected Software:
* Microsoft Content Management Server 2001
Mitigating factors:
Buffer Overrun in MCMS Authentication Operation:
* The scope of the vulnerability could be significantly reduced if the
URLScan tool were deployed on the server. It is likely that in this case,
the vulnerability could only be used for denial of service attacks.
Program Execution via MCMS Authoring Function:
* Exploiting the vulnerability would not grant the attacker
administrative privileges on the server. Instead, the attacker's code
would execute in the security context of the Web Application Manager (the
IWAM_computername account), which has similar privileges to those of an
interactively logged-on user.
SQL Injection via MCMS Resource Request:
* Exploiting the vulnerability would not grant the attacker
administrative privileges on the server. Instead, any operating system
commands would be levied in the security context of the SQL Server 2000
service, which by default has only Domain User privileges.
Patch availability:
Download locations for this patch
* Microsoft Content Management Server 2001:
<http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41266>
What vulnerabilities does this patch eliminate?
This patch eliminates three vulnerabilities involving Microsoft Content
Management Server 2001 (MCMS).
What is Microsoft Content Management Server?
Microsoft Content Management Server (MCMS) enables companies to quickly
and efficiently build, deploy, and maintain web sites. Using MCMS,
companies can create, publish, and manage web content, as well as managing
the server resources that are available to the site.
MCMS operates in conjunction with several other Microsoft products. IIS
5.0 provides the underlying web server functionality, and SQL Server 7.0
or 2000 provides the underlying database support.
What are the vulnerabilities?
There are three vulnerabilities:
* The first vulnerability could enable an attacker to gain complete
control over an affected server.
* The second vulnerability could enable an attacker to gain significant,
but less than complete, control over a server.
* The third vulnerability could enable an attacker to execute SQL
commands on an MCMS server.
Buffer Overrun in MCMS Authentication Operation:
What is the scope of this vulnerability?
This is a buffer-overrun vulnerability. By sending a specially chosen
request to an affected server, an attacker could either disrupt web
services or gain the ability to run a program on the server. Such a
program would run with full system privileges, and be capable of taking
any action the attacker desired.
The URLScan tool, when deployed with the default ruleset, would make it
difficult to use the vulnerability to gain control of the server, and
likely reduce it to a denial of service attack only.
What causes the vulnerability?
The vulnerability results because a function that supports user
authentication in MCMS contains an unchecked buffer. By providing
malformed authentication to a web page that calls the function, it could
be possible to overrun the buffer.
What do you mean by "a function that supports user authentication"?
MCMS offers the ability to host web pages that can only be visited by certain
users. For instance, a company might host a members-only web site, and
require that users authenticate before being given access to the site. MCMS
supports a variety of authentication methods, including web sign-in pages,
pop-up dialogues, and so forth.
Some of these methods include their own capability to adjudicate a user's
credentials; in other cases, a two-step process is used, wherein the site
first gathers the user's credentials and then submits them to an MCMS
system function for adjudication. The vulnerability here lies in one of
the system functions.
What's wrong with the function?
The function contains an unchecked buffer. If a user's credentials
exceeded a certain length, they would overrun the buffer.
What would the vulnerability enable an attacker to do?
An attacker who exploited this vulnerability could use it for either of
two purposes.
* Service disruption. By overrunning the buffer with random data, the
attacker could corrupt program code and cause the MCMS authentication
service to fail, thereby preventing legitimate users from accessing the
web site.
* Change the operation of the MCMS authentication service. By overrunning
the buffer with carefully selected data, the attacker could overwrite
program code on the service with new program code, in essence modifying
its functionality.
Who could exploit the vulnerability?
The vulnerability could be exploited by any user who was able to connect
to an affected server and access a web page that not only collects
authentication data and passes it to the affected system function, but
also does not check the length of the inputs. That is, the web page would
need to have the same flaw as the system function. This is less of a
barrier than it might initially seem, though, as it is true of one of the
web pages included with MCMS by default.
If the vulnerability were exploited to cause the MCMS Authentication
service to fail, what would be needed to restore normal operation?
The administrator would just need to restart the service.
If the vulnerability were exploited to change the operation of the server
software, what would the attacker be able to do?
The attacker could gain complete control over the server. The service
within which the system function runs does so with LocalSystem privileges
- that is, the privileges of the operating system itself.
Would the URLScan tool protect my system against this vulnerability?
It would not offer total protection, but it would significantly reduce the
scope of the vulnerability. By default, URLScan blocks all URLs that
contain non-ASCII data. This would not prevent an attacker from causing
the service to fail - overrunning the buffer with virtually any data would
accomplish that goal. However, it would make it difficult to exploit the
vulnerability to alter the operation of the server software, because the
attacker would need to construct valid executable code using only ASCII
data.
How does the patch eliminate the vulnerability?
The patch restores proper input checking to the system function. In
addition, it institutes proper length checking in the web page that calls
it.
Program Execution via MCMS Authoring Function:
What is the scope of this vulnerability?
This vulnerability could enable an attacker to load a program onto an
affected web server and then execute it. Under default conditions, the
program would have the same privileges as a user who could interactively
log onto the server. While this would not give the attacker control over
the server, it could serve as a beachhead from which the attack could try
to gain additional privileges.
What causes the vulnerability?
The vulnerability results because of a pair of flaws in the way MCMS
handles a particular type of web authoring command. One flaw makes it
possible to spoof the command's authentication; the other makes it
possible to upload executable content instead of the intended type of
content.
What do you mean by web authoring?
One of the purposes of MCMS is to allow authorized users to upload new web
pages that they have created. This process is known as web authoring. The
user submits a command to the server, which then uploads the file to the
server and makes it available for use by other users. In the case of this
vulnerability, the web authoring command is one that is normally used to
upload image files and other non-executable files to the server.
What's wrong with the function?
There are two problems. The first involves how MCMS authenticates the user
levying the request. The function should identify the user, then confirm
the user's permissions to allow him or her to post information to the
server. However, a coding flaw causes MCMS to use the wrong identity when
confirming the user's permission - one that always passes the test. As a
result, any user submitting the request would be authenticated
successfully.
By itself, this flaw would not pose a security vulnerability. The function
is designed to only allow certain types of files to be uploaded, and even
then only to certain locations on the server - ones from which they cannot
be executed. However, a second flaw allows these restrictions to be
bypassed.
What's the second flaw?
The second flaw involves the way the web authoring function uploads files.
By design, a newly uploaded file is first moved to a temporary location.
Almost immediately thereafter, it is stored permanently in a database on
the server, and the temporary copy is deleted. The flaw could enable the
person levying the web-authoring request to change the temporary location
to any desired folder on the server.
Why does the second flaw pose a security problem?
By using the second flaw, an attacker could change the temporary storage
location. Under normal conditions, MCMS stores the file in a folder that
does not allow users to execute it. However, an attacker who exploited the
vulnerability could choose a different folder - one that did allow files
within it to be executed.
Even after exploiting the vulnerability, some timing would be required in
order to actually execute the file - recall that the file only exists in
the temporary location for a short time before it is deleted. Because of
this, the attacker would need to upload the file, then time the attempt to
execute it fairly precisely.
What would these flaws enable an attacker to do?
The two flaws, if exploited in combination, would let an attacker upload
an executable file such as an .asp file and then immediately execute it.
Would the attacker's code run with full control over the system?
No. MCMS uses IIS 5.0 as its core web server engine. On IIS 5.0, asp files
and other executables run out-of-process by default - that is, in the
security context of a special user account called the Web Application
Manager. (Web administrators may know this account better as
IWAM_computername, where computername is the name of the server). This
account has significantly fewer privileges than the IIS service itself,
and does not have full control over the system.
What privileges does the Web Application Manager have?
Essentially, the account has the same privileges as those of an
unprivileged user who was able to log onto the server interactively. It
would not enable an attacker to take administrative action, reconfigure
the server, or access important files such as the Security Account Manager
database.
Nevertheless, it is important not to underestimate the damage that could
be caused using even these privileges. Worse, the vulnerability could
potentially give an attacker a beachhead from which to conduct additional
attacks and try to obtain additional privileges.
Who could exploit the vulnerability?
Any user who could submit a web-authoring request to an affected server
could exploit the vulnerability. In most cases, this would mean that any
user who had connectivity to the server could exploit the vulnerability.
What if web authoring were disabled on the server?
The vulnerability could not be exploited if web authoring were disabled.
This can be done by using the MCMS Server Configuration Application (SCA),
selecting the "Web" tab, pressing the "configure" button and setting
"Without Authoring" to true.
How does the patch eliminate the vulnerability?
The patch causes MCMS to properly authenticate web-authoring requests, and
prevents users from being able to change the upload folder.
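The two flaws described in this section (a permission test run against the wrong identity, and a caller-controlled temporary location) correspond to two checks in a hardened upload handler, which is what the patch's description amounts to. The following Python is an added example written for this page, not MCMS code: the user names, the permission table, the allowed file types and the upload root are all constructed for the illustration.

```python
import os
import tempfile

# Constructed configuration for the example; none of these names come from MCMS.
UPLOAD_ROOT = os.path.realpath(tempfile.mkdtemp(prefix="upload_root_"))
ALLOWED_SUFFIXES = {".gif", ".jpg", ".png"}   # non-executable content only
AUTHORS = {"alice"}                           # constructed: who may author content


class UploadRejected(Exception):
    """Raised when a request fails one of the checks below."""


def authorize(principal):
    # Flaw 1 in the advisory: the permission test was run against an identity
    # that always passed. The fix is to test the identity attached to *this*
    # request, and to treat "no identity" as a failure rather than a default.
    if principal is None:
        raise UploadRejected("unauthenticated request")
    if principal not in AUTHORS:
        raise UploadRejected(f"{principal!r} lacks authoring permission")


def confine_to_root(root, requested_dir):
    # Flaw 2: the request could redirect the temporary location to any folder.
    # Resolve the requested directory beneath the configured root and refuse
    # anything (.., absolute paths, symlinks) that lands outside it.
    candidate = os.path.realpath(os.path.join(root, requested_dir))
    try:
        common = os.path.commonpath([root, candidate])
    except ValueError:          # different drives on Windows: certainly outside
        common = None
    if common != root:
        raise UploadRejected(f"destination escapes upload root: {requested_dir!r}")
    return candidate


def handle_upload(principal, filename, data, requested_dir="."):
    """Store an authoring upload, or raise UploadRejected. Returns the stored path."""
    authorize(principal)
    if not filename or os.path.basename(filename) != filename:
        raise UploadRejected(f"file name must be a bare name: {filename!r}")
    suffix = os.path.splitext(filename)[1].lower()
    if suffix not in ALLOWED_SUFFIXES:
        raise UploadRejected(f"file type not allowed for authoring: {suffix!r}")
    dest_dir = confine_to_root(UPLOAD_ROOT, requested_dir)
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def upload_outcome(principal, filename, data, requested_dir="."):
    """Convenience wrapper returning ('stored', path) or ('rejected', reason)."""
    try:
        return "stored", handle_upload(principal, filename, data, requested_dir)
    except UploadRejected as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(upload_outcome("alice", "logo.png", b"\x89PNG constructed bytes"))
    print(upload_outcome("mallory", "logo.png", b"..."))                 # wrong identity
    print(upload_outcome("alice", "page.asp", b"<% %>"))                 # executable type
    print(upload_outcome("alice", "logo.png", b"...", "../../wwwroot"))  # escapes the root
```

The simplest form of the second fix, and the one the advisory describes, is to ignore any client-supplied location altogether; `confine_to_root` shows the check to apply if a sub-folder under the configured root must remain selectable.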
SQL Injection via MCMS Resource Request:
What is the scope of this vulnerability?
This vulnerability could enable an attacker to take action on the MCMS
database, as well as potentially allowing the attacker to run operating
system commands on it. Although the vulnerability would give the attacker
complete control over the database, it would only provide limited
privileges at the operating system level.
What causes the vulnerability?
The vulnerability results because a command used to request resources from
an MCMS server is vulnerable to a SQL injection attack.
What is SQL Injection?
The easiest way to explain SQL Injection is via a scenario. Suppose a web
site hosted an application for allowing visitors to the site to search an
online database for particular words. Further, suppose that the
application operated by simply taking whatever input a user provided,
inserting it into a database query, and running the query. In such a case,
it could be possible for an attacker to provide SQL statements instead of
text, with the result that when the web application ran its query, the
attacker's commands would be executed as part of the query. Such a
vulnerability is known as a SQL Injection vulnerability.
What part of MCMS contains the vulnerability?
The vulnerability lies in a part of MCMS that allows users and web pages
to request resources such as image files from the server. Such files are
stored within a database on the server, but the function used to retrieve
them does not adequately validate input data before using it. The result
is a SQL injection vulnerability.
What could an attacker do via the vulnerability?
By exploiting the SQL injection vulnerability, an attacker could, in
essence, modify the database query that MCMS submits when it responds to a
resource request. This would give the attacker the ability to add any
desired SQL commands to it.
This would give the attacker the ability to take any desired action on the
database, including adding, changing, or deleting data. In addition, it
would also give the attacker a way to run operating system commands as
well. SQL commands exist that allow the caller, if sufficiently
privileged, to pass commands to the operating system.
What could the attacker do by levying operating system commands?
Under default conditions, the attacker would not gain significant
privileges on the system. The commands would execute with the privileges
of the SQL Server 2000 service. While SQL Server does have complete
control over the database, it only has limited privileges by default at
the operating system level. Specifically, it has only the privileges of a
Domain User. These are roughly akin to the privileges of a user who could
log onto the server at the keyboard.
Who could exploit the vulnerability?
By default, any user who could establish a connection with an affected
system could levy the request and exploit the vulnerability.
How does the patch eliminate the vulnerability?
The patch eliminates the vulnerability by causing the affected function to
validate the parameters in a resource request and strip out SQL commands
if they are provided.
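The search scenario used above to explain SQL injection, and the parameter validation the patch adds to the resource request, can both be seen in a few lines of Python. This is an added example for this page, not MCMS code: it runs against an in-memory SQLite database with constructed rows, and the resource-id format it validates is an assumption made for the illustration, not the format MCMS uses.

```python
import re
import sqlite3

# Constructed sample data standing in for the site's searchable content.
SAMPLE_ROWS = [
    ("welcome", "Welcome to the members area", 1),   # public
    ("pricing", "Internal pricing sheet", 0),        # not meant to be listed
    ("roadmap", "Unreleased roadmap", 0),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT, body TEXT, public INTEGER)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, term):
    # The pattern the advisory describes: whatever the user typed is pasted
    # into the query text, so the input can change the query's structure.
    sql = f"SELECT slug FROM pages WHERE public = 1 AND body LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    # Bound parameter: the driver passes the term as data, never as SQL, so
    # the WHERE clause keeps its shape no matter what the term contains.
    sql = "SELECT slug FROM pages WHERE public = 1 AND body LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


# Assumed format for this example's resource identifiers (not MCMS's format).
# Validating against an allowlist is stronger than stripping SQL keywords out
# of the input, because it does not have to anticipate every encoding trick.
RESOURCE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_valid_resource_id(value):
    return RESOURCE_ID.fullmatch(value) is not None


def fetch_resource(conn, resource_id):
    """Resource lookup that validates first and binds the parameter second."""
    if not is_valid_resource_id(resource_id):
        raise ValueError(f"rejected resource id: {resource_id!r}")
    row = conn.execute("SELECT body FROM pages WHERE slug = ?", (resource_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    honest = "Welcome"
    crafted = "x' OR 1=1 --"   # a search term carrying SQL instead of text
    print(search_vulnerable(db, honest), search_vulnerable(db, crafted))
    print(search_safe(db, honest), search_safe(db, crafted))
    print(fetch_resource(db, "welcome"))
```

With the crafted term, the concatenated query's `public = 1` restriction is disabled and every row comes back, including the two rows the application never intended to list; the bound-parameter version returns nothing for the same input because the term is matched as literal text.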
ADDITIONAL INFORMATION
The information has been provided by Microsoft Product Security
<mailto:0_34979_E51E4D7D-DECD-43AE-9A29-36080E8D4C3C_US@Newsletters.Microsoft.com>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.