[NT] Microsoft BizTalk Server Documentation and Repository Sites Weak Permissions

From: SecuriTeam (support_at_securiteam.com)
Date: 09/21/03

To: list@securiteam.com
Date: 21 Sep 2003 14:43:48 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - - - - - - - -

    Microsoft BizTalk Server Documentation and Repository Sites Weak
    Permissions
    ------------------------------------------------------------------------

    SUMMARY

    Microsoft BizTalk Server is a Microsoft product for business-process
    automation and application integration, both within and between
    businesses. BizTalk Server provides a Web-based development and execution
    environment that integrates loosely coupled, long-running business
    processes. Its features include integration among existing applications;
    the definition of document specifications and specification
    transformations; and the monitoring and logging of run-time activity. The
    server provides a standard gateway for sending and receiving documents
    across the Internet, as well as a range of services for data integrity,
    delivery, security, and support for the BizTalk Framework and other key
    document formats. When BizTalk Server is installed, some of the IIS
    virtual directories it creates are configured with weak permissions.

    DETAILS

    By default, Microsoft BizTalk Server installs and configures several
    virtual directories in IIS. Two of them are configured with weak
    permissions: one holds the product documentation
    (http://server/BizTalkServerDocs/) and the other is a WebDAV repository
    for XML files (http://server/BizTalkServerRepository/).

    The virtual directory "http://server/BizTalkServerDocs/" has the
    following IIS configuration by default:
     * Users are authenticated by Windows (integrated) authentication
     * Write and Directory browsing permissions are enabled; Execute is not
     * No default document is configured

    The NTFS ACL on the physical folder
    "...\Microsoft BizTalk Server\Documentation\" grants the Users group
    Full Control, so any authenticated Windows user can modify the files.

    The virtual directory "http://server/BizTalkServerRepository/" has the
    following IIS configuration by default:
     * Anonymous web access is allowed
     * Write and Directory browsing permissions are enabled; Execute is not
     * No default document is configured

    The NTFS ACL on the physical folder
    "...\Microsoft BizTalk Server\BizTalkServerRepository\" grants the Users
    group Full Control, so the anonymous IIS account (a member of Users) can
    modify the files.

    Note: The site "http://server/BizTalkServerRepository/" needs Write
    permission because it is a WebDAV repository that allows users to upload,
    edit and otherwise manage XML files; the problem is that this write access
    is granted anonymously, not that it exists at all.

    These weak permissions can be exploited by an attacker in many ways. Some
    examples:
     * On the site "http://server/BizTalkServerDocs/", any attacker who holds
    a valid Windows account (membership in Users is enough, given the NTFS
    ACL) can upload or replace HTML documentation pages with pages carrying
    malicious ActiveX controls, scripts, etc., which then run in the browser
    of every administrator who reads the documentation.
     * On the site "http://server/BizTalkServerRepository/", an attacker
    needs no credentials at all: anonymous access plus Write permission lets
    a remote user replace XML files with altered ones, causing BizTalk Server
    to fail, or to behave as the attacker intends, when it processes them.
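    Whether a given BizTalk installation still exposes the repository this way can
    be confirmed from the outside without touching any real XML file. The
    following script is an added example and is not part of the SecuriTeam
    advisory or of BizTalk Server; it covers both the configuration described
    under DETAILS and the exploit scenarios above. It sends an OPTIONS request
    to the virtual directory, reads the `Allow`/`Public` headers IIS returns for
    a WebDAV-enabled directory, then attempts an unauthenticated PUT of a small
    marker file (the name `securiteam_probe.txt` is chosen for this example) and
    deletes it again. The response status of the PUT is what separates the four
    cases a practitioner cares about: anonymous write, authentication required,
    Write permission removed, or PUT not accepted at all. The sample OPTIONS
    response at the bottom is constructed to match the advisory's description of
    IIS 5, not captured from a real host, so the parsing and classification
    logic can be exercised offline; `probe()` is the only function that talks to
    the network, and must only be pointed at hosts you are authorised to test.

```python
"""Probe an IIS virtual directory for the anonymous-write WebDAV
misconfiguration described in the advisory.  Added example, not code from
the advisory or from BizTalk Server.  Only probe() touches the network."""
import urllib.error
import urllib.request
from dataclasses import dataclass

# HTTP/WebDAV methods whose presence in Allow/Public means the directory
# contents can be modified through IIS.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "PROPPATCH", "COPY", "MOVE", "LOCK"}


def parse_method_list(header_value):
    """Split an `Allow:` or `Public:` header value into upper-case method names."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def writable_methods(options_headers):
    """Return the write-capable methods advertised by an OPTIONS response.
    Header names are matched case-insensitively."""
    lowered = {k.lower(): v for k, v in options_headers.items()}
    advertised = parse_method_list(lowered.get("allow", ""))
    advertised |= parse_method_list(lowered.get("public", ""))
    return advertised & WRITE_METHODS


def classify_put(status):
    """Map the status of an unauthenticated PUT to a verdict.

    200/201/204: file created or overwritten with no credentials at all, i.e.
                 the anonymous-access + Write combination from the advisory.
    401:         IIS demands Windows authentication (the BizTalkServerDocs
                 situation: writable, but only to holders of a Windows account).
    403:         Write permission has been removed from the virtual directory.
    405:         PUT is not accepted at all (WebDAV disabled or Write removed).
    """
    if status in (200, 201, 204):
        return "ANONYMOUS_WRITE"
    if status == 401:
        return "AUTH_REQUIRED"
    if status == 403:
        return "WRITE_DENIED"
    if status == 405:
        return "METHOD_NOT_ALLOWED"
    return "UNKNOWN_%d" % status


@dataclass
class ProbeResult:
    advertised_write_methods: set
    put_verdict: str
    cleanup_ok: bool


def _request(url, method, data=None):
    """Issue one request; return (status, headers) instead of raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=data, method=method)
    if data is not None:
        req.add_header("Content-Type", "text/plain")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers or {})


def probe(base_url, vdir="BizTalkServerRepository", marker="securiteam_probe.txt"):
    """OPTIONS the directory, PUT a harmless marker file without credentials,
    then DELETE it.  `marker` is a name picked for this example; choose one
    that cannot collide with real repository files.  Authorised targets only."""
    dir_url = base_url.rstrip("/") + "/" + vdir + "/"
    _, opt_headers = _request(dir_url, "OPTIONS")
    advertised = writable_methods(opt_headers)

    put_status, _ = _request(dir_url + marker, "PUT", data=b"probe\n")
    verdict = classify_put(put_status)

    cleanup_ok = True
    if verdict == "ANONYMOUS_WRITE":
        del_status, _ = _request(dir_url + marker, "DELETE")
        cleanup_ok = del_status in (200, 204)
    return ProbeResult(advertised, verdict, cleanup_ok)


# Constructed sample of an IIS 5 OPTIONS response for a WebDAV-enabled
# directory with Write permission, modelled on the advisory's description.
SAMPLE_OPTIONS_HEADERS = {
    "Server": "Microsoft-IIS/5.0",
    "DAV": "1, 2",
    "Allow": "OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
             "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH",
    "Public": "OPTIONS, TRACE, GET, HEAD, POST, PUT, DELETE, COPY, MOVE, MKCOL, "
              "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH",
}

if __name__ == "__main__":
    print("advertised write methods:", sorted(writable_methods(SAMPLE_OPTIONS_HEADERS)))
    for status in (201, 401, 403, 405):
        print(status, "->", classify_put(status))
    # Live run against an authorised host: print(probe("http://server"))
```

    A result of `ANONYMOUS_WRITE` for BizTalkServerRepository reproduces the
    advisory's finding; `AUTH_REQUIRED` for BizTalkServerDocs is expected even
    on a default install, and the remaining exposure there is the NTFS ACL,
    which no HTTP probe can see and must be checked on the host itself.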

    Vendor Status:
    Microsoft was contacted several months ago and has now released
    Knowledge Base article 824935:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;824935

    ADDITIONAL INFORMATION

    The information has been provided by Cesar (cesarc56@yahoo.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
