[NT] Microsoft BizTalk Server ISAPI HTTP Receive Function Buffer Overflow (biztalkhttpreceive.dll)

From: SecuriTeam (support_at_securiteam.com)
Date: 09/24/03

    To: list@securiteam.com
    Date: 24 Sep 2003 10:58:00 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Microsoft BizTalk Server ISAPI HTTP Receive Function Buffer Overflow
    (biztalkhttpreceive.dll)
    ------------------------------------------------------------------------

    SUMMARY

    Microsoft BizTalk Server is a Microsoft product for business-process
    automation and application integration, both within and between
    businesses. It provides a Web-based development and execution environment
    for loosely coupled, long-running business processes.

    BizTalk Server features include integration among existing applications;
    the definition of document specifications and specification
    transformations; and the monitoring and logging of run-time activity. The
    server provides a standard gateway for sending and receiving documents
    across the Internet, along with services for data integrity, delivery and
    security, and support for the BizTalk Framework and other key document
    formats. BizTalk Server 2002 can exchange documents over HTTP.

    A buffer overflow exists in the component used to receive HTTP documents -
    the HTTP receiver - and could result in an attacker being able to execute
    code of their choice on the BizTalk Server.

    DETAILS

    An HTTP receive function is an Internet Server Application Programming
    Interface (ISAPI) extension that provides an "out-of-the-box" way to
    receive documents over Hypertext Transfer Protocol (HTTP). The extension
    is named BizTalkHTTPReceive.dll. Submitting an HTTP request whose query
    string is overly long (more than 250 characters) triggers a buffer
    overflow in it:

    POST /Site/biztalkhttpreceive.dll?XXXX...(more than 250 chars) HTTP/1.0
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
    Host: servername
    Content-Length:
    Proxy-Connection: Keep-Alive
    Pragma: no-cache

    <...Data submitted...>
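    The overflow trigger described above is visible in ordinary IIS logging: the
    request goes to the receive function's ISAPI extension and carries a query
    string far longer than any legitimate BizTalk client would send. The
    following is an added example, not part of the advisory or of Microsoft's
    code: it parses IIS W3C extended log lines and flags requests to
    BizTalkHTTPReceive.dll whose query string exceeds the 250-character figure
    the advisory reports. The log lines, addresses and site path are constructed
    for illustration; the `#Fields:` header drives the column mapping, as it
    does in a real IIS log.

```python
"""Detection helper for the BizTalkHTTPReceive.dll query-string overflow.

Added example, not part of the SecuriTeam advisory: it parses IIS W3C
extended log lines and flags requests to the BizTalk HTTP receive ISAPI
whose query string exceeds the length the advisory reports as sufficient
to overflow the buffer.
"""

# The advisory states that a query string of more than 250 characters
# triggers the overflow; use that as the alert threshold.
QUERY_LENGTH_THRESHOLD = 250
# The ISAPI extension named in the advisory (compared case-insensitively,
# since IIS paths are not case-sensitive).
TARGET_ISAPI = "biztalkhttpreceive.dll"

# Constructed sample log in IIS W3C extended format. The addresses, site
# path and timestamps are made up for illustration; the "#Fields:" header
# line is what drives the column mapping, as in a real IIS log.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-09-24 08:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-09-24 08:00:01 10.0.0.5 POST /Site/biztalkhttpreceive.dll - 200
2003-09-24 08:00:02 10.0.0.5 POST /Site/biztalkhttpreceive.dll channel=orders 200
2003-09-24 08:00:03 192.0.2.77 POST /Site/BizTalkHTTPReceive.dll {long} 500
2003-09-24 08:00:04 192.0.2.77 GET /default.asp {long} 200
""".format(long="X" * 300)


def parse_w3c_log(text):
    """Parse W3C extended log text into a list of dicts keyed by field name.

    Directive lines start with '#'; a '#Fields:' directive defines the column
    order for the entries that follow it. Entries whose field count does not
    match the current header are skipped rather than mis-mapped.
    """
    fields = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            continue  # entry before any #Fields header; cannot be interpreted
        values = line.split()
        if len(values) != len(fields):
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def query_length(row):
    """Length of cs-uri-query; IIS writes '-' for an empty query string."""
    query = row.get("cs-uri-query", "-")
    return 0 if query == "-" else len(query)


def find_overlong_isapi_requests(rows, threshold=QUERY_LENGTH_THRESHOLD,
                                 target=TARGET_ISAPI):
    """Return entries that hit the target ISAPI with a query string longer
    than `threshold` characters. sc-status is reported but not used as a
    filter: a request that crashed the extension need not carry a telling
    status code."""
    hits = []
    for row in rows:
        stem = row.get("cs-uri-stem", "").lower()
        if not stem.endswith(target):
            continue
        length = query_length(row)
        if length > threshold:
            hits.append({
                "timestamp": "{} {}".format(row.get("date", "-"), row.get("time", "-")),
                "c-ip": row.get("c-ip", "-"),
                "cs-method": row.get("cs-method", "-"),
                "cs-uri-stem": row.get("cs-uri-stem", "-"),
                "query_length": length,
                "sc-status": row.get("sc-status", "-"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_overlong_isapi_requests(parse_w3c_log(SAMPLE_LOG)):
        print("{timestamp} {c-ip} {cs-method} {cs-uri-stem} "
              "query_length={query_length} status={sc-status}".format(**hit))
```

    Two caveats apply when running this over real logs. The length is measured
    on the logged (URL-encoded, '+'-for-space) form of the query, so the
    threshold is approximate rather than an exact copy of the overflow
    condition. And because IIS writes the log entry when the request completes,
    a request that actually crashed the process may never be logged at all; an
    absence of hits is not evidence that no attempt was made.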

    Whether the vulnerability can be exploited directly depends on the web
    server configuration: if the virtual directory hosting the ISAPI extension
    accepts the attacker's requests, the request above can be sent as-is. If
    the attacker lacks the required permissions, the request can still be
    delivered by way of a user who does have them, for example through a
    cross-site scripting flaw or an HTML e-mail sent to an administrator that
    makes the browser issue the request to the vulnerable server.

    Depending on the Windows user account under which the COM+ applications
    for the vulnerable site run (that account must always have access to the
    BizTalk Messaging Management database and to the COM+ packages BizTalk
    Server Interchange Application and BizTalk Server Internal Utility),
    exploitation of this vulnerability allows an attacker to completely
    compromise the OS and/or BizTalk Server files and databases.

    Workaround:
    If you are using the HTTP receive function, remove the
    BizTalkHTTPReceive.dll ISAPI extension and switch to another receive
    function, such as the Message Queuing receive function or the file receive
    function.

    Vendor status:
    Microsoft was contacted on 02/14/03 and has released a fix.

    Solution:
    See Microsoft Security Bulletin MS03-016:
    http://www.microsoft.com/technet/security/bulletin/MS03-016.asp

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:cesarc56@yahoo.com> Cesar.


