[NT] Microsoft BizTalk Server ISAPI HTTP Receive Function Buffer Overflow (biztalkhttpreceive.dll)

SecuriTeam advisory, Sep 24, 2003 (archived as SECURITYVULNS:DOC:5150 via vulners.com)

The following security advisory is sent to the securiteam mailing list, and can be found at
the SecuriTeam web site: http://www.securiteam.com

- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


Microsoft BizTalk Server ISAPI HTTP Receive Function Buffer Overflow
(biztalkhttpreceive.dll)

SUMMARY

Microsoft BizTalk Server is a Microsoft product for business-process
automation and application-integration both within and between businesses.
BizTalk Server provides a powerful Web-based development and execution
environment that integrates loosely coupled, long-running business
processes, both within and between companies.

BizTalk Server features include integration among existing applications;
the definition of document specifications and specification
transformations; and the monitoring and logging of run-time activity. The
server provides a standard gateway for sending and receiving documents
across the Internet, as well as providing a range of services that ensure
data integrity, delivery, security, and support for the BizTalk Framework
and other key document formats. BizTalk Server 2002 also provides the ability
to exchange documents over HTTP.

A buffer overflow exists in the component used to receive HTTP documents -
the HTTP receiver - and could result in an attacker being able to execute
code of their choice on the BizTalk Server.

DETAILS

An HTTP receive function is an Internet Server Application Programming
Interface (ISAPI) extension that provides an "out-of-the-box" utility for
receiving documents over Hypertext Transfer Protocol (HTTP). The ISAPI
extension is named BizTalkHTTPReceive.dll. Submitting an HTTP request whose
query string is overly long (more than 250 characters) triggers a buffer
overflow in the extension:

POST /Site/biztalkhttpreceive.dll?XXXX…(more than 250 chars) HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Host: servername
Content-Length:
Proxy-Connection: Keep-Alive
Pragma: no-cache

<…Data submitted…>

An attacker who is allowed to reach the ISAPI extension (this depends on the
authentication and access configuration of the web server and virtual
directory) can exploit this vulnerability directly. An attacker who lacks
that access can still trigger the request from a browser that has it, for
example through cross-site scripting or by sending an administrator an HTML
e-mail whose content targets the vulnerable server.
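As an added example that is not part of the original advisory, and not code from SecuriTeam or Microsoft, the following Python script reads IIS W3C Extended log lines and flags requests to biztalkhttpreceive.dll whose query string exceeds the 250-character threshold quoted above, which is what the request shown would leave in the log. It assumes the site logs in W3C Extended format with the standard cs-uri-stem, cs-uri-query and sc-status fields enabled; the sample log lines are constructed for the example, and treating an HTTP 500 on the receive function as a weaker "possible crash" indicator is an assumption, since a crashed in-process ISAPI is not guaranteed to log that way.

```python
"""Flag IIS W3C log entries matching the BizTalkHTTPReceive.dll overflow pattern.

Added example for this advisory (not SecuriTeam's or Microsoft's code). Assumes
IIS W3C Extended logging with at least cs-uri-stem, cs-uri-query and sc-status
enabled. The 250-character threshold comes from the advisory; the sample log
lines below are constructed, not taken from a real server.
"""

TARGET_DLL = "biztalkhttpreceive.dll"
QUERY_LIMIT = 250  # advisory: a query string of more than 250 chars overflows

# Constructed sample log (not real traffic). IIS writes the #Fields directive
# at the top of each log file and records an empty query string as "-".
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-09-24 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-09-24 00:01:02 10.0.0.5 POST /Site/biztalkhttpreceive.dll channel=Orders 200 Mozilla/4.0+(compatible)
2003-09-24 00:01:09 10.0.0.5 GET /default.htm - 200 Mozilla/4.0+(compatible)
2003-09-24 00:02:31 192.0.2.77 POST /Site/biztalkhttpreceive.dll {q} 500 Mozilla/4.0+(compatible)
2003-09-24 00:02:40 192.0.2.77 POST /Site/BizTalkHTTPReceive.dll - 500 Mozilla/4.0+(compatible)
""".format(q="X" * 300)


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("log entry seen before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than mis-map columns
        yield dict(zip(fields, values))


def classify(entry):
    """Return (severity, message) for an entry of interest, or None.

    high:   query string longer than QUERY_LIMIT sent to the receive ISAPI
    medium: HTTP 500 from the receive ISAPI (assumed possible crash indicator)
    info:   any other hit on the ISAPI, i.e. the mapping is still exposed
    """
    stem = entry.get("cs-uri-stem", "")
    if not stem.lower().endswith("/" + TARGET_DLL):
        return None
    client = entry.get("c-ip", "?")
    query = entry.get("cs-uri-query", "-")
    qlen = 0 if query == "-" else len(query)
    if qlen > QUERY_LIMIT:
        return ("high", "query string of %d chars to %s from %s" % (qlen, stem, client))
    if entry.get("sc-status", "") == "500":
        return ("medium", "HTTP 500 from %s for %s (possible ISAPI crash)" % (stem, client))
    return ("info", "request to %s from %s (ISAPI still mapped)" % (stem, client))


def scan(text):
    """Run classify over every entry and return the list of findings."""
    return [f for f in (classify(e) for e in parse_w3c(text)) if f is not None]


if __name__ == "__main__":
    for severity, message in scan(SAMPLE_LOG):
        print("%-6s %s" % (severity, message))
```

Run against a real log with `scan(open(path).read())`; the "info" findings are useful after applying the workaround below, since any hit on the DLL means the ISAPI mapping is still reachable.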

The impact depends on the Windows user account under which the COM+
applications for the vulnerable site run. That account must always have
access to the BizTalk Messaging Management database and to the COM+ packages
BizTalk Server Interchange Application and BizTalk Server Internal Utility,
so exploitation allows an attacker to completely compromise the operating
system and/or BizTalk Server files and databases.

Workaround:
If you are using the HTTP receive function, remove the BizTalkHTTPReceive.dll
ISAPI extension and use another receive function instead, such as the Message
Queuing receive function or the file receive function.

Vendor status:
Microsoft was contacted on 02/14/03, and released a fix.

Solution:
See the following page:
http://www.microsoft.com/technet/security/bulletin/MS03-016.asp

ADDITIONAL INFORMATION

The information has been provided by Cesar.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
[email protected]
In order to subscribe to the mailing list, simply forward this email to:
[email protected]

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages.