Computer Security
[EN] securityvulns.ru no-pyccku


Related information

  Multiple buffer overflows in Microsoft Commerce Server

  Remotely Exploitable Buffer Overruns in Microsoft's Commerce Server 2000/2 (#NISRNISR0306200
2)

From:MICROSOFT <secure_(at)_microsoft.com>
Date:27.06.2002
Subject:Security Bulletin MS02-033: Unchecked Buffer in Profile Service Could Allow Code Execution in Commerce Server (Q322273)

- ----------------------------------------------------------------------
Title:      Unchecked Buffer in Profile Service Could Allow Code
           Execution in Commerce Server (Q322273)
Date:       June 26, 2002
Software:   Microsoft Commerce Server 2000, Commerce Server 2002
Impact:     Four vulnerabilities, each of which could run code of
           attacker's choice.
Max Risk:   Critical
Bulletin:   MS02-033

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-033.asp.
- ----------------------------------------------------------------------

Issue:
======
Commerce Server 2000 and Commerce Server 2002 are web server products
for building e-commerce sites. These products provides tools and
features that simplify developing and deploying e-commerce solutions,
and provide tools that let the site administrator analyze the usage
of their e-commerce site.

Four vulnerabilities exist in the Commerce Server products:

- A vulnerability that results because the Profile Service contains
  an unchecked buffer in a section of code that handles certain
  types of API calls. The Profile Service can be used to enable
  users to manage their own profile information and to research
  the status of their order. An attacker who provided specially
  malformed data to certain calls exposed by the Profile Service
  could cause the Commerce Server process to fail, or could run
  code in the LocalSystem security context. This vulnerability
  only affects Commerce Server 2000.

- A buffer overrun vulnerability in the Office Web Components (OWC)
  package installer used by Commerce Server. An attacker who
  provided specially malformed data as input to the OWC package
  installer could cause the process to fail, or could run code in
  the LocalSystem security context. This vulnerability only affects
  Commerce Server 2000.

- A vulnerability in the Office Web Components (OWC) package
  installer used by Commerce Server. An attacker who invoked the
  OWC package installer in a particular manner could cause commands
  to be run on the Commerce Server according to the privileges
  associated with the attacker's log on credentials. This
  vulnerability only affects Commerce Server 2000.

- A new variant of the ISAPI Filter vulnerability discussed in
  Microsoft Security Bulletin MS02-010. This variant affects both
  Commerce Server 2000 and Commerce Server 2002.

Mitigating Factors:
====================
Profile Service buffer overrun:

- The affected API calls in the Profile Service are not exposed to
  the Internet by default. The administrator must set up a Commerce
  Server site and include Profile Service calls as part of that
  site.

- The URLscan tool, if deployed using the default ruleset for
  Commerce Server, would make it difficult if not impossible for an
  attacker to exploit the vulnerability to run code, by
  significantly limiting the types of data that could be included in
  a URL. It would, however, still be possible to conduct denial of
  service attacks.

- Best practices for web site design can prevent this vulnerability
  from being exposed by limiting user input that can be accepted by
  input fields.

OWC package buffer overrun:

- For an attack to succeed, the attacker would need to have
  credentials to log on to the Commerce Server 2000 computer on
  which the OWC package installer is kept.

- Best practices suggests that unprivileged users not be allowed to
  interactively log onto business-critical servers. If this
  recommendation has been followed, unprivileged users would not
  have access to Commerce Server machines.

OWC package command execution:

- For an attack to succeed, the attacker would need to have
  credentials to log on to the Commerce Server 2000 computer on
  which the OWC package installer is kept.

- Best practices suggests that unprivileged users not be allowed
  to interactively log onto business-critical servers. If this
  recommendation has been followed, unprivileged users would not
  have access to Commerce Server machines.

New variant of the ISAPI filter buffer overrun:

- Although Commerce Server does rely on IIS for its base web
  services, the AuthFilter ISAPI filter is only available as part
  of Commerce Server. Customers using IIS are at no risk from this
  vulnerability.

- The URLScan tool , if deployed using the default ruleset for
  Commerce Server, would make it difficult if not impossible for
  an attacker to exploit the vulnerability to run code, by
  significantly limiting the types of data that could be included
  in an URL. It would, however, still be possible to conduct denial
  of service attacks.

- An attacker's ability to extend control from a compromised web
  server to other machines would depend heavily on the specific
  configuration of the network. Best practices recommend that the
  network architecture account for the inherent high-risk that
  machines in an uncontrolled environment, like the Internet, face
  by minimizing overall exposure though measures like DMZ's,
  operating with minimal services and isolating contact with
  internal networks. Steps like this can limit overall exposure
  and impede an attacker's ability to broaden the scope of a
  possible compromise.

- While the ISAPI filter is installed by default, it is not
  loaded on any web site by default. It must be enabled through
  the Commerce Server Administration Console in the Microsoft
  Management Console (MMC).

Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None

Patch Availability:
===================
- A patch is available for these vulnerabilities. Please read the
  Security Bulletin at
  http://www.microsoft.com/technet/security/bulletin/ms02-033.asp
  for information on obtaining this patch.

Acknowledgment:
===============
- Mark Litchfield of Next Generation Security Software Ltd.
  (http://www.nextgenss.com/) for reporting the Profile Service
  and OWC package issues.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod