Title: Unchecked Buffer in Content Management Server Could
Enable Server Compromise (Q326075)
Date: 07 August 2002
Software: Microsoft Content Management Server
Impact: Three vulnerabilities, the most serious of which could
enable an attacker to run code of an attackers choice.
Max Risk: Critical
Bulletin: MS02-041
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-041.asp .
Microsoft Content Management Server (MCMS) 2001 is a .Net Enterprise
Server product that simplifies developing and managing e-business
web sites. Microsoft has learned of three security vulnerabilities
affecting it:
A buffer overrun in a low-level function that performs user
authentication. At least one web page included with MCMS 2001
passes inputs directly to the function, thereby potentially
providing a way for an attacker to overrun the buffer. The
result of exploiting the vulnerability would be to either
cause MCMS to fail, or run code in the context of the MCMS
service (which runs as Local System).
A vulnerability resulting from the confluence of two flaws
affecting a function that allows files to be uploaded to the
server. The first flaw lies in how the function authenticates
requests, and would allow any user to submit an upload request.
The second results because it is possible to override the upload
location; where the function should upload files to a folder that
only privileged users can access, it can be overridden to upload
it to a temporary folder that does allow unprivileged users to
call it. By exploiting the two flaws in tandem, an attacker
could upload an .ASP or other file to the server, in a location
from which it could be executed.
A SQL injection vulnerability affecting a function that services
requests for image files and other resources. Exploiting the
vulnerability could enable an attacker to run SQL commands on the
server, which would not only allow data in the MCMS database to
be added, changed or deleted, but also would enable the attacker
to run operating system commands on the server.
Buffer Overrun in MCMS Authentication Operation:
Program Execution via MCMS Authoring Function:
SQL Injection via MCMS Resource Request:
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.