Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:3331
HistoryAug 08, 2002 - 12:00 a.m.

Security Bulletin MS02-041: Unchecked Buffer in Content Management Server Could Enable Server Compromise (Q326075)

2002-08-0800:00:00
vulners.com
23
JSON

Title: Unchecked Buffer in Content Management Server Could
Enable Server Compromise (Q326075)
Date: 07 August 2002
Software: Microsoft Content Management Server
Impact: Three vulnerabilities, the most serious of which could
enable an attacker to run code of an attackers choice.
Max Risk: Critical
Bulletin: MS02-041

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-041.asp .

Issue:

Microsoft Content Management Server (MCMS) 2001 is a .Net Enterprise
Server product that simplifies developing and managing e-business
web sites. Microsoft has learned of three security vulnerabilities
affecting it:

  • A buffer overrun in a low-level function that performs user
    authentication. At least one web page included with MCMS 2001
    passes inputs directly to the function, thereby potentially
    providing a way for an attacker to overrun the buffer. The
    result of exploiting the vulnerability would be to either
    cause MCMS to fail, or run code in the context of the MCMS
    service (which runs as Local System).

  • A vulnerability resulting from the confluence of two flaws
    affecting a function that allows files to be uploaded to the
    server. The first flaw lies in how the function authenticates
    requests, and would allow any user to submit an upload request.
    The second results because it is possible to override the upload
    location; where the function should upload files to a folder that
    only privileged users can access, it can be overridden to upload
    it to a temporary folder that does allow unprivileged users to
    call it. By exploiting the two flaws in tandem, an attacker
    could upload an .ASP or other file to the server, in a location
    from which it could be executed.

  • A SQL injection vulnerability affecting a function that services
    requests for image files and other resources. Exploiting the
    vulnerability could enable an attacker to run SQL commands on the
    server, which would not only allow data in the MCMS database to
    be added, changed or deleted, but also would enable the attacker
    to run operating system commands on the server.

Mitigating Factors:

Buffer Overrun in MCMS Authentication Operation:

  • The scope of the vulnerability could be significantly reduced
    if the URLScan tool were deployed on the server. It is likely
    that in this case, the vulnerability could only be used for
    denial of service attacks.

Program Execution via MCMS Authoring Function:

  • Exploiting the vulnerability would not grant the attacker
    administrative privileges on the server. Instead, the
    attacker's code would execute in the security context of the
    Web Application Manager (the IWAM_computername account),
    which has similar privileges to those of an interactively
    logged-on user.

SQL Injection via MCMS Resource Request:

  • Exploiting the vulnerability would not grant the attacker
    administrative privileges on the server. Instead, any
    operating system commands would be levied in the security
    context of the SQL Server 2000 service, which by default
    has only Domain User privileges.

Risk Rating:

  • Internet systems: Critical
  • Intranet systems: Critical
  • Client systems: None

Patch Availability:

Acknowledgment:

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

JSON