Computer Security
[EN] securityvulns.ru no-pyccku


Related information

  Buffer overflows in Content Managment Server

From:MICROSOFT <secure_(at)_microsoft.com>
Date:08.08.2002
Subject:Security Bulletin MS02-041: Unchecked Buffer in Content Management Server Could Enable Server Compromise (Q326075)

- ----------------------------------------------------------------------
Title:      Unchecked Buffer in Content Management Server Could
           Enable Server Compromise (Q326075)
Date:       07 August 2002
Software:   Microsoft Content Management Server
Impact:     Three vulnerabilities, the most serious of which could
           enable an attacker to run code of an attackers choice.
Max Risk:   Critical
Bulletin:   MS02-041

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-041.asp .
- ----------------------------------------------------------------------

Issue:
======
Microsoft Content Management Server (MCMS) 2001 is a .Net Enterprise
Server product that simplifies developing and managing e-business
web sites. Microsoft has learned of three security vulnerabilities
affecting it:

- A buffer overrun in a low-level function that performs user
  authentication. At least one web page included with MCMS 2001
  passes inputs directly to the function, thereby potentially
  providing a way for an attacker to overrun the buffer. The
  result of exploiting the vulnerability would be to either
  cause MCMS to fail, or run code in the context of the MCMS
  service (which runs as Local System).

- A vulnerability resulting from the confluence of two flaws
  affecting a function that allows files to be uploaded to the
  server. The first flaw lies in how the function authenticates
  requests, and would allow any user to submit an upload request.
  The second results because it is possible to override the upload
  location; where the function should upload files to a folder that
  only privileged users can access, it can be overridden to upload
  it to a temporary folder that does allow unprivileged users to
  call it. By exploiting the two flaws in tandem, an attacker
  could upload an .ASP or other file to the server, in a location
  from which it could be executed.

- A SQL injection vulnerability affecting a function that services
  requests for image files and other resources. Exploiting the
  vulnerability could enable an attacker to run SQL commands on the
  server, which would not only allow data in the MCMS database to
  be added, changed or deleted, but also would enable the attacker
  to run operating system commands on the server.

Mitigating Factors:
====================
Buffer Overrun in MCMS Authentication Operation:

- The scope of the vulnerability could be significantly reduced
  if the URLScan tool were deployed on the server. It is likely
  that in this case, the vulnerability could only be used for
  denial of service attacks.

Program Execution via MCMS Authoring Function:
- Exploiting the vulnerability would not grant the attacker
  administrative privileges on the server. Instead, the
  attacker's code would execute in the security context of the
  Web Application Manager (the IWAM_computername account),
  which has similar privileges to those of an interactively
  logged-on user.

SQL Injection via MCMS Resource Request:
- Exploiting the vulnerability would not grant the attacker
  administrative privileges on the server. Instead, any
  operating system commands would be levied in the security
  context of the SQL Server 2000 service, which by default
  has only Domain User privileges.

Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
  Security Bulletin at
  http://www.microsoft.com/technet/security/bulletin/ms02-041.asp
  for information on obtaining this patch.

Acknowledgment:
===============
- Joao Gouveia (tharbad@kaotik.org)

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
LOSS OF
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
ITS
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
STATES DO
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod