Published:
27 June 2002
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2002.316 -- Microsoft Security Bulletin MS02-033
Unchecked Buffer in Profile Service Could Allow Code Execution
in Commerce Server (Q322273)
28 June 2002
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Commerce Server 2000
Commerce Server 2002
Vendor: Microsoft
Impact: Execute Arbitrary Code/Commands
Denial of Service
Access Required: Remote
Comments: Microsoft PGP signature is bad for this advisory,
but content correlates with:
http://www.microsoft.com/technet/security/bulletin/MS02-033.asp
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
- - ----------------------------------------------------------------------
Title: Unchecked Buffer in Profile Service Could Allow Code
Execution in Commerce Server (Q322273)
Date: June 26, 2002
Software: Microsoft Commerce Server 2000, Commerce Server 2002
Impact: Four vulnerabilities, each of which could run code of
attacker's choice.
Max Risk: Critical
Bulletin: MS02-033
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-033.asp.
- - ----------------------------------------------------------------------
Issue:
======
Commerce Server 2000 and Commerce Server 2002 are web server products
for building e-commerce sites. These products provides tools and
features that simplify developing and deploying e-commerce solutions,
and provide tools that let the site administrator analyze the usage
of their e-commerce site.
Four vulnerabilities exist in the Commerce Server products:
- A vulnerability that results because the Profile Service contains
an unchecked buffer in a section of code that handles certain
types of API calls. The Profile Service can be used to enable
users to manage their own profile information and to research
the status of their order. An attacker who provided specially
malformed data to certain calls exposed by the Profile Service
could cause the Commerce Server process to fail, or could run
code in the LocalSystem security context. This vulnerability
only affects Commerce Server 2000.
- A buffer overrun vulnerability in the Office Web Components (OWC)
package installer used by Commerce Server. An attacker who
provided specially malformed data as input to the OWC package
installer could cause the process to fail, or could run code in
the LocalSystem security context. This vulnerability only affects
Commerce Server 2000.
- A vulnerability in the Office Web Components (OWC) package
installer used by Commerce Server. An attacker who invoked the
OWC package installer in a particular manner could cause commands
to be run on the Commerce Server according to the privileges
associated with the attacker's log on credentials. This
vulnerability only affects Commerce Server 2000.
- A new variant of the ISAPI Filter vulnerability discussed in
Microsoft Security Bulletin MS02-010. This variant affects both
Commerce Server 2000 and Commerce Server 2002.
Mitigating Factors:
====================
Profile Service buffer overrun:
- The affected API calls in the Profile Service are not exposed to
the Internet by default. The administrator must set up a Commerce
Server site and include Profile Service calls as part of that
site.
- The URLscan tool, if deployed using the default ruleset for
Commerce Server, would make it difficult if not impossible for an
attacker to exploit the vulnerability to run code, by
significantly limiting the types of data that could be included in
a URL. It would, however, still be possible to conduct denial of
service attacks.
- Best practices for web site design can prevent this vulnerability
from being exposed by limiting user input that can be accepted by
input fields.
OWC package buffer overrun:
- For an attack to succeed, the attacker would need to have
credentials to log on to the Commerce Server 2000 computer on
which the OWC package installer is kept.
- Best practices suggests that unprivileged users not be allowed to
interactively log onto business-critical servers. If this
recommendation has been followed, unprivileged users would not
have access to Commerce Server machines.
OWC package command execution:
- For an attack to succeed, the attacker would need to have
credentials to log on to the Commerce Server 2000 computer on
which the OWC package installer is kept.
- Best practices suggests that unprivileged users not be allowed
to interactively log onto business-critical servers. If this
recommendation has been followed, unprivileged users would not
have access to Commerce Server machines.
New variant of the ISAPI filter buffer overrun:
- Although Commerce Server does rely on IIS for its base web
services, the AuthFilter ISAPI filter is only available as part
of Commerce Server. Customers using IIS are at no risk from this
vulnerability.
- The URLScan tool , if deployed using the default ruleset for
Commerce Server, would make it difficult if not impossible for
an attacker to exploit the vulnerability to run code, by
significantly limiting the types of data that could be included
in an URL. It would, however, still be possible to conduct denial
of service attacks.
- An attacker's ability to extend control from a compromised web
server to other machines would depend heavily on the specific
configuration of the network. Best practices recommend that the
network architecture account for the inherent high-risk that
machines in an uncontrolled environment, like the Internet, face
by minimizing overall exposure though measures like DMZ's,
operating with minimal services and isolating contact with
internal networks. Steps like this can limit overall exposure
and impede an attacker's ability to broaden the scope of a
possible compromise.
- While the ISAPI filter is installed by default, it is not
loaded on any web site by default. It must be enabled through
the Commerce Server Administration Console in the Microsoft
Management Console (MMC).
Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None
Patch Availability:
===================
- A patch is available for these vulnerabilities. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-033.asp
for information on obtaining this patch.
Acknowledgment:
===============
- Mark Litchfield of Next Generation Security Software Ltd.
(http://www.nextgenss.com/) for reporting the Profile Service
and OWC package issues.
- - ---------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
SO THE FOREGOING LIMITATION MAY NOT APPLY.
- -----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQEVAwUBPRpP+I0ZSRQxA/UrAQFfvAf+PAu67bZtYbEIkQe0lJuaszv7JnnaDPSy
CfX2gwkSr7HCVzbVWAv9u+OJ8Jcf70zq/sXqJkuCGOjA8mw0zTm3c0DSwqOSgpUI
R3FP2i6rSYURrTuFwFz0VRDYaCob/SBzXad+/2bjoLtrfQ9a3a2uJFFlgla1Ao57
piMdVfd+ghEol8O7bv5Kc8Ju8SGbgCAf8DueaDnpbZdw11aJyVJDd+Gg9H5WkhQC
+lfJp43sv9GM/tlJBvIp50oNsgH3WKuxYcaj+oT+oTLLK98/dS/PQVkmPvcpz86S
AAjhvDplc55+jZIiDj0szmRRb9P4NXXiH4KKza2LQhB/VbRSF69Z7w==
=VkpO
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBPRyE6Ch9+71yA2DNAQEEbAQAhoQEfDRRJT8Www2SrDzKjm5NoKb53MYf
c10zgdLKnRDsqdI0hPVNoVd3+SCdcm1lD9nB7sjR3s3X463SI+yYD+FgOHsdVoRX
EgIEcVEY9ecZcogjJY0bJFVwXviOszI5GRtDrSPbiEyP/v76MuzBOJI7L6wgrHLO
IqRW1Rxckok=
=kmcO
-----END PGP SIGNATURE-----