Microsoft Commerce Server 2000 AuthFilter Buffer Overflow Lets Remote Users Execute Arbitrary Code on the Server With LocalSystem Privileges to Gain Full Control of the Server
SecurityTracker Alert ID: 1003629
SecurityTracker URL: http://securitytracker.com/id/1003629
Date: Feb 22 2002
Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Microsoft reported a buffer overflow vulnerability in Commerce Server 2000. A remote user could execute arbitrary code on the system.
Commerce Server reportedly installs a DLL containing an ISAPI filter called AuthFilter, which has an unchecked buffer in a section of code that handles certain types of authentication requests.
A remote user could supply specially crafted authentication data to trigger the overflow and cause the Commerce Server process to crash or to execute arbitrary code. The code would run in the security context of the Commerce Server process (i.e., with LocalSystem privileges).
Microsoft has assigned this a "Critical" risk rating for Internet and Intranet systems.
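The advisory does not disclose the affected AuthFilter code, so the following is an added illustration (not Microsoft's code) of the defect class and its fix: client-supplied authentication data copied into fixed-size buffers only after its length is checked. The `user:secret` layout, the 64-byte buffers, and all function and type names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define AUTH_BUF_LEN 64  /* hypothetical fixed buffer size */

enum auth_status { AUTH_OK = 0, AUTH_TOO_LONG = -1, AUTH_MALFORMED = -2 };

struct credentials {
    char user[AUTH_BUF_LEN];
    char secret[AUTH_BUF_LEN];
};

/* Unchecked pattern (the defect class described above):
 *     strcpy(out->user, data);
 * The remote client decides how many bytes are written, so anything
 * past AUTH_BUF_LEN lands in adjacent memory of the server process. */

/* Copy src_len bytes only if they fit with a terminator; refuse
 * oversize input outright instead of silently truncating it. */
static int copy_field(char *dst, size_t dst_len,
                      const char *src, size_t src_len)
{
    if (src_len == 0)
        return AUTH_MALFORMED;
    if (src_len >= dst_len)
        return AUTH_TOO_LONG;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return AUTH_OK;
}

/* Parse "user:secret". data_len is the length reported by the server
 * for the received bytes; the input is never assumed NUL-terminated. */
int parse_auth_data(const char *data, size_t data_len,
                    struct credentials *out)
{
    const char *sep;
    size_t user_len;
    int rc;

    if (data == NULL || out == NULL)
        return AUTH_MALFORMED;
    memset(out, 0, sizeof *out);
    sep = memchr(data, ':', data_len);
    if (sep == NULL || memchr(data, '\0', data_len) != NULL)
        return AUTH_MALFORMED;
    user_len = (size_t)(sep - data);
    rc = copy_field(out->user, sizeof out->user, data, user_len);
    if (rc == AUTH_OK)
        rc = copy_field(out->secret, sizeof out->secret,
                        sep + 1, data_len - user_len - 1);
    if (rc != AUTH_OK)
        memset(out, 0, sizeof *out);  /* leave no partial credentials */
    return rc;
}
```

Rejecting the request when a field does not fit, rather than truncating it, keeps an oversize value from being processed as a different credential.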
A remote user could execute arbitrary code with LocalSystem privileges and gain full control of the server.
The vendor has released a fix for Microsoft Commerce Server 2000, available at:
This patch can reportedly be installed on systems running Commerce Server 2000 SP2.
Microsoft reportedly plans to include this fix in Commerce Server 2000 SP3.
Microsoft plans to issue Knowledge Base article Q317615 on this topic shortly.
Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-010.asp
Windows (2000), Windows (XP)
Source Message Contents
Date: Thu, 21 Feb 2002 17:50:01 -0800
Subject: Microsoft Security Bulletin MS02-010
-----BEGIN PGP SIGNED MESSAGE-----
Title: Unchecked Buffer in ISAPI Filter Could Allow Commerce
Date: 21 February 2002
Software: Commerce Server 2000
Impact: Run code of attacker's choice.
Max Risk: Critical
Microsoft encourages customers to review the Security Bulletin at:
By default, Commerce Server 2000 installs a .dll with an ISAPI
filter that allows the server to provide extended functionality in
response to events on the server. This filter, called AuthFilter,
provides support for a variety of authentication methods.
Commerce Server 2000 can also be configured to use other
A security vulnerability results because AuthFilter contains an
unchecked buffer in a section of code that handles certain types
of authentication requests. An attacker who provided
authentication data that overran the buffer could cause the
Commerce Server process to fail, or could run code in the
security context of the Commerce Server process. The
process runs with LocalSystem privileges, so exploiting the
vulnerability would give the attacker complete control of
- Although Commerce Server 2000 does rely on IIS for its base
web services, the AuthFilter ISAPI filter is only available
as part of Commerce Server. Customers using IIS are at no
risk from this vulnerability.
- The URLScan tool, if deployed using the default ruleset for
Commerce Server, would make it difficult if not impossible
for an attacker to exploit the vulnerability to run code,
by significantly limiting the types of data that could be
included in an URL. It would, however, still be possible
to conduct denial of service attacks.
- An attacker's ability to extend control from a compromised
web server to other machines would depend heavily on the
specific configuration of the network. Best practices recommend
that the network architecture account for the inherent high-risk
that machines in an uncontrolled environment, like the Internet,
face by minimizing overall exposure through measures like DMZs,
operating with minimal services and isolating contact with
internal networks. Steps like this can limit overall exposure
and impede an attacker's ability to broaden the scope of a
- While the ISAPI filter is installed by default, it is not loaded
on any web site by default. It must be enabled through the
Commerce Server Administration Console in the Microsoft
Management Console (MMC).
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
for information on obtaining this patch.
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL,
BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR
SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME
NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
-----END PGP SIGNATURE-----
You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification Service.
For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.