Microsoft Commerce Server Buffer Overflows and Other Flaws Let Remote Users Execute Arbitrary Code with LocalSystem Privileges


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Unchecked Buffer in Profile Service Could Allow Code 
            Execution in Commerce Server (Q322273)
Date:       June 26, 2002
Software:   Microsoft Commerce Server 2000, Commerce Server 2002 
Impact:     Four vulnerabilities, each of which could run code of 
            attacker's choice.
Max Risk:   Critical
Bulletin:   MS02-033

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-033.asp.
- ----------------------------------------------------------------------

Issue:
======
Commerce Server 2000 and Commerce Server 2002 are web server products
for building e-commerce sites. These products provides tools and 
features that simplify developing and deploying e-commerce solutions,
and provide tools that let the site administrator analyze the usage 
of their e-commerce site. 

Four vulnerabilities exist in the Commerce Server products: 

 - A vulnerability that results because the Profile Service contains 
   an unchecked buffer in a section of code that handles certain 
   types of API calls. The Profile Service can be used to enable 
   users to manage their own profile information and to research 
   the status of their order. An attacker who provided specially 
   malformed data to certain calls exposed by the Profile Service 
   could cause the Commerce Server process to fail, or could run 
   code in the LocalSystem security context. This vulnerability 
   only affects Commerce Server 2000. 

 - A buffer overrun vulnerability in the Office Web Components (OWC) 
   package installer used by Commerce Server. An attacker who 
   provided specially malformed data as input to the OWC package 
   installer could cause the process to fail, or could run code in 
   the LocalSystem security context. This vulnerability only affects 
   Commerce Server 2000. 

 - A vulnerability in the Office Web Components (OWC) package 
   installer used by Commerce Server. An attacker who invoked the
   OWC package installer in a particular manner could cause commands
   to be run on the Commerce Server according to the privileges 
   associated with the attacker's log on credentials. This 
   vulnerability only affects Commerce Server 2000. 

 - A new variant of the ISAPI Filter vulnerability discussed in 
   Microsoft Security Bulletin MS02-010. This variant affects both 
   Commerce Server 2000 and Commerce Server 2002. 

Mitigating Factors:
====================
Profile Service buffer overrun: 

 - The affected API calls in the Profile Service are not exposed to 
   the Internet by default. The administrator must set up a Commerce 
   Server site and include Profile Service calls as part of that 
   site. 

 - The URLscan tool, if deployed using the default ruleset for 
   Commerce Server, would make it difficult if not impossible for an 
   attacker to exploit the vulnerability to run code, by 
   significantly limiting the types of data that could be included in
   a URL. It would, however, still be possible to conduct denial of 
   service attacks. 

 - Best practices for web site design can prevent this vulnerability 
   from being exposed by limiting user input that can be accepted by 
   input fields. 

OWC package buffer overrun: 

 - For an attack to succeed, the attacker would need to have 
   credentials to log on to the Commerce Server 2000 computer on 
   which the OWC package installer is kept. 

 - Best practices suggests that unprivileged users not be allowed to 
   interactively log onto business-critical servers. If this 
   recommendation has been followed, unprivileged users would not 
   have access to Commerce Server machines. 

OWC package command execution: 

 - For an attack to succeed, the attacker would need to have 
   credentials to log on to the Commerce Server 2000 computer on 
   which the OWC package installer is kept. 

 - Best practices suggests that unprivileged users not be allowed 
   to interactively log onto business-critical servers. If this 
   recommendation has been followed, unprivileged users would not 
   have access to Commerce Server machines. 

New variant of the ISAPI filter buffer overrun: 

 - Although Commerce Server does rely on IIS for its base web 
   services, the AuthFilter ISAPI filter is only available as part 
   of Commerce Server. Customers using IIS are at no risk from this 
   vulnerability. 

 - The URLScan tool , if deployed using the default ruleset for 
   Commerce Server, would make it difficult if not impossible for 
   an attacker to exploit the vulnerability to run code, by 
   significantly limiting the types of data that could be included 
   in an URL. It would, however, still be possible to conduct denial 
   of service attacks. 

 - An attacker's ability to extend control from a compromised web 
   server to other machines would depend heavily on the specific 
   configuration of the network. Best practices recommend that the 
   network architecture account for the inherent high-risk that 
   machines in an uncontrolled environment, like the Internet, face 
   by minimizing overall exposure though measures like DMZ's, 
   operating with minimal services and isolating contact with 
   internal networks. Steps like this can limit overall exposure 
   and impede an attacker's ability to broaden the scope of a 
   possible compromise. 

 - While the ISAPI filter is installed by default, it is not 
   loaded on any web site by default. It must be enabled through 
   the Commerce Server Administration Console in the Microsoft 
   Management Console (MMC). 

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: None

Patch Availability:
===================
 - A patch is available for these vulnerabilities. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-033.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Mark Litchfield of Next Generation Security Software Ltd. 
   (http://www.nextgenss.com/) for reporting the Profile Service 
   and OWC package issues.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES 
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY 
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES 
SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPRpP+I0ZSRQxA/UrAQFfvAf+PAu67bZtYbEIkQe0lJuaszv7JnnaDPSy
CfX2gwkSr7HCVzbVWAv9u+OJ8Jcf70zq/sXqJkuCGOjA8mw0zTm3c0DSwqOSgpUI
R3FP2i6rSYURrTuFwFz0VRDYaCob/SBzXad+/2bjoLtrfQ9a3a2uJFFlgla1Ao57
piMdVfd+ghEol8O7bv5Kc8Ju8SGbgCAf8DueaDnpbZdw11aJyVJDd+Gg9H5WkhQC
+lfJp43sv9GM/tlJBvIp50oNsgH3WKuxYcaj+oT+oTLLK98/dS/PQVkmPvcpz86S
AAjhvDplc55+jZIiDj0szmRRb9P4NXXiH4KKza2LQhB/VbRSF69Z7w==
=VkpO
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service.  For more
 information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp
 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described
 below:
Send an email to unsubscribe to the Service by following these steps: 
a. Send an e-mail to securrem@microsoft.com. The subject line and the message body are not used to process the subscription request,
 and can be anything you like. 
b. Send the e-mail. 
c. You will receive a response, asking you to verify that you really want to cancel your subscription. Compose a reply, and put "OK"
 in the message body. (Without the quotes). Send the reply. 
d. You will receive an e-mail telling you that your name has been removed from the subscriber list.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

Go to the Top of This SecurityTracker Archive Page