SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Commerce)  >   Microsoft Commerce Server Vendors:   Microsoft
Microsoft Commerce Server Buffer Overflows and Other Flaws Let Remote Users Execute Arbitrary Code with LocalSystem Privileges
SecurityTracker Alert ID:  1004637
SecurityTracker URL:  http://securitytracker.com/id/1004637
CVE Reference:   CVE-2002-0620, CVE-2002-0621, CVE-2002-0622, CVE-2002-0623   (Links to External Site)
Date:  Jun 27 2002
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Commerce Server 2000 and 2002
Description:   Microsoft reported several buffer overflow vulnerabilities in Microsoft Commerce Server. A remote user could execute arbitrary code on the system with LocalSystem privileges.

Four separate vulnerabilities were reported.

A buffer overflow in the Profile Service of Commerce Server 2000 in processing certain types of API calls may allow a remote authenticated user to supply specially crafted data to certain calls to cause the service to crash or to execute arbitrary code with LocalSystem privileges. This would give the remote user complete control over the system. Note that the Profile Service is installed by default but is not enabled by default. So, these calls are not exposed to the Internet by default. Also, the remote user must be authenticated to the Commerce Server web site (or the site must allow self-registration).

A buffer overflow in the Office Web Components (OWC) package installer component of Commerce Server 2000 may allow a remote authenticated user to supply specially crafted data as input to the OWC package installer to cause the process to crash or to execute arbitrary code with LocalSystem privileges.

Another bug in the the Office Web Components (OWC) package installer used by Commerce Server 2000 could allow a remote authenticated user to invoke the OWC package installer in a particular manner to cause commands to be executed on the system with the same privileges as the user.

A buffer overflow in the ISAPI AuthFilter code that processes certain types of authentication requests in Commerce Server 2000 and 2002 allows a remote user to execute arbitrary code on the system to take full control of the system. This flaw is reportedly similar to the ISAPI filter buffer overrun vulnerability discussed in MS02-010. However, Microsoft states that only Commerce Server users are affected and Internet Information Server (IIS) are not affected [the previous MS02-010 bug affected IIS]. The ISAPI filter is installed by default but is not loaded on any Commerce Server web site by default. According to the report, it must be enabled through the Commerce Server Administration Console in the Microsoft Management Console (MMC).

The vendor notes that Site Server 3.0 and Site Server 3.0 Commerce Edition are not affected by any of these vulnerabilities.

Microsoft credits Mark Litchfield of Next Generation Security Software Ltd. for reporting the Profile Service and OWC package vulnerabilities.

Impact:   A remote user can execute arbitrary code on the system with LocalSystem privileges to gain full control over the system. A remote user may also be able to crash the Commerce Server service.
Solution:   The vendor has released patches, available at the following locations.

For Microsoft Commerce Server 2000:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39591

For Microsoft Commerce Server 2002:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39550

The Commerce Server 2000 patch can be applied to systems running Commerce Server 2000 SP2. The Commerce Server 2002 patch can be installed on top of Commerce Server 2002 Gold.

Microsoft reports that the fix will be included in Commerce Server 2000 SP3 and Commerce Server 2002 SP1.

This patch supersedes the one referenced in Microsoft Security Bulletin MS02-010.

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS02-033.asp (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Microsoft Security Bulletin MS02-033: Unchecked Buffer in Profile Service Could Allow Code Execution in Commerce Server (Q322273)


-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Unchecked Buffer in Profile Service Could Allow Code 
            Execution in Commerce Server (Q322273)
Date:       June 26, 2002
Software:   Microsoft Commerce Server 2000, Commerce Server 2002 
Impact:     Four vulnerabilities, each of which could run code of 
            attacker's choice.
Max Risk:   Critical
Bulletin:   MS02-033

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-033.asp.
- ----------------------------------------------------------------------

Issue:
======
Commerce Server 2000 and Commerce Server 2002 are web server products
for building e-commerce sites. These products provides tools and 
features that simplify developing and deploying e-commerce solutions,
and provide tools that let the site administrator analyze the usage 
of their e-commerce site. 

Four vulnerabilities exist in the Commerce Server products: 

 - A vulnerability that results because the Profile Service contains 
   an unchecked buffer in a section of code that handles certain 
   types of API calls. The Profile Service can be used to enable 
   users to manage their own profile information and to research 
   the status of their order. An attacker who provided specially 
   malformed data to certain calls exposed by the Profile Service 
   could cause the Commerce Server process to fail, or could run 
   code in the LocalSystem security context. This vulnerability 
   only affects Commerce Server 2000. 

 - A buffer overrun vulnerability in the Office Web Components (OWC) 
   package installer used by Commerce Server. An attacker who 
   provided specially malformed data as input to the OWC package 
   installer could cause the process to fail, or could run code in 
   the LocalSystem security context. This vulnerability only affects 
   Commerce Server 2000. 

 - A vulnerability in the Office Web Components (OWC) package 
   installer used by Commerce Server. An attacker who invoked the
   OWC package installer in a particular manner could cause commands
   to be run on the Commerce Server according to the privileges 
   associated with the attacker's log on credentials. This 
   vulnerability only affects Commerce Server 2000. 

 - A new variant of the ISAPI Filter vulnerability discussed in 
   Microsoft Security Bulletin MS02-010. This variant affects both 
   Commerce Server 2000 and Commerce Server 2002. 

Mitigating Factors:
====================
Profile Service buffer overrun: 

 - The affected API calls in the Profile Service are not exposed to 
   the Internet by default. The administrator must set up a Commerce 
   Server site and include Profile Service calls as part of that 
   site. 

 - The URLscan tool, if deployed using the default ruleset for 
   Commerce Server, would make it difficult if not impossible for an 
   attacker to exploit the vulnerability to run code, by 
   significantly limiting the types of data that could be included in
   a URL. It would, however, still be possible to conduct denial of 
   service attacks. 

 - Best practices for web site design can prevent this vulnerability 
   from being exposed by limiting user input that can be accepted by 
   input fields. 

OWC package buffer overrun: 

 - For an attack to succeed, the attacker would need to have 
   credentials to log on to the Commerce Server 2000 computer on 
   which the OWC package installer is kept. 

 - Best practices suggests that unprivileged users not be allowed to 
   interactively log onto business-critical servers. If this 
   recommendation has been followed, unprivileged users would not 
   have access to Commerce Server machines. 

OWC package command execution: 

 - For an attack to succeed, the attacker would need to have 
   credentials to log on to the Commerce Server 2000 computer on 
   which the OWC package installer is kept. 

 - Best practices suggests that unprivileged users not be allowed 
   to interactively log onto business-critical servers. If this 
   recommendation has been followed, unprivileged users would not 
   have access to Commerce Server machines. 

New variant of the ISAPI filter buffer overrun: 

 - Although Commerce Server does rely on IIS for its base web 
   services, the AuthFilter ISAPI filter is only available as part 
   of Commerce Server. Customers using IIS are at no risk from this 
   vulnerability. 

 - The URLScan tool , if deployed using the default ruleset for 
   Commerce Server, would make it difficult if not impossible for 
   an attacker to exploit the vulnerability to run code, by 
   significantly limiting the types of data that could be included 
   in an URL. It would, however, still be possible to conduct denial 
   of service attacks. 

 - An attacker's ability to extend control from a compromised web 
   server to other machines would depend heavily on the specific 
   configuration of the network. Best practices recommend that the 
   network architecture account for the inherent high-risk that 
   machines in an uncontrolled environment, like the Internet, face 
   by minimizing overall exposure though measures like DMZ's, 
   operating with minimal services and isolating contact with 
   internal networks. Steps like this can limit overall exposure 
   and impede an attacker's ability to broaden the scope of a 
   possible compromise. 

 - While the ISAPI filter is installed by default, it is not 
   loaded on any web site by default. It must be enabled through 
   the Commerce Server Administration Console in the Microsoft 
   Management Console (MMC). 

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: None

Patch Availability:
===================
 - A patch is available for these vulnerabilities. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-033.asp
   for information on obtaining this patch.

Acknowledgment:
===============
 - Mark Litchfield of Next Generation Security Software Ltd. 
   (http://www.nextgenss.com/) for reporting the Profile Service 
   and OWC package issues.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS 
ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES 
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY 
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES 
SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPRpP+I0ZSRQxA/UrAQFfvAf+PAu67bZtYbEIkQe0lJuaszv7JnnaDPSy
CfX2gwkSr7HCVzbVWAv9u+OJ8Jcf70zq/sXqJkuCGOjA8mw0zTm3c0DSwqOSgpUI
R3FP2i6rSYURrTuFwFz0VRDYaCob/SBzXad+/2bjoLtrfQ9a3a2uJFFlgla1Ao57
piMdVfd+ghEol8O7bv5Kc8Ju8SGbgCAf8DueaDnpbZdw11aJyVJDd+Gg9H5WkhQC
+lfJp43sv9GM/tlJBvIp50oNsgH3WKuxYcaj+oT+oTLLK98/dS/PQVkmPvcpz86S
AAjhvDplc55+jZIiDj0szmRRb9P4NXXiH4KKza2LQhB/VbRSF69Z7w==
=VkpO
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service.  For more
 information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp
 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described
 below:
Send an email to unsubscribe to the Service by following these steps: 
a. Send an e-mail to securrem@microsoft.com. The subject line and the message body are not used to process the subscription request,
 and can be anything you like. 
b. Send the e-mail. 
c. You will receive a response, asking you to verify that you really want to cancel your subscription. Compose a reply, and put "OK"
 in the message body. (Without the quotes). Send the reply. 
d. You will receive an e-mail telling you that your name has been removed from the subscriber list.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC