NGSSoftware Insight Security Research Advisory

Name:    Microsoft Commerce Server 2000 & Commerce Server 2002
Systems Affected:  WinNT, Win2K, XP
Severity:  High Risk
Category:               Buffer Overrun & Command Execution
Vendor URL:   http://www.microsoft.com/
Authors:  Mark Litchfield (mark@ngssoftware.com) & David Litchfield
(david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/ms-comsrvr.txt
Date:   3rd July 2002
Advisory number: #NISR03062002
VNA Reference:  http://www.ngssoftware.com/vna/ms-comsrvr.txt


Description
***********
Microsoft's Commerce Server 2000 and 2002 are web server products for
building e-commerce sites. These products provide tools and features that
simplify the development and deployment of e-commerce solutions and
analyzing site usage and performance. There are several remotely exploitable
buffer overruns in Commerce Server in disparate locations and a CGI
executable that allows the execution of arbitrary commands.


Details
*******
The Profile Service of Microsoft Commerce Server 2000 allows remote
attackers to cause the server to fail or run arbitrary attacker supplied
code in the security context of the Local SYSTEM account. Several areas in
this service contain vulnerable code.

The Office Web Components (OWC) package installer used by Microsoft Commerce
Server 2000 allows remote attackers to cause the process to run arbitray
code in the LocalSystem security context by via input to the OWC package
installer. By default users have to authenticate to access this executable
so the risk posed is less severe in nature.

Again, the Office Web Components (OWC) package installer for Microsoft
Commerce Server 2000 allows remote attackers to execute commands by passing
the commands as input to the OWC package installer with a '/C' option.


Fix Information
***************
NGSSoftware alerted Microsoft to these problems on the 6th March 2002. The
patches are available from:
Microsoft Commerce Server 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39591
Microsoft Commerce Server 2002:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39550

A check for these issues has been added to Typhon II, of which more
information is available from the NGSSite, http://www.ngssoftware.com.

Further Information
*******************

For further information about the scope and effects of buffer overflows,
please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf