Microsoft Security Bulletin MS02-033 - Unchecked Buffer in Profile Service Could Allow Code Execution in Commerce Server. Four vulnerablities exist: A vulnerability that results because the Profile Service contains an unchecked buffer in a section of code that handles certain types of API calls. The Profile Service can be used to enable users to manage their own profile information and to research the status of their order. An attacker who provided specially malformed data to certain calls exposed by the Profile Service could cause the Commerce Server process to fail, or could run code in the LocalSystem security context. This vulnerability only affects Commerce Server 2000. A buffer overrun vulnerability in the Office Web Components (OWC) package installer used by Commerce Server. An attacker who provided specially malformed data as input to the OWC package installer could cause the process to fail, or could run code in the LocalSystem security context. This vulnerability only affects Commerce Server 2000. A vulnerability in the Office Web Components (OWC) package installer used by Commerce Server. An attacker who invoked the OWC package installer in a particular manner could cause commands to be run on the Commerce Server according to the privileges associated with the attacker's log on credentials. This vulnerability only affects Commerce Server 2000. A new variant of the ISAPI Filter vulnerability discussed in Microsoft Security Bulletin MS02-010. This variant affects both Commerce Server 2000 and Commerce Server 2002.
96d13da1a198a112865b89ca08e207b35426732fbdf38072cb67eb9b7c39bd01 TechNet Home > Security > Bulletins
Microsoft Security Bulletin MS02-033
[Print] Print
Unchecked Buffer in Profile Service Could Allow Code Execution in
Commerce Server (Q322273)
Originally posted: June 26, 2002
Summary
Who should read this bulletin: System administrators using
Microsoft® Commerce Server 2000 or Commerce Server 2002
Impact of vulnerability: Four vulnerabilities, each of which
could run code of attacker’s choice.
Maximum Severity Rating: Critical
Recommendation: System administrators should install the patch
immediately.
Affected Software:
* Microsoft Commerce Server 2000
* Microsoft Commerce Server 2002
Technical details
Technical description:
Commerce Server 2000 and Commerce Server 2002 are web server
products for building e-commerce sites. These products
provides tools and features that simplify developing and
deploying e-commerce solutions, and provide tools that let the
site administrator analyze the usage of their e-commerce site.
Four vulnerabilities exist in the Commerce Server products:
* A vulnerability that results because the Profile Service
contains an unchecked buffer in a section of code that
handles certain types of API calls. The Profile Service
can be used to enable users to manage their own profile
information and to research the status of their order. An
attacker who provided specially malformed data to certain
calls exposed by the Profile Service could cause the
Commerce Server process to fail, or could run code in the
LocalSystem security context. This vulnerability only
affects Commerce Server 2000.
* A buffer overrun vulnerability in the Office Web
Components (OWC) package installer used by Commerce
Server. An attacker who provided specially malformed data
as input to the OWC package installer could cause the
process to fail, or could run code in the LocalSystem
security context. This vulnerability only affects
Commerce Server 2000.
* A vulnerability in the Office Web Components (OWC)
package installer used by Commerce Server. An attacker
who invoked the OWC package installer in a particular
manner could cause commands to be run on the Commerce
Server according to the privileges associated with the
attacker's log on credentials. This vulnerability only
affects Commerce Server 2000.
* A new variant of the ISAPI Filter vulnerability discussed
in Microsoft Security Bulletin MS02-010. This variant
affects both Commerce Server 2000 and Commerce Server
2002.
Mitigating factors:
Profile Service buffer overrun:
* The affected API calls in the Profile Service are not
exposed to the Internet by default. The administrator
must set up a Commerce Server site and include Profile
Service calls as part of that site.
* The URLscan tool, if deployed using the default ruleset
for Commerce Server, would make it difficult if not
impossible for an attacker to exploit the vulnerability
to run code, by significantly limiting the types of data
that could be included in an URL. It would, however,
still be possible to conduct denial of service attacks.
* Best practices for web site design can prevent this
vulnerability from being exposed by limiting user input
that can be accepted by input fields.
OWC package buffer overrun:
* For an attack to succeed, the attacker would need to have
credentials to log on to the Commerce Server 2000
computer on which the OWC package installer is kept.
* Best practices suggests that unprivileged users not be
allowed to interactively log onto business-critical
servers. If this recommendation has been followed,
unprivileged users would not have access to Commerce
Server machines.
OWC package command execution:
* For an attack to succeed, the attacker would need to have
credentials to log on to the Commerce Server 2000
computer on which the OWC package installer is kept.
* Best practices suggests that unprivileged users not be
allowed to interactively log onto business-critical
servers. If this recommendation has been followed,
unprivileged users would not have access to Commerce
Server machines.
New variant of the ISAPI filter buffer overrun:
* Although Commerce Server does rely on IIS for its base
web services, the AuthFilter ISAPI filter is only
available as part of Commerce Server. Customers using IIS
are at no risk from this vulnerability.
* The URLScan tool , if deployed using the default ruleset
for Commerce Server, would make it difficult if not
impossible for an attacker to exploit the vulnerability
to run code, by significantly limiting the types of data
that could be included in a URL. It would, however, still
be possible to conduct denial of service attacks.
* An attacker’s ability to extend control from a
compromised web server to other machines would depend
heavily on the specific configuration of the network.
Best practices recommend that the network architecture
account for the inherent high-risk that machines in an
uncontrolled environment, like the Internet, face by
minimizing overall exposure though measures like DMZ’s,
operating with minimal services and isolating contact
with internal networks. Steps like this can limit overall
exposure and impede an attacker’s ability to broaden the
scope of a possible compromise.
* While the ISAPI filter is installed by default, it is not
loaded on any web site by default. It must be enabled
through the Commerce Server Administration Console in the
Microsoft Management Console (MMC).
Severity Rating:
Profile Service buffer overrun:
Internet Intranet
Servers Servers Client Systems
Commerce Server
2000 Critical Critical None
OWC package buffer overrun:
Internet Intranet
Servers Servers Client Systems
Commerce Server
2000 Moderate Moderate None
OWC package command execution:
Internet Intranet
Servers Servers Client Systems
Commerce Server
2000 Moderate Moderate None
New variant of the ISAPI filter buffer overrun:
Internet Intranet
Servers Servers Client Systems
Commerce Server
2000 Critical Critical None
Commerce Server
2002 Critical Critical None
Aggregate severity of all vulnerabilities eliminated by patch:
Internet Intranet
Servers Servers Client Systems
Commerce Server
2000 Critical Critical None
Commerce Server
2002 Critical Critical None
The above assessment is based on the types of systems affected
by the vulnerability, their typical deployment patterns, and
the effect that exploiting the vulnerability would have on
them. The affected API in the Profile Service is not exposed
to the Internet by default. The OWC package installer requires
credentials for access. The AuthFilter ISAPI filter is
installed but not enabled by default: administrators must
choose to enable this component.
Vulnerability identifier:
* Profile service buffer overrun: CAN-2002-0620
* OWC package buffer overrun: CAN-2002-0621
* OWC package command execution: CAN-2002-0622
* New variant of the ISAPI filter buffer overrun:
CAN-2002-0623
Tested Versions:
Microsoft tested Commerce Server 2000, and Commerce 2002 to
assess whether they are affected by these vulnerabilities.
These vulnerabilities do not affect Microsoft Site Server 3.0
or Microsoft Site Server 3.0 Commerce Edition as these
products do not include the affected components.
Frequently asked questions
What vulnerabilities are addressed by this patch?
This patch addresses four vulnerabilities:
* A vulnerability that could allow an attacker to run code
of their choice via the Profile Service, affecting only
Commerce Server 2000.
* A buffer overrun vulnerability associated with the OWC
package installer that could allow an attacker to run
code of their choice, affecting only Commerce Server
2000.
* A vulnerability associated with the OWC package installer
that could allow an attacker to run commands of their
choice, affecting only Commerce Server 2000.
* A new variant of the ISAPI Filter vulnerability discussed
in Microsoft Security Bulletin MS02-010. This variant
affects both Commerce Server 2000 and Commerce Server
2002.
What’s Microsoft Commerce Server?
Commerce Server is a web server product that’s tailored for
building e-commerce sites. It provides tools and features that
simplify developing and deploying e-commerce solutions, and
also provides tools that let the site administrator analyze
the usage of the site.
I’m running Site Server 3.0 Commerce Edition. Am I affected by
these vulnerabilities?
No. Site Server 3.0 and Site Server 3.0 Commerce Edition, the
predecessor product to Commerce Server 2000, are not affected
by these vulnerabilities.
Profile Service buffer overrun (CVE-CAN-2002-0620)
What’s the scope of the first vulnerability?
This is a buffer overrun vulnerability. An attacker who
successfully exploited this vulnerability could gain complete
control over an affected IIS server. This would give the
attacker the ability to add, delete or change any data on the
server, reformat the hard drive, or take other actions.
For an attack to succeed, the attacker would need to have
credentials to log on to the Commerce Server web site, and so
would either have to be a registered user or go to a Commerce
Server web site that allows self-registration.
If the site is using URLscan or follows best practices with
regard to limiting user input, then the risks of a successful
attack against a Commerce Server site would be significantly
reduced.
What causes the vulnerability?
The vulnerability results because an API method in the Profile
Service contains an unchecked buffer. The administrator
setting up the Commerce Server site may choose to include the
Profile Service and the affected API.
What is the Profile Service used for?
Using the Commerce Server Profile Service, web sites can
provide users with the ability to manage their own profile
information. Users could research the status of orders, be
presented with custom catalogs, and receive discounts and
advertising tailored for them. The Profile Service also helps
organizations to store and manage customer information so as
to provide better service and offerings for their customers.
Is the Profile Service installed by default?
The Profile Service is installed by default, but not enabled
by default. The administrator setting up the Commerce Server
site may choose to use the capabilities provided by Profile
Services on the site.
For example, Commerce Server 2000 comes with three Solution
Sites, which are development reference sites that provide an
integrated set of features included in Commerce Server. The
administrator setting up Commerce Server could use the Retail
Solution Site to set up a business-to-consumer web site. This
Solution Site includes the ability for users to manage their
own profile information and to view their order status.
What would this vulnerability enable an attacker to do?
Depending on the specific data the attacker chose, either of
two effects could occur:
* If the data were randomly selected, the IIS process would
fail.
* If the data were carefully selected, it could be possible
for the attacker to run code of their choice on the
Commerce Server system.
How might an attacker exploit the vulnerability?
An attacker would first have to logon to a Commerce Server
site using credentials that are valid for the site. This means
they would need to either already have valid credentials or
the site would have to allow users to set up credentials on
their own, using self-registration that has been set up by the
Commerce Server administrator. They would then have to visit a
page that is using the affected Profile Service APIs. The
attacker would supply specially malformed data to an input
field that is using an affected Profile Service API.
Could an attack be carried out across the Internet?
Yes, as long as the attacker had credentials on the Commerce
Server, as discussed above, he could seek to exploit this
vulnerability remotely across the Internet.
Could this vulnerability be exploited by accident?
No. The attacker would have to submit specially malformed data
as input to the affected Profile Service calls.
I’ve installed the URLScan tool on my server. Will it prevent
attacks via this vulnerability?
By default, the URLscan tool would prevent an attacker from
using the vulnerability to gain control over the server. This
is because the default ruleset for Commerce Server outlaws
certain types of data, without which it wouldn’t be possible
to modify the Commerce Server process to take meaningful
action. By default, only ASCII data is allowed to pass.
On the other hand, even with URLScan installed, an attacker
could still cause the Commerce Server process to fail. As a
result, even customers who are using URLScan should install
the patch.
What does the patch do?
The patches eliminates the vulnerability by instituting proper
buffer handling within the Profile Service.
OWC package buffer overrun (CVE-CAN-2002-0621)
What’s the scope of the second vulnerability?
This is a buffer overrun vulnerability. An attacker who
successfully exploited this vulnerability would gain complete
control over the machine. This would allow the attacker to
take any desired action on the machine, such as adding,
deleting, or modifying data on the system, creating or
deleting user accounts, and adding accounts to the local
administrators group.
For an attack to succeed, the attacker would need to have
credentials to log on to the computer and access to the
directory where the OWC package is held. Best practices
suggests that unprivileged users not be allowed to
interactively log onto business-critical servers; so if best
practices were followed, systems such as a Commerce Server
computer would not be at risk from this vulnerability.
What causes the vulnerability?
The vulnerability results because the OWC Package contains an
unchecked buffer.
What is the OWC Package for?
This installer package contains the Office Web Components that
are shipped for use with Commerce Server. Running this
executable puts the Office Web Components onto the computer
for use with Commerce Server. The Office Web Components are
installed by default when you set up Commerce Server 2000.
How are Office Web Components used by Commerce Server?
The Office Web Components are used by Commerce Server Business
Desk. Commerce Server Business Desk is a Web-based site
management tool included with Microsoft Commerce Server 2000.
Business Desk hosts business management modules that you use
to configure, manage, and analyze your Commerce Server site.
What would this enable an attacker to do?
Depending on the specific data the attacker chose, either of
two effects could occur:
* If the data were randomly selected, the IIS process would
fail.
* If the data were carefully selected, it could be possible
for the attacker to run code of their choice on the
Commerce Server system in the LocalSystem context.
How might an attacker exploit the vulnerability?
An attacker would need to access the Commerce Server system
using log on credentials and then run the OWC package
installer with specially malformed data supplied as an input
parameter.
What does the patch do?
The patch mitigates the vulnerability by changing the IIS
permissions on the directory containing the OWC package
installer from "script and executables" to "none". This
disallows remote execution of programs from the directory.
But I thought you said this was a buffer overrun
vulnerability, why doesn't the patch fix the unchecked buffer?
There is a security investigation currently underway regarding
the Office Web Components. Because of that, we felt it was not
appropriate to ship a security patch that contained a
component that potentially suffers from a different, unrelated
security issue. On the other hand, we felt it was not
appropriate for these issues to remain unaddressed while we
continue that investigation.
For that reason, we felt it best to address this vulnerability
with a near-term solution that mitigates the exposure to this
issue. The investigation into OWC is continuing as quickly as
possible and a remediation that fully addresses the unchecked
buffer will be available as soon as that is completed.
If the patch mitigates the vulnerability, is there anything I
can do to eliminate it entirely?
Yes, the OWC package installer is named BDOWC.EXE and can be
erased. The OWC package is only used for installation of the
Office Web Components. The BDOWC.EXE program resides in the
subdirectory
/Program Files/Microsoft Commerce Server/widgets/owc
and can be erased using Windows Explorer.
OWC package command execution (CVE-CAN-2002-0622)
What’s the scope of the third vulnerability?
This is a vulnerability that could allow an attacker to
remotely issue commands. An attacker who successfully
exploited this vulnerability would be able to execute a
command of their choosing via the OWC Package installer.
For an attack to succeed, the attacker would need to have
credentials to log on to the computer and access to the
directory where the OWC package is held. Best practices
suggest that unprivileged users not be allowed to
interactively log onto business-critical servers; if best
practices were followed, systems such as a Commerce Server
computer would not be at risk from this vulnerability.
What causes the vulnerability?
The vulnerability results because of a feature of the OWC
package installer. By design, the OWC package installer can
allow a command to be passed as input. This is intended to
enable administrators to be able to customize the installation
of the OWC. Because of the permissions on the folder it
resides in, it could actually be executed by any user who can
access the Commerce Site server with valid log on credentials.
What would this enable an attacker to do?
An attacker could use this vulnerability to execute a command
on the system by passing the command as input to the OWC
package installer. This could lead to running a program of the
attacker’s choice within the privileges associated with the
attackers credentials.
What does the patch do?
As with the second vulnerabilty described above, the patches
mitigates the vulnerability by changing the IIS permissions on
the directory containing the OWC package installer from
"script and executables" to "none". This disallows remote
execution of programs from the directory.
New variant of the ISAPI filter buffer overrun
(CVE-CAN-2002-0623)
What’s the scope of the fourth vulnerability?
This is a new variant of the ISAPI filter buffer overrun
vulnerability discussed in MS02-010. An attacker who
successfully exploited this vulnerability could gain complete
control over an affected commerce web server. This would give
the attacker the ability to take any desired action on the
server, including changing web pages, reformatting the hard
drive or adding new users to the local administrators group.
The vulnerability only affects web sites that use Microsoft
Commerce Server; those using IIS are not at risk. Also, if a
recommended tool has been applied to the server, the
seriousness of the vulnerability would be significantly
reduced. Specifically, if the URLScan tool were in use, the
vulnerability could only be used to cause the service to fail,
after which point it would automatically restart itself. The
URLScan tool is not installed by default.
Are there any differences between this vulnerability and the
one discussed in MS02-010?
The new variant is exactly the same as the original one,
except for the specific way in which it could be exploited.
Where can I get more information on the ISAPI filter
vulnerability?
Microsoft Security Bulletin MS02-010 discusses this
vulnerability in detail.
What does the patch do?
The patch eliminates the vulnerability by instituting proper
buffer handling for the new variant within the AuthFilter
ISAPI filter.
Patch availability
Download locations for this patch
* Microsoft Commerce Server 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39591
* Microsoft Commerce Server 2002:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39550
Additional information about this patch
Installation platforms:
Commerce Server 2000
* This patch can be installed on systems running Commerce
Server 2000 Service Pack 2
Commerce Server 2002
* This patch can be installed on systems running Commerce
Server 2002 Gold
Inclusion in future service packs:
Commerce Server 2000
* The fix for this issue will be included in Commerce
Server 2000 Service Pack 3.
Commerce Server 2002
* The fix for this issue will be included in Commerce
Server 2002 Service Pack 1.
Reboot needed: Yes
Superseded patches: This patch supersedes the one provided in
Microsoft Security Bulletin MS02-010.
Verifying patch installation:
Commerce Server 2000
* To verify that the patch has been installed on the
machine, confirm that the following registry key has been
created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Commerce
Server 2000\SP3\Q322273
Commerce Server 2002
* To verify that the patch has been installed on the
machine, confirm that the following registry key has been
created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Commerce
Server 2002\SP1\Q322273
Caveats:
None
Localization:
Localized versions of this patch are currently available at
the locations listed above in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the
following locations:
* Security patches are available from the Microsoft
Download Center, and can be most easily found by doing a
keyword search for "security_patch".
* Patches for consumer platforms are available from the
WindowsUpdate web site
* All patches available via WindowsUpdate also are
available in a redistributable form from the
WindowsUpdate Corporate site.
Other information:
Acknowledgments
Microsoft thanks Mark Litchfield of Next Generation Security
Software Ltd. for reporting the Profile Service and OWC
package issues and working with us to protect customers.
Support:
* Microsoft Knowledge Base article Q322273 discusses this
issue and will be available approximately 24 hours after
the release of this bulletin. Knowledge Base articles can
be found on the Microsoft Online Support web site.
* Technical support is available from Microsoft Product
Support Services. There is no charge for support calls
associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site
provides additional information about security in Microsoft
products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is
provided "as is" without warranty of any kind. Microsoft
disclaims all warranties, either express or implied, including
the warranties of merchantability and fitness for a particular
purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or
its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the
foregoing limitation may not apply.
Revisions:
* V1.0 (June 26, 2002): Bulletin Created.
Contact Us | E-mail this Page | TechNet Newsletter
© 2002 Microsoft Corporation. All rights reserved. Terms of Use Privacy Statement Accessibility
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed