Microsoft Security Bulletin MS02-041 - Unchecked Buffer in Content Management Server Could Enable Server Compromise. Three security vulnerabilities: A buffer overrun in a low-level function that performs user authentication, a vulnerability resulting from the confluence of two flaws affecting a function that allows files to be uploaded to the server, and a SQL injection vulnerability affecting a function that services requests for image files and other resources.
6e540b40befc61c59dcfc09856719d609a1bd1b820d42e2c173b0ddf3fac1347 TechNet Home > Security > Bulletins
Microsoft Security Bulletin MS02-041
[Print] Print
Unchecked Buffer in Content Management Server Could Enable Server
Compromise (Q326075)
Originally posted: August 7, 2002
Summary
Who should read this bulletin: System administrators using
Microsoft® Content Management Server 2001.
Impact of vulnerability: Three vulnerabilities, the most
serious of which could enable an attacker to gain full control
over the server
Maximum Severity Rating: Critical
Recommendation: System administrators should apply the patch
immediately.
Affected Software:
* Microsoft Content Management Server 2001
Technical details
Technical description:
Microsoft Content Management Server (MCMS) 2001 is a .Net
Enterprise Server product that simplifies developing and
managing e-business web sites. Microsoft has learned of three
security vulnerabilities affecting it:
* A buffer overrun in a low-level function that performs
user authentication. At least one web page included with
MCMS 2001 passes inputs directly to the function, thereby
potentially providing a way for an attacker to overrun
the buffer. The result of exploiting the vulnerability
would be to either cause MCMS to fail, or run code in the
context of the MCMS service (which runs as Local System).
* A vulnerability resulting from the confluence of two
flaws affecting a function that allows files to be
uploaded to the server. The first flaw lies in how the
function authenticates requests, and would allow any user
to submit an upload request. The second results because
it is possible to override the upload location; where the
function should upload files to a folder that only
privileged users can access, it can be overridden to
upload it to a temporary folder that does allow
unprivileged users to call it. By exploiting the two
flaws in tandem, an attacker could upload an .ASP or
other file to the server, in a location from which it
could be executed.
* A SQL injection vulnerability affecting a function that
services requests for image files and other resources.
Exploiting the vulnerability could enable an attacker to
run SQL commands on the server, which would not only
allow data in the MCMS database to be added, changed or
deleted, but also would enable the attacker to run
operating system commands on the server.
Mitigating factors:
Buffer Overrun in MCMS Authentication Operation:
* The scope of the vulnerability could be significantly
reduced if the URLScan tool were deployed on the server.
It is likely that in this case, the vulnerability could
only be used for denial of service attacks.
Program Execution via MCMS Authoring Function:
* Exploiting the vulnerability would not grant the attacker
administrative privileges on the server. Instead, the
attacker’s code would execute in the security context of
the Web Application Manager (the IWAM_computername
account), which has similar privileges to those of an
interactively logged-on user.
SQL Injection via MCMS Resource Request:
* Exploiting the vulnerability would not grant the attacker
administrative privileges on the server. Instead, any
operating system commands would be levied in the security
context of the SQL Server™ 2000 service, which by default
has only Domain User privileges.
Severity Rating:
Buffer Overrun in MCMS Authentication Operation:
Internet Intranet Client
Servers Servers Systems
Microsoft Content
Management Server 2001 Critical Critical None
Program Execution via MCMS Authoring Function:
Internet Intranet Client
Servers Servers Systems
Microsoft Content
Management Server 2001 Moderate Moderate None
SQL Injection via MCMS Resource Request:
Internet Intranet Client
Servers Servers Systems
Microsoft Content
Management Server 2001 Moderate Moderate None
The above assessment is based on the types of systems affected
by the vulnerability, their typical deployment patterns, and
the effect that exploiting the vulnerability would have on
them.
Vulnerability identifiers:
* Buffer Overrun in MCMS Authentication Operation:
CAN-2002-0700
* Program Execution via MCMS Authoring Function:
CAN-2002-0718
* SQL Injection via MCMS Resource Request:
CAN-2002-0719
Tested Versions:
Microsoft tested Microsoft Content Management Server 2001 to
assess whether it is affected by these vulnerabilities.
Previous versions are no longer supported, and may or may not
be affected by these vulnerabilities.
Frequently asked questions
What vulnerabilities does this patch eliminate?
This patch eliminates three vulnerabilities involving
Microsoft Content Management Server 2001 (MCMS).
What is Microsoft Content Management Server?
Microsoft Content Management Server (MCMS) enables companies
to quickly and efficiently build, deploy, and maintain web
sites. Using MCMS, companies can create, publish and manage
web content, as well as managing the server resources that are
available to the site.
MCMS operates in conjunction with several other Microsoft
products. IIS 5.0 provides the underlying web server
functionality, and SQL Server 7.0 or 2000 provides the
underlying database support.
What are the vulnerabilities?
There are three vulnerabilities:
* The first vulnerability could enable an attacker to gain
complete control over an affected server.
* The second vulnerability could enable an attacker to gain
significant, but less than complete, control over a
server.
* The third vulnerability could enable an attacker to
execute SQL commands on an MCMS server.
Buffer Overrun in MCMS Authentication Operation
(CAN-2002-0700):
What’s the scope of this vulnerability?
This is a buffer overrun vulnerability. By sending a specially
chosen request to an affected server, an attacker could either
disrupt web services or gain the ability to run a program on
the server. Such a program would run with full system
privileges, and be capable of taking any action the attacker
desired.
The URLScan tool, when deployed with the default ruleset,
would make it difficult to use the vulnerability to gain
control of the server, and likely reduce it to a denial of
service attack only.
What causes the vulnerability?
The vulnerability results because a function that supports
user authentication in MCMS contains an unchecked buffer. By
providing specially malformed authentication to a web page
that calls the function, it could be possible to overrun the
buffer.
What do you mean by "a function that supports user
authentication"? MCMS offers the ability to host web pages
that can only be visited by certain users. For instance, a
company might host a members-only web site, and require that
authenticate before being given access to the site. MCMS
supports a variety of authentication methods, including web
sign-in pages, pop-up dialogues, and so forth.
Some of these methods include their own capability to
adjudicate a user’s credentials; in other cases, a two-step
process is used, wherein the site first gathers the user’s
credentials and then submits them to an MCMS system function
for adjudication. The vulnerability here lies in one of the
system functions.
What’s wrong with the function?
The function contains an unchecked buffer. If a user’s
credentials exceeded a certain length, they would overrun the
buffer.
What would the vulnerability enable an attacker to do?
An attacker who exploited this vulnerability could use it for
either of two purposes.
* Service disruption. By overrunning the buffer with random
data, the attacker could corrupt program code and cause
the MCMS authentication service to fail, thereby
preventing legitimate users from accessing the web site.
* Change the operation of the MCMS authentication service.
By overrunning the buffer with carefully selected data,
the attack could overwrite program code on the service
with new program code, in essence modifying its
functionality.
Who could exploit the vulnerability?
The vulnerability could be exploited by any user who was able
to connect to an affected server and access a web page that
not only collects authentication data and passes it to the
affected system function, but also doesn’t check the length of
the inputs. That is, the web page would need to have the same
flaw as the system function. This is less of a barrier than it
might initially seem, though, as it’s true of one of the web
pages included with MCMS by default.
If the vulnerability were exploited to cause the MCMS
Authentication service to fail, what would be needed to
restore normal operation?
The administrator would just need to restart the service.
If the vulnerability were exploited to change the operation of
the server software, what would the attacker be able to do?
The attacker could gain complete control over the server. The
service within which the system function runs does so with
LocalSystem privileges – that is, the privileges of the
operating system itself.
Would the URLScan tool protect my system against this
vulnerability?
It wouldn’t offer total protection, but it would significantly
reduce the scope of the vulnerability. By default, URLScan
blocks all URLs that contain non-ASCII data. This would not
prevent an attacker from causing the service to fail –
overrunning the buffer with virtually any data would
accomplish that goal. However, it would make it difficult to
exploit the vulnerability to alter the operation of the server
software, because the attacker would need to construct valid
executable code using only ASCII data.
How does the patch eliminate the vulnerability?
The patch restores proper input checking to the system
function. In addition, it institutes proper length checking in
the web page that calls it.
Program Execution via MCMS Authoring Function (CAN-2002-0718):
What’s the scope of this vulnerability?
This vulnerability could enable an attacker to load a program
onto an affected web server and then execute it. Under default
conditions, the program would have the same privileges as a
user who could interactively log onto the server. While this
would not give the attacker control over the server, it could
serve as a beachhead from which the attack could try to gain
additional privileges.
What causes the vulnerability?
The vulnerability results because of a pair of flaws in the
way MCMS handles a particular type of web authoring command.
One flaw makes it possible to spoof the command’s
authentication; the other makes it possible to upload
executable content instead of the intended type of content.
What do you mean by web authoring?
One of the purposes of MCMS is to allow authorized users to
upload new web pages that they’ve created. This process is
known as web authoring. The user submits a command to the
server, which then uploads the file to the server and makes it
available for use by other users. In the case of this
vulnerability, the web authoring command is one that’s
normally used to upload image files and other non-executable
files to the server.
What’s wrong with the function?
There are two problems. The first involves how MCMS
authenticates the user levying the request. The function
should identify the user, then confirm the user’s permissions
to allow him or her to post information to the server.
However, a coding flaw causes MCMS to use the wrong identity
when confirming the user’s permission – one that always passes
the test. As a result, any user submitting the request would
be authenticated successfully.
By itself, this flaw would not pose a security vulnerability.
The function is designed to only allow certain types of files
to be uploaded, and even then only to certain locations on the
server – ones from which they can’t be executed. However, a
second flaw allows these restrictions to be bypassed.
What’s the second flaw?
The second flaw involves the way the web authoring function
uploads files. By design, a newly uploaded file is first moved
to a temporary location. Almost immediately thereafter, it’s
stored permanently in a database on the server, and the
temporary copy is deleted. The flaw could enable the person
levying the web authoring request to change the temporary
location to any desired folder on the server.
Why does the second flaw pose a security problem?
By using the second flaw, an attacker could change the
temporary storage location. Under normal conditions, MCMS
stores the file in a folder that doesn’t allow users to
execute it. However, an attacker who exploited the
vulnerability could choose a different folder – one that did
allow files within it to be executed.
Even after exploiting the vulnerability, some timing would be
required in order to actually execute the file – recall that
the file only exists in the temporary location for a short
time before it’s deleted. Because of this, the attacker would
need to upload the file, then time the attempt to execute it
fairly precisely.
What would these flaws enable an attacker to do?
The two flaws, if exploited in combination, would let an
attacker upload an executable file such as an .asp file and
then immediately execute it.
Would the attacker’s code run with full control over the
system?
No. MCMS uses IIS 5.0 as its core web server engine. On IIS
5.0, asp files and other executables run out-of-process by
default – that is, in the security context of a special user
account called the Web Application Manager. (Web
administrators may know this account better as
IWAM_computername, where computername is the name of the
server). This account has significantly fewer privileges than
the IIS service itself, and does not have full control over
the system.
What privileges does the Web Application Manager have?
Essentially, the account has the same privileges as those of
an unprivileged user who was able to log onto the server
interactively. It would not enable an attacker to take
administrative action, reconfigure the server, or access
important files such as the Security Account Manager database.
Nevertheless, it is important not to underestimate the damage
that could be caused using even these privileges. Even these
privileges could be used to cause significant damage. Worse,
the vulnerability could potentially give an attacker a
beachhead from which to conduct additional attacks and try to
obtain additional privileges.
Who could exploit the vulnerability?
Any user who could submit a web authoring request to an
affected server could exploit the vulnerability. In most
cases, this would mean that any user who had connectivity to
the server could exploit the vulnerability.
What if web authoring were disabled on the server?
The vulnerability couldn’t be exploited if web authoring were
disabled. This can be done by using the MCMS Server
Configuration Application (SCA), selecting the "Web" tab,
pressing the "configure" button and setting "Without
Authoring" to true.
How does the patch eliminate the vulnerability?
The patch causes MCMS to properly authenticate web authoring
requests, and prevents users from being able to change the
upload folder.
SQL Injection via MCMS Resource Request (CAN-2002-0719):
What’s the scope of this vulnerability?
This vulnerability could enable an attacker to take action on
the MCMS database, as well as potentially allowing the
attacker to run operating system commands on it. Although the
vulnerability would give the attacker complete control over
the database, it would only provide limited privileges at the
operating system level.
What causes the vulnerability?
The vulnerability results because a command used to request
resources from an MCMS server is vulnerable to a SQL injection
attack.
What’s SQL Injection?
The easiest way to explain SQL Injection is via a scenario.
Suppose a web site hosted an application for the purpose of
allowing visitors to the site to search an online database for
particular words. Further, suppose that the application
operated by simply taking whatever input a user provided,
inserting it into a database query, and running the query. In
such a case, it could be possible for an attacker to provide
SQL statements instead of text, with the result that when the
web application ran its query, the attacker’s commands would
be executed as part of the query. Such a vulnerability is
known as a SQL Injection vulnerability.
What part of MCMS contains the vulnerability?
The vulnerability lies in a part of MCMS that allows users and
web pages to request resources such as image files from the
server. Such files are stored within a database on the server,
but the function used t retrieve them doesn’t adequately
validate input data before using it. The result is a SQL
injection vulnerability.
What could an attacker do via the vulnerability?
By exploiting the SQL injection vulnerability, an attacker
could, in essence, modify the database query that MCMS submits
when it responds to a resource request. This would give the
attacker the ability to add any desired SQL commands to it.
This would give the attacker the ability to take any desired
action on the database, including adding, changing or deleting
data. But it would also give the attacker a way to run
operating system commands as well. SQL commands exist that
allow the caller, if sufficiently privileged, to pass commands
to the operating system.
What could the attacker do by levying operating system
commands?
Under default conditions, the attacker wouldn’t gain
significant privileges on the system. The commands would
execute with the privileges of the SQL Server 2000 service.
While SQL Server does have complete control over the database,
it only has limited privileges by default at the operating
system level. Specifically, it has only the privileges of a
Domain User. These are roughly akin to the privileges of a
user who could log onto the server at the keyboard.
Who could exploit the vulnerability?
By default, any user who could establish a connection with an
affected system could levy the request and exploit the
vulnerability.
How does the patch eliminate the vulnerability?
The patch eliminates the vulnerability by causing the affected
function to validate the parameters in a resource request and
strip out SQL commands if they are provided.
Patch availability
Download locations for this patch
* Microsoft Content Management Server 2001:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=41266
Additional information about this patch
Installation platforms:
This patch can be installed on systems running Microsoft
Content Management Server 2001 Service Pack 1
Inclusion in future service packs:
The fix for this issue will be included in Microsoft Content
Management Server 2001 Service Pack 2.
Reboot needed: No
Patch can be uninstalled: Yes
Superseded patches: None.
Verifying patch installation:
* To verify that the patch has been installed on the
machine, confirm that the following registry key has been
created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\MCMS
2001\Q326075
Caveats:
None
Localization:
Microsoft Content Management Server 2001 is English only, so
localized patches are not required.
Obtaining other security patches:
Patches for other security issues are available from the
following locations:
* Security patches are available from the Microsoft
Download Center, and can be most easily found by doing a
keyword search for "security_patch".
* Patches for consumer platforms are available from the
WindowsUpdate web site
Other information:
Acknowledgments
Microsoft thanks Joao Gouveia for reporting this issue to us
and working with us to protect customers.
Support:
* Microsoft Knowledge Base article Q326075 discusses this
issue and will be available approximately 24 hours after
the release of this bulletin. Knowledge Base articles can
be found on the Microsoft Online Support web site.
* Technical support is available from Microsoft Product
Support Services. There is no charge for support calls
associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site
provides additional information about security in Microsoft
products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is
provided "as is" without warranty of any kind. Microsoft
disclaims all warranties, either express or implied, including
the warranties of merchantability and fitness for a particular
purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business
profits or special damages, even if Microsoft Corporation or
its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation
of liability for consequential or incidental damages so the
foregoing limitation may not apply.
Revisions:
* V1.0 (August 7, 2002): Bulletin Created.
Contact Us | E-mail this Page | TechNet Newsletter
© 2002 Microsoft Corporation. All rights reserved. Terms of Use Privacy Statement Accessibility
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed