From nisr@nextgenss.com Thu Jul 11 01:27:00 2002
From: NGSSoftware Insight Security Research
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Date: Wed, 3 Jul 2002 16:22:28 +0100
Subject: [VulnWatch] Remotely Exploitable Buffer Overruns in Microsoft's Commerce Server 2000/2 (#NISRNISR03062002)

NGSSoftware Insight Security Research Advisory

Name: Microsoft Commerce Server 2000 & Commerce Server 2002
Systems Affected: WinNT, Win2K, XP
Severity: High Risk
Category: Buffer Overrun & Command Execution
Vendor URL: http://www.microsoft.com/
Authors: Mark Litchfield (mark@ngssoftware.com) & David Litchfield (david@ngssoftware.com)
Advisory URL: http://www.ngssoftware.com/advisories/ms-comsrvr.txt
Date: 3rd July 2002
Advisory number: #NISR03062002
VNA Reference: http://www.ngssoftware.com/vna/ms-comsrvr.txt

Description
***********

Microsoft's Commerce Server 2000 and 2002 are web server products for building e-commerce sites. These products provide tools and features that simplify the development and deployment of e-commerce solutions and the analysis of site usage and performance. There are several remotely exploitable buffer overruns in Commerce Server in disparate locations, and a CGI executable that allows the execution of arbitrary commands.

Details
*******

The Profile Service of Microsoft Commerce Server 2000 allows remote attackers to cause the server to fail or to run arbitrary attacker-supplied code in the security context of the Local SYSTEM account. Several areas in this service contain vulnerable code.

The Office Web Components (OWC) package installer used by Microsoft Commerce Server 2000 allows remote attackers to cause the process to run arbitrary code in the LocalSystem security context via input to the OWC package installer. By default users have to authenticate to access this executable, so the risk posed is less severe in nature.

Again, the Office Web Components (OWC) package installer for Microsoft Commerce Server 2000 allows remote attackers to execute commands by passing the commands as input to the OWC package installer with a '/C' option.

Fix Information
***************

NGSSoftware alerted Microsoft to these problems on the 6th March 2002. The patches are available from:

Microsoft Commerce Server 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39591

Microsoft Commerce Server 2002:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39550

A check for these issues has been added to Typhon II, of which more information is available from the NGSSite, http://www.ngssoftware.com.

Further Information
*******************

For further information about the scope and effects of buffer overflows, please see

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
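The two defect classes the advisory describes (an unbounded copy of request input into a fixed buffer, and request input being forwarded to a command interpreter where a '/C' switch is honoured) are shown below as an added, generic illustration. This is not Commerce Server or OWC installer code and the advisory gives no detail of the real parsing; the 64-byte buffer, the function names, the character allow-list and the query-string format are all constructed for the example. The hardened handler bounds the copy, refuses values that look like a command-line switch, and rejects characters outside a small allow-list; a small log-side check flags query strings whose values carry a switch, which is the kind of test a web-log review for this issue would apply.

```c
/* Added example, not part of the NGSSoftware advisory or of any Microsoft
 * product. The buffer size, names and checks are constructed for illustration. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PARAM_MAX 64   /* constructed fixed-size buffer, as in a CGI argument copy */

enum param_verdict {
    PARAM_OK = 0,
    PARAM_TOO_LONG,    /* would overrun the destination buffer */
    PARAM_IS_SWITCH,   /* value begins like a command-line option, e.g. "/C" */
    PARAM_BAD_CHAR     /* character outside the allow-list (shell metachar etc.) */
};

/* Vulnerable pattern: no length check before the copy. If the result is later
 * passed to a command interpreter that accepts a /C switch, the caller also gets
 * command execution. Present only for contrast; never called here. */
void unsafe_copy(char *dst, const char *src)
{
    strcpy(dst, src);   /* writes past dst when strlen(src) >= sizeof buffer */
}

/* Hardened handler: explicit bound, switch refusal and a character allow-list.
 * The copy happens only after every check has passed. */
enum param_verdict safe_param(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen)
        return PARAM_TOO_LONG;                  /* leave room for the terminator */
    if (n > 0 && (src[0] == '/' || src[0] == '-'))
        return PARAM_IS_SWITCH;                 /* "/C ...", "-x" and similar */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (!(isalnum(c) || c == '.' || c == '_'))
            return PARAM_BAD_CHAR;              /* rejects ';', '&', '|', ' ', ... */
    }
    memcpy(dst, src, n + 1);
    return PARAM_OK;
}

/* Convenience wrapper with an internal buffer so the verdict can be checked
 * without the caller managing storage. */
int check_param(const char *src)
{
    char buf[PARAM_MAX];
    return (int)safe_param(buf, sizeof buf, src);
}

/* Log-side check over a raw query string ("key=value&key=value", values split
 * on '+' or ' '): returns 1 when any value token begins with '/' or '-'.
 * Assumes the string has already been URL-decoded (e.g. %2F -> '/'). */
int query_has_switch(const char *query)
{
    int at_token_start = 0;   /* set right after '=', '+' or ' ' inside a value */
    for (const char *p = query; *p; p++) {
        if (*p == '&') { at_token_start = 0; continue; }   /* back in a key */
        if (*p == '=' || *p == '+' || *p == ' ') { at_token_start = 1; continue; }
        if (at_token_start && (*p == '/' || *p == '-'))
            return 1;
        at_token_start = 0;
    }
    return 0;
}

int main(void)
{
    /* constructed sample inputs */
    const char *inputs[] = { "catalog_1.pkg", "/C dir", "a;b",
        "this_name_is_far_longer_than_the_sixty_four_byte_buffer_allows_here" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-70s -> verdict %d\n", inputs[i], check_param(inputs[i]));
    printf("query flagged: %d\n", query_has_switch("pkg=site.pkg&opt=/C+whoami"));
    return 0;
}
```

The allow-list is deliberately narrow (alphanumerics, '.' and '_'); a real handler would widen it to exactly what the installer needs and nothing more. The query check is a coarse triage aid for web logs and must run on decoded input, since an encoded slash would otherwise slip past it.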