Microsoft Security Bulletin MS03-016
Cumulative Patch for BizTalk Server (815206)
Originally posted: April 30, 2003
Summary
Who should read this bulletin:
Systems Administrators using Microsoft BizTalk 2000 Server and BizTalk 2002 Server
Impact of vulnerability:
Two vulnerabilities, the most serious of which could allow an attacker to run code of their choice
Maximum Severity Rating:
Important
Recommendation:
Systems Administrators using Microsoft BizTalk should consider applying the patch.
Affected Software:
- Microsoft BizTalk Server 2000
- Microsoft BizTalk Server 2002
General Information
Technical details
Technical description:
Microsoft BizTalk Server is an Enterprise Integration product that allows organizations to integrate applications, trading partners, and business processes. BizTalk is used in intranet environments to transfer business documents between different back-end systems as well as extranet environments to exchange structured messages with trading partners. This patch addresses two newly reported vulnerabilities in BizTalk Server.
The first vulnerability affects Microsoft BizTalk Server 2002 only. BizTalk Server 2002 provides the ability to exchange documents using the HTTP format. A buffer overrun exists in the component used to receive HTTP documents - the HTTP receiver - and could result in an attacker being able to execute code of their choice on the BizTalk Server.
The second vulnerability affects both Microsoft BizTalk Server 2000 and BizTalk Server 2002. BizTalk Server provides the ability for administrators to manage documents via a Document Tracking and Administration (DTA) web interface. A SQL injection vulnerability exists in some of the pages used by DTA that could allow an attacker to send a crafted URL query string to a legitimate DTA user. If that user were to then navigate to the URL sent by the attacker, he or she could execute a malicious embedded SQL statement in the query string.
Mitigating factors:
HTTP Receiver Buffer Overflow
- The HTTP Receiver is only present in Microsoft BizTalk Server 2002. BizTalk Server 2000 is not affected by this vulnerability.
- The HTTP receiver is not enabled by default. HTTP must be explicitly enabled as a receive transport during the setup of a BizTalk site.
- If the vulnerability was exploited to run arbitrary code, the code would run in the security context of the IIS Server. If the IIS Server is running under a user account, the attacker's permissions will be limited to those of this user account.
DTA SQL Injection
- DTA users by default are not highly privileged SQL users such as database owners, since they are only required to be members of "BizTalk Server Report Users" security group in order to use DTA web interface. In this case, a successful attacker's permissions on the SQL Server will be restricted.
Severity Rating:
| Microsoft BizTalk Server 2000 | Moderate |
| Microsoft BizTalk Server 2002 | Important |
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifiers:
- HTTP Receiver Buffer Overflow: CAN-2003-0117
- DTA SQL Injection: CAN-2003-0118
Tested Versions:
Microsoft tested Microsoft BizTalk Server 2000 and BizTalk Server 2002 to assess whether they are affected by these vulnerabilities.
Frequently asked questions
HTTP Receiver Buffer Overflow
What's the scope of this vulnerability?
This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could cause IIS to fail, or could cause code of the attacker's choice to be executed with system privileges. Code running with system privileges could provide the attacker with the ability to take any desired action on the machine, such as adding, deleting, or modifying data on the system, and creating or deleting user accounts.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in the BizTalk Server 2002 HTTP Receiver function.
What is the BizTalk Server 2002 HTTP Receiver?
One of BizTalk Server's primary functions is its use to transfer business documents between back end business systems. A number of different document receive functions are available including file transfer, SMTP and MSMQ. BizTalk Server 2002 introduced the ability to use HTTP as a document transfer protocol - this is enabled using the HTTP Receiver function, which is implemented as an ISAPI extension.
The HTTP receiver is not enabled by default and must be explicitly selected as an option when initially setting up a BizTalk site.
What's an ISAPI Extension?
ISAPI (Internet Services Application Programming Interface) is a technology that enables developers to extend the functionality provided by an IIS server. An ISAPI extension is a dynamic link library (.dll) that uses ISAPI to provide a set of web functions above and beyond those natively provided by IIS. When a user needs to use one of the functions that an ISAPI extension exposes, they send a request to the server. It's possible in some cases to call an ISAPI extension directly, but it's more common for users to request files on the server that contain commands to be processed. When a user requests such a file, IIS determines which ISAPI extension should be used to parse the file by consulting a table of script mappings that list the file extensions associated with each ISAPI extension on the server.
What's wrong with the BizTalk Server HTTP Receiver?
There is a flaw in the BizTalk Server ISAPI extension used to receive HTTP documents - known as the HTTP receiver. As a result, it is possible to cause a buffer overrun condition by sending a specially malformed request to the HTTP receiver.
What could this vulnerability enable an attacker to do?
This vulnerability could enable an attacker to run code of his or her choice in the security context of the IIS Server hosting the ISAPI extension. By default IIS 5.0 runs under a user account
How could an attacker exploit this vulnerability?
An attacker could seek to exploit this vulnerability by sending a specially malformed request to the HTTP Receiver. This request could cause a buffer overflow condition that would allow the attacker to execute code of his or her choice on the server.
What does the patch do?
The patch eliminates the vulnerability by ensuring that the HTTP Receiver carries out the correct input validation checks.
DTA SQL Injection
What's the scope of this vulnerability?
This is a SQL injection vulnerability could enable an attacker to take action on the BizTalk SQL database, as well as potentially allowing an attacker to run operating system commands on it depending on the permission of the DTA user who executed the injected SQL statements. Although the vulnerability would give the attacker control over the database, it would only provide limited privileges at the operating system level.
This vulnerability affects both BizTalk Server 2000 and BizTalk Server 2002.
What causes the vulnerability?
The vulnerability results because of incomplete input parameter validation on one of the web pages used in the Document Tracking & Administration web site.
What's the Document Tracking & Administration (DTA) web site?
The DTA website is a website provided to allow administrators to track & administer documents that are being processed by BizTalk server. It allows BizTalk administrators to build queries that will run against the BizTalk tracking database via a web based tool.
By default the DTA website is restricted to members of the "BizTalk Server Report Users" security group. In order to execute queries against the database, an individual must also have the "dta_ui_role" role assigned in the BizTalk SQL database.
What's SQL Injection?
The easiest way to explain SQL Injection is via a scenario. Suppose a web site hosted an application that allowed visitors to the site to search an online database for particular words. If that application operated by simply taking whatever input a user provided, inserting it into a database query, and running the query, it could be possible for an attacker to provide SQL statements instead of text. The result would be that when the web application ran its query, the attacker's commands would be executed as part of this query. This type of vulnerability is known as a SQL Injection.
What's wrong with the DTA website?
Several of the web pages that are part of the DTA website do not carry out correct input validation. Since these pages retrieve information from the URL query string and use it to query the database, an attacker could send a specially crafted URL query string to a legitimate DTA user - if the user were to then navigate to this URL he or she could execute a malicious embedded SQL statement in the query string against the database.
What could an attacker do via the vulnerability?
By exploiting the SQL injection vulnerability an attacker could modify the database query that is submitted to the BizTalk tracking database. This would give the attacker the ability to insert malicious SQL commands embedded in a URL that would be passed to the database.
What commands could be passed to the operating system?
The level of commands that could be passed to the operating system would be proportionate to the level of permissions that the DTA User had on the server hosting the SQL database. DTA users are usually not highly privileged users since they are only required to be members of "BizTalk Server Report Users" security group in order to use DTA web interface. Therefore a user is likely to have very limited permissions to the SQL Server.
However if the user was a systems administrator for the SQL database then the attacker would have the same level of permissions as the user. This could allow an attacker to execute commands on the operating system.
Who could exploit the vulnerability?
Anyone can attempt to craft an URL query string containing malicious SQL statements for the DTA website, however this query string must be executed by a DTA user in order for an attack to be effective.
How could an attacker exploit this vulnerability?
An attacker could exploit this vulnerability by specially crafting a URL and then either sending that URL to a user, or posting it to a website. If the user were to then navigate to the URL, SQL contained in the URL could be injected into the affected web pages in the DTA Website.
Could an attacker just simply copy the web page from any BizTalk server and run it against the BizTalk tracking database?
No, this would not work as the attack requires knowledge of the security information used to connect the IIS web server that the DTA web site is running on to the BizTalk tracking SQL database. An attacker would not be able to gain access to this information unless they had been granted permissions to the IIS Server such as having existing permission on the SQL database.
What does the patch do?
The patch ensures that the affected web page in the DTA website carries out the correct input validation checks.
Patch availability
Download locations for this patch
- Microsoft BizTalk Server 2000:
- Microsoft BizTalk Server 2002:
Additional information about this patch
Installation platforms:
This patch can be installed on systems running BizTalk Server 2002 Gold and BizTalk Server 2000 Service Pack 2.
Inclusion in future service packs:
The fix for this issue will be included in Service Pack 1 for BizTalk Server 2002 and Service Pack 3 for BizTalk 2000.
Reboot needed:
- BizTalk Server 2000: No
- BizTalk Server 2002: No. However, if a file that is being replaced is open, Setup will prompt you to restart the system so the file can be safely updated
Patch can be uninstalled: Yes
Superseded patches: None.
Verifying patch installation:
- BizTalk Server 2000:
- To ensure you have the fix installed properly, verify the individual files by consulting the date/time stamp of the files listed in the file manifest in Microsoft Knowledge Base article at http://support.microsoft.com/support/misc/kblookup.asp?id= 815207
- BizTalk Server 2002 To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\...\815208\Filelist
Caveats:
BizTalk 2002:
The Biztalkhttpreceive.dll file, which is the ISAPI extension for the BizTalk HTTP Receive function, can be moved into locations other than the default location, such as an additional Virtual Directory. This is discussed more in the following MSDN Article: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/bts_2002/htm/lat_admin_server_check_hfos.asp
If your system has been configured in this way, you must copy the new version of Biztalkhttpreceive.dll into these additional locations, as discussed in Microsoft Knowledge Base article 815208
Localization:
Localized versions of this patch are available at the locations discussed in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate web site
Other information:
Acknowledgments
Microsoft thanks Cesar Cerrudo for reporting this issue to us and working with us to protect customers.
Support:
- Microsoft Knowledge Base article 815206 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 (April 30, 2003): Bulletin Created.