• Article

Security Bulletin

Microsoft Security Bulletin MS02-041 - Critical

Unchecked Buffer in Content Management Server Could Enable Server Compromise (Q326075)

Published: August 07, 2002

Version: 1.0

Originally posted: August 7, 2002

Summary

Who should read this bulletin:  System administrators using Microsoft® Content Management Server 2001.

Impact of vulnerability:  Three vulnerabilities, the most serious of which could enable an attacker to gain full control over the server

Maximum Severity Rating:  Critical

Recommendation:  System administrators should apply the patch immediately.

Affected Software:

  • Microsoft Content Management Server 2001

General Information

Technical details

Technical description:

Microsoft Content Management Server (MCMS) 2001 is a .Net Enterprise Server product that simplifies developing and managing e-business web sites. Microsoft has learned of three security vulnerabilities affecting it:

  • A buffer overrun in a low-level function that performs user authentication. At least one web page included with MCMS 2001 passes inputs directly to the function, thereby potentially providing a way for an attacker to overrun the buffer. The result of exploiting the vulnerability would be to either cause MCMS to fail, or run code in the context of the MCMS service (which runs as Local System).
  • A vulnerability resulting from the confluence of two flaws affecting a function that allows files to be uploaded to the server. The first flaw lies in how the function authenticates requests, and would allow any user to submit an upload request. The second results because it is possible to override the upload location; where the function should upload files to a folder that only privileged users can access, it can be overridden to upload it to a temporary folder that does allow unprivileged users to call it. By exploiting the two flaws in tandem, an attacker could upload an .ASP or other file to the server, in a location from which it could be executed.
  • A SQL injection vulnerability affecting a function that services requests for image files and other resources. Exploiting the vulnerability could enable an attacker to run SQL commands on the server, which would not only allow data in the MCMS database to be added, changed or deleted, but also would enable the attacker to run operating system commands on the server.

Mitigating factors:

Buffer Overrun in MCMS Authentication Operation:

  • The scope of the vulnerability could be significantly reduced if the URLScan tool were deployed on the server. It is likely that in this case, the vulnerability could only be used for denial of service attacks.

Program Execution via MCMS Authoring Function:

  • Exploiting the vulnerability would not grant the attacker administrative privileges on the server. Instead, the attacker's code would execute in the security context of the Web Application Manager (the IWAM_computername account), which has similar privileges to those of an interactively logged-on user.

SQL Injection via MCMS Resource Request:

  • Exploiting the vulnerability would not grant the attacker administrative privileges on the server. Instead, any operating system commands would be levied in the security context of the SQL Server™ 2000 service, which by default has only Domain User privileges.

Severity Rating:

Buffer Overrun in MCMS Authentication Operation:

Internet Servers Intranet Servers Client Systems
Microsoft Content Management Server 2001 Critical Critical None

Program Execution via MCMS Authoring Function:

Internet Servers Intranet Servers Client Systems
Microsoft Content Management Server 2001 Moderate Moderate None

SQL Injection via MCMS Resource Request:

Internet Servers Intranet Servers Client Systems
Microsoft Content Management Server 2001 Moderate Moderate None

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifiers:

Tested Versions:

Microsoft tested Microsoft Content Management Server 2001 to assess whether it is affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What vulnerabilities does this patch eliminate?
This patch eliminates three vulnerabilities involving Microsoft Content Management Server 2001 (MCMS).

What is Microsoft Content Management Server?
Microsoft Content Management Server (MCMS) enables companies to quickly and efficiently build, deploy, and maintain web sites. Using MCMS, companies can create, publish and manage web content, as well as managing the server resources that are available to the site. MCMS operates in conjunction with several other Microsoft products. IIS 5.0 provides the underlying web server functionality, and SQL Server 7.0 or 2000 provides the underlying database support.

What are the vulnerabilities?
There are three vulnerabilities:

  • The first vulnerability could enable an attacker to gain complete control over an affected server.
  • The second vulnerability could enable an attacker to gain significant, but less than complete, control over a server.
  • The third vulnerability could enable an attacker to execute SQL commands on an MCMS server.

Buffer Overrun in MCMS Authentication Operation (CAN-2002-0700):

What's the scope of this vulnerability?
This is a buffer overrun vulnerability. By sending a specially chosen request to an affected server, an attacker could either disrupt web services or gain the ability to run a program on the server. Such a program would run with full system privileges, and be capable of taking any action the attacker desired. The URLScan tool, when deployed with the default ruleset, would make it difficult to use the vulnerability to gain control of the server, and likely reduce it to a denial of service attack only.

What causes the vulnerability?
The vulnerability results because a function that supports user authentication in MCMS contains an unchecked buffer. By providing specially malformed authentication to a web page that calls the function, it could be possible to overrun the buffer. What do you mean by "a function that supports user authentication"? MCMS offers the ability to host web pages that can only be visited by certain users. For instance, a company might host a members-only web site, and require that authenticate before being given access to the site. MCMS supports a variety of authentication methods, including web sign-in pages, pop-up dialogues, and so forth. Some of these methods include their own capability to adjudicate a user's credentials; in other cases, a two-step process is used, wherein the site first gathers the user's credentials and then submits them to an MCMS system function for adjudication. The vulnerability here lies in one of the system functions.

What's wrong with the function?
The function contains an unchecked buffer. If a user's credentials exceeded a certain length, they would overrun the buffer.

What would the vulnerability enable an attacker to do?
An attacker who exploited this vulnerability could use it for either of two purposes.

  • Service disruption. By overrunning the buffer with random data, the attacker could corrupt program code and cause the MCMS authentication service to fail, thereby preventing legitimate users from accessing the web site.
  • Change the operation of the MCMS authentication service. By overrunning the buffer with carefully selected data, the attack could overwrite program code on the service with new program code, in essence modifying its functionality.

Who could exploit the vulnerability?
The vulnerability could be exploited by any user who was able to connect to an affected server and access a web page that not only collects authentication data and passes it to the affected system function, but also doesn't check the length of the inputs. That is, the web page would need to have the same flaw as the system function. This is less of a barrier than it might initially seem, though, as it's true of one of the web pages included with MCMS by default.

If the vulnerability were exploited to cause the MCMS Authentication service to fail, what would be needed to restore normal operation?
The administrator would just need to restart the service.

If the vulnerability were exploited to change the operation of the server software, what would the attacker be able to do?
The attacker could gain complete control over the server. The service within which the system function runs does so with LocalSystem privileges - that is, the privileges of the operating system itself.

Would the URLScan tool protect my system against this vulnerability?
It wouldn't offer total protection, but it would significantly reduce the scope of the vulnerability. By default, URLScan blocks all URLs that contain non-ASCII data. This would not prevent an attacker from causing the service to fail - overrunning the buffer with virtually any data would accomplish that goal. However, it would make it difficult to exploit the vulnerability to alter the operation of the server software, because the attacker would need to construct valid executable code using only ASCII data.

How does the patch eliminate the vulnerability?
The patch restores proper input checking to the system function. In addition, it institutes proper length checking in the web page that calls it.

Program Execution via MCMS Authoring Function (CAN-2002-0718):

What's the scope of this vulnerability?
This vulnerability could enable an attacker to load a program onto an affected web server and then execute it. Under default conditions, the program would have the same privileges as a user who could interactively log onto the server. While this would not give the attacker control over the server, it could serve as a beachhead from which the attack could try to gain additional privileges.

What causes the vulnerability?
The vulnerability results because of a pair of flaws in the way MCMS handles a particular type of web authoring command. One flaw makes it possible to spoof the command's authentication; the other makes it possible to upload executable content instead of the intended type of content.

What do you mean by web authoring?
One of the purposes of MCMS is to allow authorized users to upload new web pages that they've created. This process is known as web authoring. The user submits a command to the server, which then uploads the file to the server and makes it available for use by other users. In the case of this vulnerability, the web authoring command is one that's normally used to upload image files and other non-executable files to the server.

What's wrong with the function?
There are two problems. The first involves how MCMS authenticates the user levying the request. The function should identify the user, then confirm the user's permissions to allow him or her to post information to the server. However, a coding flaw causes MCMS to use the wrong identity when confirming the user's permission - one that always passes the test. As a result, any user submitting the request would be authenticated successfully. By itself, this flaw would not pose a security vulnerability. The function is designed to only allow certain types of files to be uploaded, and even then only to certain locations on the server - ones from which they can't be executed. However, a second flaw allows these restrictions to be bypassed.

What's the second flaw?
The second flaw involves the way the web authoring function uploads files. By design, a newly uploaded file is first moved to a temporary location. Almost immediately thereafter, it's stored permanently in a database on the server, and the temporary copy is deleted. The flaw could enable the person levying the web authoring request to change the temporary location to any desired folder on the server.

Why does the second flaw pose a security problem?
By using the second flaw, an attacker could change the temporary storage location. Under normal conditions, MCMS stores the file in a folder that doesn't allow users to execute it. However, an attacker who exploited the vulnerability could choose a different folder - one that did allow files within it to be executed. Even after exploiting the vulnerability, some timing would be required in order to actually execute the file - recall that the file only exists in the temporary location for a short time before it's deleted. Because of this, the attacker would need to upload the file, then time the attempt to execute it fairly precisely.

What would these flaws enable an attacker to do?
The two flaws, if exploited in combination, would let an attacker upload an executable file such as an .asp file and then immediately execute it.

Would the attacker's code run with full control over the system?
No. MCMS uses IIS 5.0 as its core web server engine. On IIS 5.0, asp files and other executables run out-of-process by default - that is, in the security context of a special user account called the Web Application Manager. (Web administrators may know this account better as IWAM_computername, where computername is the name of the server). This account has significantly fewer privileges than the IIS service itself, and does not have full control over the system.

What privileges does the Web Application Manager have?
Essentially, the account has the same privileges as those of an unprivileged user who was able to log onto the server interactively. It would not enable an attacker to take administrative action, reconfigure the server, or access important files such as the Security Account Manager database. Nevertheless, it is important not to underestimate the damage that could be caused using even these privileges. Even these privileges could be used to cause significant damage. Worse, the vulnerability could potentially give an attacker a beachhead from which to conduct additional attacks and try to obtain additional privileges.

Who could exploit the vulnerability?
Any user who could submit a web authoring request to an affected server could exploit the vulnerability. In most cases, this would mean that any user who had connectivity to the server could exploit the vulnerability.

What if web authoring were disabled on the server?
The vulnerability couldn't be exploited if web authoring were disabled. This can be done by using the MCMS Server Configuration Application (SCA), selecting the "Web" tab, pressing the "configure" button and setting "Without Authoring" to true.

How does the patch eliminate the vulnerability?
The patch causes MCMS to properly authenticate web authoring requests, and prevents users from being able to change the upload folder.

SQL Injection via MCMS Resource Request (CAN-2002-0719):

What's the scope of this vulnerability?
This vulnerability could enable an attacker to take action on the MCMS database, as well as potentially allowing the attacker to run operating system commands on it. Although the vulnerability would give the attacker complete control over the database, it would only provide limited privileges at the operating system level.

What causes the vulnerability?
The vulnerability results because a command used to request resources from an MCMS server is vulnerable to a SQL injection attack.

What's SQL Injection?
The easiest way to explain SQL Injection is via a scenario. Suppose a web site hosted an application for the purpose of allowing visitors to the site to search an online database for particular words. Further, suppose that the application operated by simply taking whatever input a user provided, inserting it into a database query, and running the query. In such a case, it could be possible for an attacker to provide SQL statements instead of text, with the result that when the web application ran its query, the attacker's commands would be executed as part of the query. Such a vulnerability is known as a SQL Injection vulnerability.

What part of MCMS contains the vulnerability?
The vulnerability lies in a part of MCMS that allows users and web pages to request resources such as image files from the server. Such files are stored within a database on the server, but the function used t retrieve them doesn't adequately validate input data before using it. The result is a SQL injection vulnerability.

What could an attacker do via the vulnerability?
By exploiting the SQL injection vulnerability, an attacker could, in essence, modify the database query that MCMS submits when it responds to a resource request. This would give the attacker the ability to add any desired SQL commands to it. This would give the attacker the ability to take any desired action on the database, including adding, changing or deleting data. But it would also give the attacker a way to run operating system commands as well. SQL commands exist that allow the caller, if sufficiently privileged, to pass commands to the operating system.

What could the attacker do by levying operating system commands?
Under default conditions, the attacker wouldn't gain significant privileges on the system. The commands would execute with the privileges of the SQL Server 2000 service. While SQL Server does have complete control over the database, it only has limited privileges by default at the operating system level. Specifically, it has only the privileges of a Domain User. These are roughly akin to the privileges of a user who could log onto the server at the keyboard.

Who could exploit the vulnerability?
By default, any user who could establish a connection with an affected system could levy the request and exploit the vulnerability.

How does the patch eliminate the vulnerability?
The patch eliminates the vulnerability by causing the affected function to validate the parameters in a resource request and strip out SQL commands if they are provided.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

This patch can be installed on systems running Microsoft Content Management Server 2001 Service Pack 1

Inclusion in future service packs:

The fix for this issue will be included in Microsoft Content Management Server 2001 Service Pack 2.

Reboot needed: No

Patch can be uninstalled: Yes

Superseded patches: None.

Verifying patch installation:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\MCMS 2001\Q326075

Caveats:

None

Localization:

Microsoft Content Management Server 2001 is English only, so localized patches are not required.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site

Other information:

Acknowledgments

Microsoft thanks  Joao Gouveia for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article Q326075 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (August 7, 2002): Bulletin Created.

Built at 2014-04-18T13:49:36Z-07:00