Microsoft Security Bulletin MS02-010 - Critical
Unchecked Buffer in ISAPI Filter Could Allow Commerce Server Compromise
Published: February 21, 2002 | Updated: May 09, 2003
Originally posted: February 21, 2002
Updated: May 09, 2003
Who should read this bulletin:
System administrators using Microsoft® Commerce Server 2000
Impact of vulnerability:
Run code of attacker's choice.
Maximum Severity Rating:
System administrators should install the patch immediately.
- Microsoft Commerce Server 2000
By default, Commerce Server 2000 installs a .dll with an ISAPI filter that allows the server to provide extended functionality in response to events on the server. This filter, called AuthFilter, provides support for a variety of authentication methods. Commerce Server 2000 can also be configured to use other authentication methods.
A security vulnerability results because AuthFilter contains an unchecked buffer in a section of code that handles certain types of authentication requests. An attacker who provided authentication data that overran the buffer could cause the Commerce Server process to fail, or could run code in the security context of the Commerce Server process. The process runs with LocalSystem privileges, so exploiting the vulnerability would give the attacker complete control of the server.
- Although Commerce Server 2000 does rely on IIS for its base web services, the AuthFilter ISAPI filter is only available as part of Commerce Server. Customers using IIS are at no risk from this vulnerability.
- The URLScan tool, if deployed using the default ruleset for Commerce Server, would make it difficult if not impossible for an attacker to exploit the vulnerability to run code, by significantly limiting the types of data that could be included in an URL. It would, however, still be possible to conduct denial of service attacks.
- An attacker's ability to extend control from a compromised web server to other machines would depend heavily on the specific configuration of the network. Best practices recommend that the network architecture account for the inherent high-risk that machines in an uncontrolled environment, like the Internet, face by minimizing overall exposure though measures like DMZ's, operating with minimal services and isolating contact with internal networks. Steps like this can limit overall exposure and impede an attacker's ability to broaden the scope of a possible compromise.
- While the ISAPI filter is installed by default, it is not loaded on any web site by default. It must be enabled through the Commerce Server Administration Console in the Microsoft Management Console (MMC).
|Internet Servers||Intranet Servers||Client Systems|
|Microsoft Commerce Server 2000||Critical||Critical||None|
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. The criticality is reckoned due to the possibility of remotely running code in the security context of the operating system.
Vulnerability identifier: CAN-2002-0050
Microsoft tested Commerce Server 2000, Site Server 3.0, and Site Server 3.0 Commerce Edition to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
What's the scope of the vulnerability?
An attacker who successfully exploited this vulnerability could gain complete control over an affected commerce web server. This would give the attacker the ability to take any desired action on the server, including changing web pages, reformatting the hard drive or adding new users to the local administrators group.
The vulnerability only affects web sites that use Microsoft Commerce Server; those using IIS are not at risk. Also, if a recommended tool has been applied to the server, the seriousness of the vulnerability would be significantly reduced. Specifically, if the URLScan tool were in use, the vulnerability could only be used to cause the service to fail, after which point it would automatically restart itself. The URLScan tool is not installed by default.
What causes the vulnerability?
The vulnerability results because an ISAPI filter that supports user authentication on Commerce Server 2000 contains an unchecked buffer. By providing specially malformed authentication information, an attacker could create a buffer overrun condition.
What's Microsoft Commerce Server?
Commerce Server is a web server product that's tailored for building e-commerce sites. It provides tools and features that simplify developing and deploying e-commerce solutions, and also provides tools that let the site administrator analyze the usage of the site.
Is Commerce Server different from Internet Information Server?
Yes. Commerce Server uses Internet Information Service (IIS) to provide basic web server capabilities, but also includes additional features and functions. Of particular importance in this case is the fact that the vulnerability lies within a component that ships as part of Commerce Server 2000 but not IIS. Because of this, IIS servers are at no risk from this vulnerability.
What's an ISAPI filter?
ISAPI (Internet Services Application Programming Interface) is a technology that enables developers to extend the functionality provided by a web server. An ISAPI filter is a dynamic link library (.dll) that uses ISAPI to respond to events that occur on the server.
What's the ISAPI filter associated with this vulnerability?
The vulnerability lies within the AuthFilter ISAPI filter. AuthFilter provides support for a variety of authentication methods. The vulnerability results because the code that processes the authentication data in several of these methods contains an unchecked buffer.
What would this vulnerability enable an attacker to do?
The vulnerability could enable an attacker, by providing data that overruns the buffer in AuthFilter, to overwrite memory within the Commerce Server process itself.
What would this enable an attacker to do?
Depending on the specific data the attacker chose, either of two effects could occur:
- If the data were randomly selected, the Commerce Server process would fail.
- If the data were carefully selected, it could be possible for the attacker to alter the Commerce Server software while it was running.
If the attacker provided random data, what would be required in order to restore normal operation?
Nothing. The Commerce Server process would automatically restart itself. However, any user sessions that were in process at the time of the attack could be lost.
If the attacker provided carefully selected data and altered the Commerce Server process, what could the modified process do?
The modified process would be able to take any action the attacker directed it to. The Commerce Server process runs with LocalSystem privileges, so the attacker could gain complete control over the server and taken any desired action on it.
Could this vulnerability be exploited by accident?
No. Authentication data for web sites is almost always submitted via a web form which, if properly implemented, would filter data like that used to exploit the vulnerability. (The sample web forms that ship with Commerce Server 2000 show how this should be done). The vulnerability could only be exploited by an attacker who sent malformed authentication data directly to the server, bypassing any web forms.
Is AuthFilter installed by default?
Yes. This is an appropriate default setting, because e-commerce sites virtually always require authentication support.
Commerce Server 2000 can also be configured to use other authentication methods. If another authentication method is used, then the system is not affected by this vulnerability.
I've installed the URLScan tool on my server. Will it prevent attacks via this vulnerability?
By default, URLScan would prevent an attacker from using the vulnerability to gain control over the server. This is because the default ruleset for Commerce Server outlaws certain types of data, without which it wouldn't be possible to modify the Commerce Server process to take meaningful action. On the other hand, even with URLScan installed, an attacker could still cause the Commerce Server process to fail. As a result, even customers who are using URLScan should install the patch.
How was this vulnerability discovered?
Microsoft discovered the vulnerability internally, as part of a security code review.
I heard that some sites already have the patch installed. Is this correct?
Yes. Microsoft contacted a small number of customers whose sites were at particular risk from this vulnerability and provided them with the patch, in order to give them an opportunity to secure their systems before the bulletin was released.
I'm running Site Server 3.0 Commerce Edition. Could I be affected by the vulnerability?
No. Site Server 3.0 and Site Server 3.0 Commerce Edition, the predecessor product to Commerce Server 2000, are not affected by the vulnerability.
What does the patch do?
The patch eliminates the vulnerability by instituting proper buffer handling within the AuthFilter ISAPI filter.
Download locations for this patch
- Microsoft Commerce Server 2000
Additional information about this patch
This patch can be installed on systems running Commerce Server 2000 Service Pack 2
Inclusion in future service packs:
The fix for this issue will be included in Commerce Server 2000 Service Pack 3.
Reboot needed: Yes
Superseded patches: None.
Verifying patch installation:
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Commerce Server 2000\SP3\Q317615.
- To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Commerce Server 2000\SP3\Q317615\Filelist
Localized versions of this patch are available at the locations discussed in "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Microsoft Knowledge Base article Q317615 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (February 21, 2002): Bulletin Created.
- V1.1 (February 28, 2003): Updated links in Frequently Asked Questions section.
- V1.2 (May 09, 2003): Updated download links to Windows Update.
Built at 2014-04-18T13:49:36Z-07:00