Microsoft Biztalk Server ISAPI HTTP Receive function buffer overflow

Security Advisory

Name: Microsoft Biztalk Server ISAPI HTTP Receive function buffer overflow
System Affected : Microsoft BizTalk Server 2002 Severity : High
Remote exploitable : Yes
Author: Cesar Cerrudo.
Date: 05/05/03
Advisory Number: CC040301

Legal Notice:

This Advisory is Copyright (c) 2003 Cesar Cerrudo. You may distribute it unmodified and for free. You may NOT modify it and distribute it or distribute parts of it without the author's written permission. You may NOT use it for commercial intentions (this means include it in vulnerabilities databases, vulnerabilities scanners, any paid service, etc.) without the author's written permission. You are free to use Microsoft bulletin's details for commercial intentions.

Disclaimer:

The information in this advisory is believed to be true though it may be false.
The opinions expressed in this advisory are my own and not of any company. The usual standard disclaimer applies, especially the fact that Cesar Cerrudo is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory. Cesar Cerrudo bears no responsibility for content or misuse of this advisory or any derivatives thereof.

Overview:

Microsoft Biztalk Server is a Microsoft product for business-process automation
and application-integration both within and between businesses. BizTalk Server
provides a powerful Web-based development and execution environment that integrates
loosely coupled, long-running business processes, both within and between companies.
BizTalk Server features include integration among existing applications; the definition
of document specifications and specification transformations; and the monitoring and logging of run-time activity. The server provides a standard gateway for sending and
receiving documents across the Internet, as well as providing a range of services that
ensure data integrity, delivery, security, and support for the BizTalk Framework and
other key document formats.
BizTalk Server 2002 provides the ability to exchange documents using the HTTP format.
A buffer overflow exists in the component used to receive HTTP documents - the HTTP
receiver - and could result in an attacker being able to execute code of their choice
on the BizTalk Server.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Details:

An HTTP receive function is an Internet Server Application Programming Interface
(ISAPI) extension that provides an "out-of-the-box"
utility for immediately receiving
documents over Hypertext Transfer Protocol (HTTP). The ISAPI is named BizTalkHTTPReceive.dll.
By submiting a HTTP request with an overly long string as query string parameter a
buffer overflow ocurrs:

POST /Site/biztalkhttpreceive.dll?XXXX...(more than 250 chars) HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Host: servername
Content-Length: <Data submited length>
Proxy-Connection: Keep-Alive
Pragma: no-cache

<...Data submited...>

This vulnerability can be directly exploited by an attacker if he has enough permissions
(this will depends on web server configuration), if
the attacker hasn't enough permissions
he can exploit it through XSS or sending an administrator an HTML e-mail, etc. targeting the vulnerable server.
Depending on the Windows user account configured to run COM+ Applications under for the
vulnerable site (the user account configured always must have access to BizTalk Messaging
Management database and the COM+ packages BizTalk Server Interchange Application and BizTalk Server Internal Utility), explotation of this vulnerability will allow an attacker to complete compromise OS and/or Biztalk Server files and databases.

Workaround:

Remove BizTalkHTTPReceive.dll ISAPI if you are using HTTP receive function and use another
receive functions like Message Queuing receive function or file receive function.

Vendor Status :

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Microsoft was contacted on 02/14/03, we work together and Microsoft released a fix.

Patch Available :

http://www.microsoft.com/technet/security/bulletin/MS03-016.asp

NEW SECURITY LIST!!!: For people interested in SQL Server security, vulnerabilities, SQL injection, etc., I'm starting a new mailing list.
People subscribed to the list received this advisory five days ago!!.
Join at:

sqlserversecurity-subscribe@yahoogroups.com http://groups.yahoo.com/group/sqlserversecurity/