Security Advisory

Name:  Microsoft Biztalk Server ISAPI HTTP Receive
function buffer overflow
System Affected :  Microsoft BizTalk Server 2002
Severity :  High 
Remote exploitable : Yes
Author:    Cesar Cerrudo.
Date:    05/05/03
Advisory Number:    CC040301


Legal Notice:

This Advisory is Copyright (c) 2003 Cesar Cerrudo.
You may distribute it unmodified and for free. You may
NOT modify it and distribute it or distribute parts of
it without the author's written permission. You may
NOT use it for commercial intentions (this means
include it in vulnerabilities databases,
vulnerabilities scanners, any paid service, etc.)
without the author's written permission. You are free
to use Microsoft bulletin's details for commercial
intentions.


Disclaimer:

The information in this advisory is believed to be
true though it may be false.
The opinions expressed in this advisory are my own and
not of any company. The usual standard disclaimer
applies, especially the fact that Cesar Cerrudo is not
liable for any damages caused by direct or indirect
use of the information or functionality provided by
this advisory. Cesar Cerrudo bears no responsibility
for content or misuse of this advisory or any
derivatives thereof.


Overview:

Microsoft Biztalk Server is a Microsoft product for
business-process automation 
and application-integration both within and between
businesses. BizTalk Server  
provides a powerful Web-based development and
execution environment that integrates 
loosely coupled, long-running business processes, both
within and between companies. 
BizTalk Server features include integration among
existing applications; the definition
of document specifications and specification
transformations; and the monitoring and 
logging of run-time activity. The server provides a
standard gateway for sending and 
receiving documents across the Internet, as well as
providing a range of services that 
ensure data integrity, delivery, security, and support
for the BizTalk Framework and 
other key document formats.
BizTalk Server 2002 provides the ability to exchange
documents using the HTTP format. 
A buffer overflow exists in the component used to
receive HTTP documents - the HTTP 
receiver - and could result in an attacker being able
to execute code of their choice 
on the BizTalk Server.


Details:

An HTTP receive function is an Internet Server
Application Programming Interface 
(ISAPI) extension that provides an "out-of-the-box"
utility for immediately receiving 
documents over Hypertext Transfer Protocol (HTTP). The
ISAPI is named BizTalkHTTPReceive.dll.
By submiting a HTTP request with an overly long string
as query string parameter a 
buffer overflow ocurrs:

POST /Site/biztalkhttpreceive.dll?XXXX...(more than
250 chars) HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows
NT 5.0; .NET CLR 1.0.3705)
Host: servername
Content-Length: <Data submited length>
Proxy-Connection: Keep-Alive
Pragma: no-cache

<...Data submited...>


This vulnerability can be directly exploited by an
attacker if he has enough permissions 
(this will depends on web server configuration), if
the attacker hasn't enough permissions 
he can exploit it through XSS or sending an
administrator an HTML e-mail, etc. targeting 
the vulnerable server. 
Depending on the Windows user account configured to
run COM+ Applications under for the 
vulnerable site (the user account configured always
must have access to BizTalk Messaging 
Management database and the COM+ packages BizTalk
Server Interchange Application and BizTalk 
Server Internal Utility), explotation of this
vulnerability will allow an attacker to complete 
compromise OS and/or Biztalk Server files and
databases.



Workaround:

Remove BizTalkHTTPReceive.dll ISAPI if you are using
HTTP receive function and use another 
receive functions like Message Queuing receive
function or file receive function.


Vendor Status :

Microsoft was contacted on 02/14/03, we work together
and Microsoft released a fix.


Patch Available : 

http://www.microsoft.com/technet/security/bulletin/MS03-016.asp

NEW SECURITY LIST!!!: For people interested in SQL
Server security, vulnerabilities, SQL injection, etc.,
I'm starting a new mailing list.
People subscribed to the list received this advisory
five days ago!!.
Join at:

sqlserversecurity-subscribe@yahoogroups.com
http://groups.yahoo.com/group/sqlserversecurity/



__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com