COMMAND

Microsoft Commerce Server remote buffer overflow

SYSTEMS AFFECTED

Microsoft Commerce Server 2000 & Commerce Server 2002

PROBLEM

In the NGSS advisory [#NISR03062002] by Mark Litchfield [mark@ngssoftware.com] & David Litchfield [david@ngssoftware.com] [http://www.ngssoftware.com/advisories/ms-comsrvr.txt]:

--snapp--

The Profile Service of Microsoft Commerce Server 2000 allows remote attackers to cause the server to fail or run arbitrary attacker-supplied code in the security context of the Local SYSTEM account. Several areas in this service contain vulnerable code.

The Office Web Components (OWC) package installer used by Microsoft Commerce Server 2000 allows remote attackers to cause the process to run arbitrary code in the LocalSystem security context via input to the OWC package installer. By default users have to authenticate to access this executable so the risk posed is less severe in nature.

Again, the Office Web Components (OWC) package installer for Microsoft Commerce Server 2000 allows remote attackers to execute commands by passing the commands as input to the OWC package installer with a '/C' option.

--snapp--

SOLUTION

The patches are available from:

Microsoft Commerce Server 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39591

Microsoft Commerce Server 2002:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39550

Good reading on the matter:

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf