Alert: Microsoft Security Bulletin - MS03-016

From: Russ (Russ.CooperRC.ON.CA)
Date: Wed Apr 30 2003 - 12:01:21 CDT


http://www.microsoft.com/technet/security/bulletin/MS03-016.asp

Cumulative Patch for BizTalk Server (815206)

Originally posted: April 30, 2003

Summary

Who should read this bulletin: Systems Administrators using Microsoft BizTalk 2000 Server and BizTalk 2002 Server

Impact of vulnerability: Two vulnerabilities, the most serious of which could allow an attacker to run code of their choice

Maximum Severity Rating: Important

Recommendation: Systems Administrators using Microsoft BizTalk should consider applying the patch.

Affected Software:
- Microsoft BizTalk Server 2000
- Microsoft BizTalk Server 2002

Technical description:

Microsoft BizTalk Server is an Enterprise Integration product that allows organizations to integrate applications, trading partners, and business processes. BizTalk is used in intranet environments to transfer business documents between different back-end systems as well as extranet environments to exchange structured messages with trading partners. This patch addresses two newly reported vulnerabilities in BizTalk Server.

The first vulnerability affects Microsoft BizTalk Server 2002 only. BizTalk Server 2002 provides the ability to exchange documents using the HTTP format. A buffer overrun exists in the component used to receive HTTP documents - the HTTP receiver - and could result in an attacker being able to execute code of their choice on the BizTalk Server.

The second vulnerability affects both Microsoft BizTalk Server 2000 and BizTalk Server 2002. BizTalk Server provides the ability for administrators to manage documents via a Document Tracking and Administration (DTA) web interface. A SQL injection vulnerability exists in some of the pages used by DTA that could allow an attacker to send a crafted URL query string to a legitimate DTA user. If that user were to then navigate to the URL sent by the attacker, he or she could execute a malicious embedded SQL statement in the query string.

Mitigating factors:

HTTP Receiver Buffer Overflow
- The HTTP Receiver is only present in Microsoft BizTalk Server 2002. BizTalk Server 2000 is not affected by this vulnerability.
- The HTTP receiver is not enabled by default. HTTP must be explicitly enabled as a receive transport during the setup of a BizTalk site.
- If the vulnerability were exploited to run arbitrary code, the code would run in the security context of the IIS Server. If the IIS Server is running under a user account, the attacker's permissions will be limited to those of this user account.

DTA SQL Injection
- DTA users by default are not highly privileged SQL users such as database owners, since they are only required to be members of the "BizTalk Server Report Users" security group in order to use the DTA web interface. In this case, a successful attacker's permissions on the SQL Server will be restricted.

Vulnerability identifiers:
- HTTP Receiver Buffer Overflow: CAN-2003-0117
- DTA SQL Injection: CAN-2003-0118

This email is sent to NTBugtraq automatically as a service to my subscribers. (v1.18)

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Have you discovered a security vulnerability related to Windows or a
commercial product which runs on Windows?

Need assistance crafting the format or translating your advisory to English?

Need to verify it, or having problems contacting the Vendor?

Contact mailto:AdvisoriesNTBugtraq.com

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
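The DTA SQL injection described in the bulletin is the classic pattern of a web page concatenating a URL query-string value straight into a SQL statement, so that a crafted link opened by a legitimate user runs SQL the page author never wrote. The following is an added illustration and is not code from the bulletin, from NTBugtraq or from BizTalk Server: the tracking table, the `doc_id` parameter, the URL paths and the identifier format are all constructed for the example, and SQLite stands in for SQL Server. It places the vulnerable lookup beside a hardened one that validates the identifier's shape and binds it as a parameter.

```python
"""Constructed example: query-string SQL injection in a document-tracking page and its fix."""
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a document-tracking store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (doc_id TEXT PRIMARY KEY, partner TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO documents VALUES (?, ?, ?)",
        [
            ("PO-1001", "Contoso", "Received"),
            ("PO-1002", "Fabrikam", "Failed"),
            ("INV-7", "Northwind", "Received"),
        ],
    )
    return conn


def doc_id_from_url(url: str) -> str:
    """Extract the (hypothetical) doc_id query parameter the way a web page would.

    parse_qs percent-decodes the value, so whatever the link carried arrives verbatim.
    """
    params = parse_qs(urlsplit(url).query)
    return params.get("doc_id", [""])[0]


def lookup_vulnerable(conn: sqlite3.Connection, url: str) -> list:
    """Flawed pattern: untrusted query-string text is spliced into the SQL statement.

    A value containing a quote and a tautology changes the WHERE clause, so the page
    returns rows the caller was never meant to see.
    """
    doc_id = doc_id_from_url(url)
    sql = (
        "SELECT doc_id, partner, status FROM documents WHERE doc_id = '"
        + doc_id
        + "'"
    )
    return conn.execute(sql).fetchall()


# Constructed identifier format: two to four capitals, a dash, then digits.
DOC_ID_PATTERN = re.compile(r"^[A-Z]{2,4}-\d{1,10}$")


def lookup_hardened(conn: sqlite3.Connection, url: str) -> list:
    """Fixed pattern: reject anything that is not an identifier, then bind it as data.

    With a bound parameter the driver never parses doc_id as SQL, so even if the
    allow-list were loosened later the statement's structure could not be altered.
    """
    doc_id = doc_id_from_url(url)
    if not DOC_ID_PATTERN.fullmatch(doc_id):
        raise ValueError("rejected malformed doc_id in query string")
    return conn.execute(
        "SELECT doc_id, partner, status FROM documents WHERE doc_id = ?",
        (doc_id,),
    ).fetchall()


# Constructed sample links: a legitimate one and one carrying an embedded SQL fragment.
BENIGN_URL = "http://tracking.example.invalid/dta/document?doc_id=PO-1001"
CRAFTED_URL = (
    "http://tracking.example.invalid/dta/document"
    "?doc_id=PO-1001%27%20OR%20%271%27%3D%271"
)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, benign :", lookup_vulnerable(db, BENIGN_URL))
    print("vulnerable, crafted:", lookup_vulnerable(db, CRAFTED_URL))
    print("hardened, benign   :", lookup_hardened(db, BENIGN_URL))
    try:
        lookup_hardened(db, CRAFTED_URL)
    except ValueError as exc:
        print("hardened, crafted  : rejected ->", exc)
```

The parameter binding is the fix; the regular expression is defence in depth that also gives a clean place to log rejected requests. The bulletin's mitigating factor for this issue, that DTA users are ordinarily only members of a report-users group rather than database owners, is the third layer: when a page like the vulnerable one does slip through, the statement still runs only with the rights of the account the page uses, so keeping that account to read-only reporting privileges bounds what an injected statement can do.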