Microsoft Commerce Server 2000 & Commerce Server 2002

July 3rd, 2002

NGSSoftware Insight Security Research Advisory

Name:    Microsoft Commerce Server 2000 & Commerce Server 2002

Systems Affected:  WinNT, Win2K, XP

Severity:  High Risk

Category:               Buffer Overrun & Command Execution

Vendor URL:   http://www.microsoft.com/

Authors:  Mark Litchfield (mark@ngssoftware.com) & David Litchfield (david@ngssoftware.com)

Advisory URL: http://www.ngssoftware.com/advisories/ms-comsrvr.txt

Date:   3rd July 2002

Advisory number: #NISR03062002

VNA Reference:  http://www.ngssoftware.com/vna/ms-comsrvr.txt

Description
***********

Microsoft’s Commerce Server 2000 and 2002 are web server products for
building e-commerce sites. These products provide tools and features that
simplify the development and deployment of e-commerce solutions and the
analysis of site usage and performance. There are several remotely exploitable
buffer overruns in Commerce Server in disparate locations and a CGI
executable that allows the execution of arbitrary commands.

Details
*******

The Profile Service of Microsoft Commerce Server 2000 allows remote
attackers to cause the server to fail or run arbitrary attacker-supplied
code in the security context of the Local SYSTEM account. Several areas in
this service contain vulnerable code.

The Office Web Components (OWC) package installer used by Microsoft Commerce
Server 2000 allows remote attackers to cause the process to run arbitrary
code in the LocalSystem security context via input to the OWC package
installer. By default users have to authenticate to access this executable,
so the risk posed is less severe in nature.

Again, the Office Web Components (OWC) package installer for Microsoft
Commerce Server 2000 allows remote attackers to execute commands by passing
the commands as input to the OWC package installer with a ‘/C’ option.

Fix Information
***************

NGSSoftware alerted Microsoft to these problems on the 6th March 2002. The
patches are available from:

Microsoft Commerce Server 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39591

Microsoft Commerce Server 2002:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=39550

A check for these issues has been added to Typhon II, of which more
information is available from the NGSSite, http://www.ngssoftware.com.

Further Information
*******************

For further information about the scope and effects of buffer overflows,
please see:

http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf
http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
