Microsoft Security Bulletin MS03-016: Cumulative Patch for BizTalk Server (815206)

2003-05-03T00:00:00
ID SECURITYVULNS:DOC:4471
Type securityvulns
Reporter Securityvulns
Modified 2003-05-03T00:00:00

Description


Title: Cumulative Patch for BizTalk Server (815206)
Date: 30 April 2003
Software: Microsoft BizTalk Server 2000 & BizTalk Server 2002
Impact: Two vulnerabilities, the most serious of which could allow an attacker to run code of their choice
Max Risk: Important
Bulletin: MS03-016

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-016.asp
http://www.microsoft.com/security/security_bulletins/ms03-016.asp


Issue:

Microsoft BizTalk Server is an Enterprise Integration product that allows organizations to integrate applications, trading partners, and business processes. BizTalk is used in intranet environments to transfer business documents between different back-end systems as well as extranet environments to exchange structured messages with trading partners. This patch addresses two newly reported vulnerabilities in BizTalk Server.

The first vulnerability affects Microsoft BizTalk Server 2002 only. BizTalk Server 2002 provides the ability to exchange documents using the HTTP format. A buffer overrun exists in the component used to receive HTTP documents - the HTTP receiver - and could result in an attacker being able to execute code of their choice on the BizTalk Server.

The second vulnerability affects both Microsoft BizTalk Server 2000 and BizTalk Server 2002. BizTalk Server provides the ability for administrators to manage documents via a Document Tracking and Administration (DTA) web interface. A SQL injection vulnerability exists in some of the pages used by DTA that could allow an attacker to send a crafted URL query string to a legitimate DTA user. If that user were to then navigate to the URL sent by the attacker, he or she could execute a malicious embedded SQL statement in the query string.
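A log-triage sketch for the DTA issue described above, added here as an example and not part of the bulletin or of any Microsoft tooling: it scans IIS W3C extended log lines for requests to the DTA pages whose decoded query string contains SQL syntax. The `DTA_PREFIX` path, the page names, and the sample log lines are constructed assumptions; the bulletin does not name the affected pages.

```python
import re
from urllib.parse import unquote_plus

# Assumption: placeholder for the virtual directory serving the DTA pages;
# the bulletin does not name it, so set it to match your own deployment.
DTA_PREFIX = "/dta-placeholder/"

# SQL syntax that should not appear in a document-tracking query string.
SQL_TOKENS = re.compile(
    r"'|--|;|/\*|\b(?:union|select|insert|update|delete|drop|exec(?:ute)?|xp_\w+|sp_\w+)\b",
    re.IGNORECASE)

# Constructed sample input in IIS W3C extended format (not real traffic).
SAMPLE_LOG = r"""#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2003-05-02 09:14:03 10.0.0.21 alice GET /dta-placeholder/results.asp docid=1042 200 -
2003-05-02 09:15:40 10.0.0.21 alice GET /dta-placeholder/results.asp docid=1042%27%3B+EXEC+sp_placeholder-- 200 http://mail.example/inbox
2003-05-02 09:16:02 10.0.0.35 bob GET /other/app.asp q=select+a+plan 200 -
2003-05-02 09:17:11 10.0.0.35 bob GET /dta-placeholder/search.asp name=order%2527%2520UNION%2520SELECT%25201 200 -
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.strip() and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def suspicious_dta_requests(lines, prefix=DTA_PREFIX):
    """Return DTA requests whose decoded query string contains SQL syntax."""
    hits = []
    for rec in parse_w3c(lines):
        query = rec.get("cs-uri-query", "-")
        if query == "-" or not rec.get("cs-uri-stem", "").lower().startswith(prefix):
            continue
        decoded = unquote_plus(unquote_plus(query))  # twice: catches double encoding
        tokens = sorted({m.group(0).lower() for m in SQL_TOKENS.finditer(decoded)})
        if tokens:
            # The user clicks the link, so c-ip and cs-username identify the
            # targeted DTA user; the Referer may show where the link came from.
            hits.append({"user": rec.get("cs-username"), "ip": rec.get("c-ip"),
                         "referer": rec.get("cs(Referer)"), "query": decoded,
                         "tokens": tokens})
    return hits

if __name__ == "__main__":
    print(*suspicious_dta_requests(SAMPLE_LOG), sep="\n")
```

The token list is a triage heuristic: a hit marks a request for review, and ordinary words such as "select" in a search term will also match.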

Mitigating Factors:

HTTP Receiver Buffer Overflow

  • The HTTP Receiver is only present in Microsoft BizTalk Server 2002. BizTalk Server 2000 is not affected by this vulnerability.

  • The HTTP receiver is not enabled by default. HTTP must be explicitly enabled as a receive transport during the setup of a BizTalk site.

  • If the vulnerability was exploited to run arbitrary code, the code would run in the security context of the IIS Server. If the IIS Server is running under a user account, the attacker's permissions will be limited to those of this user account.

DTA SQL Injection

  • DTA users by default are not highly privileged SQL users such as database owners, since they are only required to be members of the "BizTalk Server Report Users" security group in order to use the DTA web interface. In this case, a successful attacker's permissions on the SQL Server will be restricted.

Risk Rating:

Important

Patch Availability:

  • A patch is available to fix this vulnerability. Please read the Security Bulletins at
    http://www.microsoft.com/technet/security/bulletin/ms03-016.asp
    http://www.microsoft.com/security/security_bulletins/ms03-016.asp
    for information on obtaining this patch.

Acknowledgment:

  • Microsoft thanks Cesar Cerrudo for reporting this issue to us and working with us to protect customers.

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

