Microsoft Commerce Server 2000 Unchecked Buffer in AuthFilter

Risk
High

Date Discovered
02-21-2002

Description
Microsoft Commerce Server 2000 contains a buffer overflow vulnerability in the code that handles certain authentication requests. By exploiting this vulnerability, a remote intruder could potentially run arbitrary code with System privileges on the server and gain complete control over the targeted system. Microsoft Commerce Server 2000 enables business developers to rapidly build scalable, user-centric, business-to-consumer and business-to-business e-commerce sites. It interacts with many third-party applications to provide credit card validation and customer service support, among other features.

By default, Microsoft Commerce Server 2000 installs a DLL containing an ISAPI filter called AuthFilter. The filter provides extended event response functionality on the server with a variety of authentication methods. The overflow condition exists because AuthFilter contains an unchecked buffer in a section of code that handles certain types of authentication requests. A remote attacker who sends malformed authentication data can overrun the buffer and cause the Commerce Server process to fail. If the data is carefully crafted, the remote attacker may be able to run arbitrary code in the security context of the Commerce Server process. Because this process runs with LocalSystem privileges, a successful exploit of the vulnerability would give the attacker complete administrative control over the server and all its capabilities. According to Microsoft, the following mitigating factors lessen the impact of this vulnerability:

  1. Although Commerce Server 2000 relies on IIS for its base Web services, the AuthFilter ISAPI filter is available only as part of Commerce Server. Customers using IIS only are at no risk from this vulnerability. 

  2. The URLScan tool, if deployed using the default ruleset for Commerce Server, would make it difficult for an attacker to exploit the vulnerability and run code, because it significantly limits the types of data that can be included in a URL. It would, however, still be possible to conduct denial of service (DoS) attacks.

  3. An attacker's ability to extend control from a compromised Web server to other machines is heavily dependent on the specific configuration of the network. 

  4. Although the AuthFilter ISAPI filter is installed by default, it is not loaded by default on the Web site. AuthFilter must be enabled through the Commerce Server Administration Console in the Microsoft Management Console (MMC).

Platforms Affected
Windows

Components Affected
Microsoft Commerce Server 2000

Recommendations

Microsoft Commerce Server 2000 Patch Q317615
This patch can be installed on systems running Commerce Server 2000 Service Pack 2 and will be included in Commerce Server 2000 Service Pack 3. 

To verify that the patch has been installed on the machine: 

  1. Confirm that the following registry key has been created on the machine:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Commerce Server 2000\SP3\Q317615.

  2. To verify the individual files, use the date/time and version information provided in the following registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Commerce Server 2000\SP3\Q317615\Filelist
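The two verification steps above can be scripted. The following PowerShell is an added example, not part of the Symantec or Microsoft advisory; it assumes the Filelist key stores its per-file date/time and version data either as values directly under the key or as one subkey per file (the advisory does not state the layout), so it reads and reports both.

```powershell
# Added example (not from the advisory): check the Q317615 marker key from step 1
# and dump the Filelist data from step 2 for comparison against the patched files.
function Test-Q317615Patch {
    $patchKey = 'HKLM:\SOFTWARE\Microsoft\Updates\Commerce Server 2000\SP3\Q317615'
    $fileListKey = Join-Path $patchKey 'Filelist'

    $result = [PSCustomObject]@{
        PatchKey  = $patchKey
        Installed = Test-Path -LiteralPath $patchKey   # step 1: marker key present?
        Files     = @()
    }
    if (-not $result.Installed) { return $result }

    if (Test-Path -LiteralPath $fileListKey) {
        # Assumption: Filelist holds either values directly under the key or one
        # subkey per patched file; the advisory does not specify, so read both.
        $entries = @()
        $direct = Get-ItemProperty -LiteralPath $fileListKey
        foreach ($p in $direct.PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {   # skip the provider's PS* bookkeeping properties
                $entries += [PSCustomObject]@{ Entry = $p.Name; Value = "$($p.Value)" }
            }
        }
        foreach ($sub in Get-ChildItem -LiteralPath $fileListKey) {
            $props = Get-ItemProperty -LiteralPath $sub.PSPath
            $pairs = $props.PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { "$($_.Name)=$($_.Value)" }
            $entries += [PSCustomObject]@{ Entry = $sub.PSChildName; Value = ($pairs -join '; ') }
        }
        $result.Files = $entries
    }
    return $result
}

$status = Test-Q317615Patch
if ($status.Installed) {
    Write-Output "Q317615 marker key present: $($status.PatchKey)"
    $status.Files | Format-Table -AutoSize
} else {
    Write-Output "Q317615 NOT installed: $($status.PatchKey) is missing"
    exit 1
}
```

A missing marker key exits non-zero, so the script can be dropped into a fleet inventory job; the Filelist dump is what you compare against the on-disk file versions.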

References
Source: CVE CAN-2002-0050 (Mitre)

Source: Microsoft MS02-010 (TechNet)

Source: SecurityFocus.com, Microsoft Commerce Server 2000 ISAPI Buffer Overflow Vulnerability, BID 4157 (SecurityFocus Vulnerability Database)


Copyright (c) 2009 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.