ms02-010

Posted Feb 22, 2002

Microsoft Security Advisory MS02-010 - By default, Commerce Server 2000 installs a .dll with an ISAPI filter that contains an unchecked buffer in a section of code that handles authentication requests. An attacker who provides authentication data that overruns the buffer can cause the Commerce Server process to fail, or run code in the security context of the Commerce Server process. The process runs with LocalSystem privileges, so exploiting the vulnerability would give the attacker complete control of the server. A Microsoft FAQ on this issue is available.

SHA-256 | 13acc758ec0aebe2aa7aa112e8ab8bc8d4512fc7efc589f1393909ea2d5dc852

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Unchecked Buffer in ISAPI Filter Could Allow Commerce
Server Compromise
Date: 21 February 2002
Software: Commerce Server 2000
Impact: Run code of attacker's choice.
Max Risk: Critical
Bulletin: MS02-010

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-010.asp.
- ----------------------------------------------------------------------

Issue:
======
By default, Commerce Server 2000 installs a .dll with an ISAPI
filter that allows the server to provide extended functionality in
response to events on the server. This filter, called AuthFilter,
provides support for a variety of authentication methods.
Commerce Server 2000 can also be configured to use other
authentication methods.

A security vulnerability results because AuthFilter contains an
unchecked buffer in a section of code that handles certain types
of authentication requests. An attacker who provided
authentication data that overran the buffer could cause the
Commerce Server process to fail, or could run code in the
security context of the Commerce Server process. The
process runs with LocalSystem privileges, so exploiting the
vulnerability would give the attacker complete control of
the server.

Mitigating Factors:
====================
- Although Commerce Server 2000 does rely on IIS for its base
web services, the AuthFilter ISAPI filter is only available
as part of Commerce Server. Customers using IIS are at no
risk from this vulnerability.

- The URLScan tool, if deployed using the default ruleset for
Commerce Server, would make it difficult if not impossible
for an attacker to exploit the vulnerability to run code,
by significantly limiting the types of data that could be
included in a URL. It would, however, still be possible
to conduct denial of service attacks.

- An attacker's ability to extend control from a compromised
web server to other machines would depend heavily on the
specific configuration of the network. Best practices recommend
that the network architecture account for the inherent high-risk
that machines in an uncontrolled environment, like the Internet,
face by minimizing overall exposure through measures like DMZs,
operating with minimal services and isolating contact with
internal networks. Steps like this can limit overall exposure
and impede an attacker's ability to broaden the scope of a
possible compromise.

- While the ISAPI filter is installed by default, it is not loaded
on any web site by default. It must be enabled through the
Commerce Server Administration Console in the Microsoft
Management Console (MMC).

Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms02-010.asp
for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
THE FOREGOING LIMITATION MAY NOT APPLY.

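The bulletin attributes the flaw to an unchecked buffer in code that handles authentication data. The following is an added illustration of the defensive pattern for that bug class, not code from AuthFilter or from Microsoft: the "user:password" layout, the 64-byte field limits and all names are assumptions, since the bulletin does not say which field overflowed.

```c
/* Added illustration: NOT AuthFilter's code. The "user:password" layout
 * and the field limits are assumed; the bulletin gives neither. */
#include <stddef.h>
#include <string.h>

#define MAX_USER 64
#define MAX_PASS 64

struct credentials {
    char user[MAX_USER + 1];   /* +1 for the terminating NUL */
    char pass[MAX_PASS + 1];
};

enum parse_result { PARSE_OK = 0, PARSE_MALFORMED = -1, PARSE_TOO_LONG = -2 };

/* The unchecked pattern behind this bug class, shown for contrast only:
 *     strcpy(out->user, input);   copies until NUL, ignoring the field size
 */

/* Parse len bytes of untrusted "user:password" data. Oversized or malformed
 * input is rejected outright instead of being truncated or copied blindly. */
enum parse_result parse_credentials(const char *input, size_t len,
                                    struct credentials *out)
{
    const char *sep;
    size_t user_len, pass_len;

    memset(out, 0, sizeof(*out));          /* every field starts NUL-filled */
    if (input == NULL || memchr(input, '\0', len) != NULL)
        return PARSE_MALFORMED;            /* embedded NUL would hide data */

    sep = memchr(input, ':', len);         /* bounded search, never past len */
    if (sep == NULL)
        return PARSE_MALFORMED;

    user_len = (size_t)(sep - input);
    pass_len = len - user_len - 1;
    if (user_len == 0)
        return PARSE_MALFORMED;
    if (user_len > MAX_USER || pass_len > MAX_PASS)
        return PARSE_TOO_LONG;             /* length check BEFORE any copy */

    memcpy(out->user, input, user_len);
    memcpy(out->pass, sep + 1, pass_len);
    return PARSE_OK;                       /* memset left both terminated */
}
```

Rejecting oversized input with a distinct error code, rather than truncating it, also gives the server a clean event to log when a request carries abnormally long authentication data.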
