Reported June 26, 2002, by Microsoft.
· Microsoft Commerce Server 2002 and 2000
Multiple vulnerabilities exist in Commerce Server 2002 and 2000, each of which can let an attacker run code of the attacker's choice. The vulnerabilities include:
· A vulnerability resulting from an unchecked buffer in a section of code in the Profile Service that handles certain types of API calls. With the Profile Service, users can manage their own profile information and research the status of their orders. An attacker who provides specially malformed data to certain calls that the Profile Service exposes can cause the Commerce Server process to fail or run code in the LocalSystem security context. This vulnerability affects only Commerce Server 2000.
· A buffer overrun vulnerability in the Office Web Components package that the Commerce Server installer uses. An attacker who provides specially malformed data as input to the Office Web Components package installer can cause the process to fail or can run code in the LocalSystem security context. This vulnerability affects only Commerce Server 2000.
· A vulnerability in the Office Web Components package installer that Commerce Server uses. An attacker who invokes the Office Web Components package installer in a particular manner can run commands on the Commerce Server according to the privileges associated with the attacker's logon credentials. This vulnerability affects only Commerce Server 2000.
· A new variant of the Internet Service API (ISAPI) Filter vulnerability discussed in Microsoft Security Bulletin MS02-010 (Unchecked Buffer in ISAPI Filter Could Allow Commerce Server Compromise). This vulnerability stems from an unchecked buffer in authfilter.dll, which is not enabled by default. This variant affects both Commerce Server 2002 and 2000.
The vendor, Microsoft, has released Security Bulletin MS02-033 (Unchecked Buffer in Profile Service Could Allow Code Execution in Commerce Server) to address these vulnerabilities and recommends that affected users download and apply the appropriate patch mentioned in the bulletin. These patches are cumulative and address all previously discovered vulnerabilities in the affected product.
Discovered by Mark Litchfield of Next Generation Security Software.