Microsoft Biztalk Server documentation and repository sites weak permissions

[Cesar <cesarc56 () yahoo com>]

Security Advisory

Name:  Microsoft Biztalk Server documentation and
repository sites weak permissions.
System Affected :  Microsoft Biztalk Server 2000 and
Microsoft Biztalk Server 2002. 
Severity :  Medium 
Remote exploitable : Yes
Author:    Cesar Cerrudo.
Date:    09/18/03
Advisory Number:    CC090308


Legal Notice:

This Advisory is Copyright (c) 2003 Cesar Cerrudo.
You may distribute it unmodified and for free. You may
NOT modify it and distribute it or distribute 
parts of it without the author's written permission.
You may NOT use it for commercial intentions 
(this means include it in vulnerabilities databases,
vulnerabilities scanners, any paid service, 
etc.) without the author's written permission. You are
free to use Microsoft details 
for commercial intentions.


Disclaimer:

The information in this advisory is believed to be
true though it may be false.
The opinions expressed in this advisory are my own and
not of any company. The usual standard 
disclaimer applies, especially the fact that Cesar
Cerrudo is not liable for any damages caused 
by direct or indirect use of the information or
functionality provided by this advisory. 
Cesar Cerrudo bears no responsibility for content or
misuse of this advisory or any derivatives thereof.



Overview:

Microsoft Biztalk Server is a Microsoft product for
business-process automation 
and application-integration both within and between
businesses. BizTalk Server  
provides a powerful Web-based development and
execution environment that integrates 
loosely coupled, long-running business processes, both
within and between companies. 
BizTalk Server features include integration among
existing applications; the definition
of document specifications and specification
transformations; and the monitoring and 
logging of run-time activity. The server provides a
standard gateway for sending and 
receiving documents across the Internet, as well as
providing a range of services that 
ensure data integrity, delivery, security, and support
for the BizTalk Framework and 
other key document formats. When installed some IIS
virtual directories  are created 
with weak permissions.


Details:

By default Microsoft Biztalk Server installs and
cofigures some virtual directories in IIS, 
there are two virtual directories configured with weak
permissions, one site holds 
documentation information
(http://server/BizTalkServerDocs/) and the other site
is a 
WebDAV repository for XML files
(http://server/BizTalkServerRepository/).

Virtual directory "http://server/BizTalkServerDocs/";
by default has the next configuration on IIS:
-Authenticate users by Windows authentication,
-Write and browse directories permissions, not execute
permssions. 
-Not default document configured. 
NTFS permissions are full control to users group on
physical folder 
"...\Microsoft BizTalk Server\Documentation\".

Virtual directory
"http://server/BizTalkServerRepository/"; by default
has the next configuration on IIS:
-Anonymous web access.
-Write and browse directories permission, not execute
permssions.
-Not default document configured.
NTFS permissions are full control to users group on
physical folder 
"...\Microsoft BizTalk
Server\BizTalkServerRepository\".

Note: Site "http://server/BizTalkServerRepository/";
needs write permissions because it
is a WebDAV repository which allow users to upload,
edit, etc. XML files.



These weak permissions can be exploited by an attacker
in many ways, some samples:
-In case of site "http://server/BizTalkServerDocs/"; an
attacker can upload and 
replace HTML documentation pages with pages with
dangerous activex controls, scripts, etc.
-In case of site
"http://server/BizTalkServerRepository/"; an attacker
can replace XML 
files with others XML files making Biztalk Server to
fail when using altered XML files.
-etc.


Vendor Status:

Microsoft was contacted several months ago and now
they release a Knowledge Base Article.


Patch Available: 

http://support.microsoft.com/default.aspx?scid=kb;en-us;824935


SQL SECURITY LIST!!!: For people interested in SQL
Server security, vulnerabilities, SQL injection, etc.
Get advisories and vulnerabilities before!!!
Join at:
sqlserversecurity-subscribe () yahoogroups com
http://groups.yahoo.com/group/sqlserversecurity/



__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html