GEN:SID | 1:2133 |
Message | WEB-IIS MS BizTalk server access |
Summary | This event is generated when an attempt is made to access a Microsoft Biztalk Server application from sources external to the protected network.
|
Impact | Arbitrary code execution and possible administrator access to the target host.
|
Detailed Information | This event indicates that an attempt has been made to access a Biztalk Server application. A buffer overrun exists in Biztalk that may lead to an attacker gaining the ability to execute arbitrary code on the host with the privileges of the user running the IIS webserver.
The flaw exists in the HTTP Receiver functionality of Biztalk and this is not enabled by default.
|
Affected Systems | Any host using Microsoft Biztalk.
|
Attack Scenarios | An attacker would need to supply an overly long HTTP POST request to biztalkhttpreceive.dll.
|
Ease of Attack | Simple.
|
Corrective Action | Apply the appropriate vendor supplied patches.
Disable the HTTP Receive functionality.
|
Additional References | Bugtraq: http://www.securityfocus.com/bid/7469 http://www.securityfocus.com/bid/7470
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0117 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0118
Microsoft: http://www.microsoft.com/technet/security/bulletin/ms03-016.asp
|
Rule References | bugtraq: 7469
bugtraq: 7470
cve: 2003-0117
cve: 2003-0118
nessus: 11638
|