Microsoft Commerce Server OWC package installer buffer overflow

mscs-owc-installer-bo (9424) The risk level is classified as HighHigh Risk

Description:

Microsoft Commerce Server is vulnerable to a buffer overflow in the Office Web Components (OWC) package installer. By supplying specially-crafted data as an input parameter before running the OWC package installer, a remote attacker with the ability to log onto the system running Commerce Server could overflow a buffer and execute arbitrary code on the system or cause the Web server to crash.


Consequences:

Gain Access

Remedy:

Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS02-033. See References.

References:

  • Microsoft Security Bulletin MS02-033: Unchecked Buffer in Profile Service Could Allow Code Execution in Commerce Server (Q322273).
  • NGSSoftware Insight Security Research Advisory #NISR03062002: Remotely Exploitable Buffer Overruns in Microsoft's Commerce Server 2000/2.
  • BID-5108: Microsoft Commerce Server OWC Package Installer Buffer Overflow Vulnerability
  • CVE-2002-0621: Buffer overflow in the Office Web Components (OWC) package installer used by Microsoft Commerce Server 2000 allows remote attackers to cause the process to fail or run arbitrary code in the LocalSystem security context via certain input to the OWC package installer.
  • OSVDB ID: 5172: Microsoft Commerce Server OWC Installer LocalSystem Arbitrary Code Execution

Platforms Affected:

  • Microsoft Commerce Server 2000
  • Microsoft Commerce Server 2002
  • Microsoft Internet Information Server 5.0

Reported:

Jun 26, 2002

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page