Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Windows Net Apps :: fpse12.htm

FrontPage Server Extensions DoS

    FrontPage Server Extensions


    FrontPage Server Extensions; IIS 4, 5


    There has been several  issues with Front Page  Server Extensions.
    One of  them was  reported by  Internet Security  Systems Security
    Alert.  ISS X-Force is  aware of a serious vulnerability  that may
    allow remote attackers to  launch Denial of Service  (DoS) attacks
    against,  or  compromise  Microsoft  Internet  Information  Server
    (IIS)  installations.   This  vulnerability  exists  in the Visual
    Studio Remote Application Deployment (RAD) component of  FrontPage
    Server Extensions.

    Microsoft  FrontPage  is   a  Web  site   design  and   management
    application.   The FrontPage  Server Extensions  (FPSE) package is
    included in IIS versions 4.0  and 5.0 to help integrate  FrontPage
    with IIS.  IIS servers may be vulnerable if the Visual Studio  RAD
    component of FPSE  is installed.   This component allows  Web site
    designers  who  use  Microsoft  InterDev  to actively register and
    unregister COM components on the IIS server.

    The Visual Studio RAD component includes a vulnerable Dynamic Link
    Library (DLL), fp30reg.dll.  This DLL does not properly parse long
    arguments.   Attackers  may  supply  the  DLL  with an overly long
    request and may be  able to run arbitrary  code or bring down  the
    server.  Any  commands executed on  the server are  executed under
    the   IUSR_machinename   security   context,   and   in    certain
    circumstances under the System context.

    Following was  by NSFOCUS  Security Advisory  SA2001-03.   NSFOCUS
    security team has  found also a  buffer overflow vulnerability  in
    Microsoft FrontPage 2000 Server Extension, which can be  exploited
    to  execute  arbitrary  code  by  a  remote  attacker.   Microsoft
    FrontPage 2000 Server Extension has a Dynamic Link Library  (.DLL)
    File: "fp30reg.dll" that  exists a buffer  overflow vulnerability.
    When fp30reg.dll receives  a URL request  that is longer  than 258
    bytes,  a  stack  buffer  overflow  will  occur.   Exploiting this
    vulnerability  successfully,  an  attacker  can  remotely  execute
    arbitrary code on the server running MS FPSE 2000.

    In case  that fp30reg.dll  receives an  invalid parameter(method),
    it will return an error message:

        "The server is unable to perform the method [parameter provided by the user] at this time"

    This error message will be  saved in a fixed length  stack buffer.
    fp30reg.dll  calls  USER32.wsprintfA()  to  form  return  message.
    Because there  is no  checkup for  the length  of data supplied by
    the user, the destination buffer can be overwritten.  An  attacker
    can rewrite some important memory address like exception structure
    or saved EIP to change program flow.

    Format string used by USER32.wsprintfA() is:

        The server is unable to perform the method <b>%s</b> at this time.</BODY>

    It is also  saved in stack  and its address  is at (target  buffer
    address + 256 bytes), so the format string will be rewritten  when
    the  overflow  occurs.   The  attacker  should  manage  to  finish
    copying.  If  an attacker overwrite  the buffer with  random data,
    IIS service will fail.  In this case, IIS 5.0 can be automatically
    self-restarted, but IIS 4.0 needs to be restarted manually.

    Exploiting this vulnerability successfully, an attacker can obtain
    the  privilege  of  IWAM_machinename  account  in IIS 5.0 or Local
    SYSTEM account in IIS 4.0 by default.

    There is a copy of fp30reg.dll in another directory:

        \Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\

    whose name is fp4areg.dll.

    Exploiting  some  other  vulnerabilities  like  unicode  bug,   an
    attacker will be able to access this file.

    Overflow won't occur in case that the provided parameter has  only
    258 bytes:

        $ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x258'`
        The server is unable to perform the method <b>AAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAA</b> at this time.</BODY>

    In case that it is longer than 258 bytes, an buffer overflow  will

        $ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x259'`
        <html><head><title>Error</title></head><body>The remote procedure call
        failed. </body></html>

    There is a proof of concept code for this issue:


    ISS X-Force recommends that all Web site administrators review the
    appropriate  IIS  Security  Checklist  from  Microsoft, and verify
    that their IIS Web servers  have been configured securely.   These
    documents outline how to correctly configure an externally  facing
    IIS Web server.  IIS  servers that have been configured  securely,
    using the  Checklists, are  not vulnerable  to many  of the recent
    and widely publicized remote IIS exploits.

    The IIS Security Checklists are available here:

    Patch for Microsoft Windows NT version 4.0:

    For  Microsoft  Windows  2000  Professional,  Server  and Advanced

    For more information  on this vulnerability,  please refer to  the
    Microsoft Security Bulletin at:

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH