COMMAND

    fpcount.exe

SYSTEMS AFFECTED

    Win NT with FrontPage and IIS

PROBLEM

    Dave Litchfield posted the following.  Those of you that have IIS and
    MS  FrontPage  on  your  server  will  most  likely  have heard of
    fpcount.exe.  Fpcount.exe has  obviously been designed so  that if
    someone tries the following URL:

        http://comp.com/cgi-bin/fpcount.exe?Page=Default.htm|Image=3|Digits=100000

    and tries  overloading the  program, it  will just  bomb out  with
    memory exception errors.  This  was good thinking but they  forgot
    one thing - negative numbers (note: 8 nines):

        http://comp.com/scripts/fpcount.exe?Page=Default.htm|Image=3|Digits=-99999999

    The above URL will cause the processor to run at 100% for half  an
    hour while it  calculates (tested on  P166 with MMX  and 64 Mb  of
    RAM, Service Pack 3).

    When you send a positive  number and get the exception  errors, Dr
    Watson will kick in saying just that:

        http://comp.com/cgi-bin//fpcount.exe?Page=Default.htm|Image=3|Digits=100000

    Dr Watson takes  up just under  4000K of memory.   If an  attacker
    reloads  the  page  it  seems  that  after 8 reloads the IIS stops
    servicing requests.

SOLUTION

    Nothing yet.
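
    Until a fix exists, requests of the kind described above can at
    least be spotted in the web server logs.  The following is an added
    example, not part of the original post: the log layout, the sample
    lines and the MAX_DIGITS bound are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: a legitimate hit counter never needs more digits than this.
MAX_DIGITS = 10

# Constructed sample lines (date time client-ip method uri-stem uri-query status).
SAMPLE_LOG = """\
1999-01-12 10:01:02 192.0.2.10 GET /cgi-bin/fpcount.exe Page=Default.htm|Image=3|Digits=6 200
1999-01-12 10:01:05 192.0.2.66 GET /cgi-bin/fpcount.exe Page=Default.htm|Image=3|Digits=100000 500
1999-01-12 10:01:09 192.0.2.66 GET /scripts/fpcount.exe Page=Default.htm|Image=3|Digits=-99999999 200
1999-01-12 10:01:11 192.0.2.66 GET /scripts/FPCOUNT.EXE Page=Default.htm%7CImage=3%7CDigits=%2D5 200
1999-01-12 10:01:15 192.0.2.10 GET /default.htm - 200
"""

def parse_fpcount_query(query):
    """Split the '|'-separated fpcount.exe query into a dict (keys lowercased)."""
    params = {}
    for part in unquote(query).split("|"):  # decode %7C / %2D before splitting
        key, sep, value = part.partition("=")
        if sep:
            params[key.strip().lower()] = value.strip()
    return params

def suspicious_digits(value):
    """Return a reason string if Digits is outside 1..MAX_DIGITS, else None."""
    if not re.fullmatch(r"[+-]?\d+", value):
        return "non-numeric"
    n = int(value)
    if n < 1:
        return "negative or zero"
    if n > MAX_DIGITS:
        return "too large"
    return None

def scan(log_text):
    """Yield (client_ip, digits_value, reason) for each flagged fpcount.exe request."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7 or not fields[4].lower().endswith("/fpcount.exe"):
            continue
        digits = parse_fpcount_query(fields[5]).get("digits")
        if digits is not None:
            reason = suspicious_digits(digits)
            if reason:
                yield fields[2], digits, reason

if __name__ == "__main__":
    for ip, digits, reason in scan(SAMPLE_LOG):
        print(f"{ip} Digits={digits}: {reason}")
```

    The same range check, applied in front of the server, would reject
    both the oversized and the negative Digits values before they reach
    fpcount.exe.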