COMMAND
FrontPage Server Extensions
SYSTEMS AFFECTED
FrontPage Server Extensions; IIS 4, 5
PROBLEM
There have been several issues with FrontPage Server Extensions.
One of them was reported in an Internet Security Systems (ISS)
security alert. ISS X-Force is aware of a serious vulnerability
that may allow remote attackers to launch Denial of Service (DoS)
attacks against, or compromise, Microsoft Internet Information
Server (IIS) installations. This vulnerability exists in the Visual
Studio Remote Application Deployment (RAD) component of FrontPage
Server Extensions.
Microsoft FrontPage is a Web site design and management
application. The FrontPage Server Extensions (FPSE) package is
included in IIS versions 4.0 and 5.0 to help integrate FrontPage
with IIS. IIS servers may be vulnerable if the Visual Studio RAD
component of FPSE is installed. This component allows Web site
designers who use Microsoft InterDev to actively register and
unregister COM components on the IIS server.
The Visual Studio RAD component includes a vulnerable Dynamic Link
Library (DLL), fp30reg.dll. This DLL does not properly parse long
arguments. Attackers may supply the DLL with an overly long
request and may be able to run arbitrary code or bring down the
server. Any commands executed on the server are executed under
the IUSR_machinename security context, and in certain
circumstances under the System context.
The following is from NSFOCUS Security Advisory SA2001-03. The
NSFOCUS security team has also found a buffer overflow vulnerability
in Microsoft FrontPage 2000 Server Extensions, which a remote
attacker can exploit to execute arbitrary code. Microsoft FrontPage
2000 Server Extensions ships a Dynamic Link Library (.DLL) file,
"fp30reg.dll", that contains a buffer overflow vulnerability. When
fp30reg.dll receives a URL request longer than 258 bytes, a stack
buffer overflow occurs. By exploiting this vulnerability
successfully, an attacker can remotely execute arbitrary code on a
server running MS FPSE 2000.
When fp30reg.dll receives an invalid parameter (method), it returns
the error message:
"The server is unable to perform the method [parameter provided by the user] at this time"
This error message is written into a fixed-length stack buffer.
fp30reg.dll calls USER32.wsprintfA() to build the return message.
Because the length of the user-supplied data is never checked, the
destination buffer can be overrun. An attacker can then overwrite
important memory such as the exception structure or the saved EIP
to change the program flow.
Format string used by USER32.wsprintfA() is:
<HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT IMPLEMENTED</H1>
The server is unable to perform the method <b>%s</b> at this time.</BODY>
The format string is also stored on the stack, at (target buffer
address + 256 bytes), so it is itself overwritten when the overflow
occurs; the attacker must therefore ensure the copy still completes.
If an attacker overwrites the buffer with random data, the IIS
service fails. In this case IIS 5.0 restarts itself automatically,
but IIS 4.0 must be restarted manually.
A successful exploit gives the attacker the privileges of the
IWAM_machinename account on IIS 5.0 or of the Local SYSTEM account
on IIS 4.0 by default.
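The defect is the unchecked wsprintfA() call into a fixed-length stack buffer. The following C is an added example, not code from the advisory or from Microsoft: it shows the bounded replacement a maintainer would substitute, in which the caller passes the real buffer size, the required length is computed before anything is written, and an over-long method name is rejected instead of spilling past the buffer. The buffer size (512), the canary layout in demo() and the function names are constructed for illustration; the page does not state the DLL's actual buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the fixed-length stack buffer the advisory
 * describes; the real DLL's buffer size is not stated on the page. */
#define ERR_PAGE_BUF 512

/* The format string quoted in the advisory, split into the text before
 * and after the %s so lengths can be checked before anything is written. */
static const char ERR_PREFIX[] =
    "<HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT IMPLEMENTED</H1>\n"
    "The server is unable to perform the method <b>";
static const char ERR_SUFFIX[] = "</b> at this time.</BODY>";

/* Largest method-name length the buffer can hold (prefix, name, suffix
 * and the terminating NUL); compare with the 258-byte boundary the
 * advisory measured against the real DLL. */
size_t max_method_len(size_t dstlen)
{
    size_t fixed = sizeof ERR_PREFIX - 1 + sizeof ERR_SUFFIX - 1 + 1;
    return dstlen > fixed ? dstlen - fixed : 0;
}

/* Hardened replacement for the unchecked wsprintfA() call. Returns 0 on
 * success and -1 when the message would not fit; in the failure case dst
 * is left as an empty string and nothing is written past dstlen. */
int build_error_page(char *dst, size_t dstlen, const char *method)
{
    if (dstlen == 0)
        return -1;
    if (strlen(method) > max_method_len(dstlen)) {
        dst[0] = '\0';
        return -1;
    }
    /* snprintf is bounded by dstlen, so even if the arithmetic above were
     * wrong the write could not run past the buffer. */
    int n = snprintf(dst, dstlen, "%s%s%s", ERR_PREFIX, method, ERR_SUFFIX);
    if (n < 0 || (size_t)n >= dstlen) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Stand-alone demonstration: a buffer followed by a canary, fed a method
 * name one byte longer than fits. Returns 1 when the request is rejected
 * and the canary is untouched, i.e. nothing spilled past the buffer. */
int demo(void)
{
    struct { char buf[ERR_PAGE_BUF]; char canary[8]; } frame;
    char method[1024];
    size_t too_long = max_method_len(ERR_PAGE_BUF) + 1;

    memcpy(frame.canary, "CANARY!", 8);
    memset(method, 'A', too_long);
    method[too_long] = '\0';

    int rc = build_error_page(frame.buf, sizeof frame.buf, method);
    return rc == -1 && memcmp(frame.canary, "CANARY!", 8) == 0;
}

int main(void)
{
    printf("over-long method rejected, canary intact: %s\n",
           demo() ? "yes" : "no");
    return 0;
}
```

The length check and the bounded snprintf() are deliberately redundant: the explicit check gives the caller a clean error to report (an HTTP 400 rather than a truncated page), and the bounded write guarantees memory safety even if that check is later edited incorrectly.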
A copy of fp30reg.dll, named fp4areg.dll, exists in another
directory:
\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\
By exploiting other vulnerabilities such as the Unicode bug, an
attacker may be able to reach this file.
No overflow occurs when the supplied parameter is only 258 bytes
long:
$ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x258'`
<HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT IMPLEMENTED</H1>
The server is unable to perform the method <b>AAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA</b> at this time.</BODY>
When it is longer than 258 bytes, a buffer overflow occurs:
$ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x259'`
<html><head><title>Error</title></head><body>The remote procedure call
failed. </body></html>
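To find out whether a server has already been probed, a practitioner would look in the web logs for requests to fp30reg.dll whose query string exceeds the 258-byte boundary measured above. The following C is an added example, not from the advisory or from NSFOCUS; it classifies lines in an assumed IIS W3C-style layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status), and the sample log lines it scans are constructed, not captured traffic. Any request to fp30reg.dll is counted separately, since the DLL should not be reachable at all on a server that does not need the RAD component.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Boundary from the advisory: a parameter longer than 258 bytes overflows. */
#define FPSE_SAFE_QUERY_LEN 258

enum { FPSE_PARSE_ERROR = -1, FPSE_NOT_FPSE = 0, FPSE_PROBE = 1, FPSE_OVERLONG = 2 };

/* Case-insensitive "ends with" for the URI stem; IIS paths are case-insensitive. */
static int ends_with_ci(const char *s, size_t slen, const char *suffix)
{
    size_t n = strlen(suffix);
    if (slen < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[slen - n + i]) != tolower((unsigned char)suffix[i]))
            return 0;
    return 1;
}

/* Classify one log line in the assumed layout:
 *   date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
 * Fields are space-separated and cs-uri-query is "-" when empty. */
int classify_w3c_line(const char *line)
{
    const char *f[7];
    size_t len[7];
    const char *p = line;

    for (int i = 0; i < 7; i++) {
        while (*p == ' ')
            p++;
        if (*p == '\0' || *p == '\n')
            return FPSE_PARSE_ERROR;
        f[i] = p;
        len[i] = strcspn(p, " \n");
        p += len[i];
    }
    if (!ends_with_ci(f[4], len[4], "fp30reg.dll"))
        return FPSE_NOT_FPSE;
    size_t qlen = (len[5] == 1 && f[5][0] == '-') ? 0 : len[5];
    return qlen > FPSE_SAFE_QUERY_LEN ? FPSE_OVERLONG : FPSE_PROBE;
}

/* Walk a newline-separated log buffer. Returns the number of over-long
 * fp30reg.dll requests; *probes receives the count of all fp30reg.dll
 * requests, over-long ones included. */
int scan_log(const char *log, int *probes)
{
    int overlong = 0;
    *probes = 0;
    for (const char *line = log; *line; ) {
        int c = classify_w3c_line(line);
        if (c == FPSE_OVERLONG) {
            overlong++;
            (*probes)++;
        } else if (c == FPSE_PROBE) {
            (*probes)++;
        }
        const char *nl = strchr(line, '\n');
        if (!nl)
            break;
        line = nl + 1;
    }
    return overlong;
}

/* Constructed sample log (not real traffic): one ordinary page hit, one
 * short fp30reg.dll request like the 258-byte check above, and one request
 * carrying a 300-byte query. Status codes are constructed values. */
const char *sample_log(void)
{
    static char buf[1024];
    char longq[301];
    memset(longq, 'A', 300);
    longq[300] = '\0';
    snprintf(buf, sizeof buf,
        "2001-06-21 10:00:01 192.0.2.10 GET /default.htm - 200\n"
        "2001-06-21 10:00:05 192.0.2.10 GET /_vti_bin/_vti_aut/fp30reg.dll AAAA 501\n"
        "2001-06-21 10:00:09 192.0.2.10 GET /_VTI_BIN/_vti_aut/FP30REG.DLL %s 500\n",
        longq);
    return buf;
}

int main(void)
{
    int probes = 0;
    int overlong = scan_log(sample_log(), &probes);
    printf("fp30reg.dll requests: %d, over-long queries: %d\n", probes, overlong);
    return 0;
}
```

The stem comparison is case-insensitive because IIS resolves paths that way and probes are often sent in mixed case; the length is measured on the raw cs-uri-query field, so a request that fails the bound shows up even when the server answered with the generic "remote procedure call failed" page rather than the 501 text.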
Proof-of-concept code for this issue is available at:
http://www.nsfocus.com/proof/fpse2000ex.c
SOLUTION
ISS X-Force recommends that all Web site administrators review the
appropriate IIS Security Checklist from Microsoft, and verify
that their IIS Web servers have been configured securely. These
documents outline how to correctly configure an externally facing
IIS Web server. IIS servers that have been configured securely,
using the Checklists, are not vulnerable to many of the recent
and widely publicized remote IIS exploits.
The IIS Security Checklists are available here:
http://www.microsoft.com/technet/security/iischk.asp
http://www.microsoft.com/technet/security/iis5chk.asp
Patch for Microsoft Windows NT version 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31038
For Microsoft Windows 2000 Professional, Server and Advanced
Server:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30727
For more information on this vulnerability, please refer to the
Microsoft Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-035.asp
Note that installing MS01-035 causes the IIS MMC to close when you
click the Server Extensions tab under Windows 2000 Advanced Server
on SP2 (with all current hotfixes). Uninstalling MS01-035 fixes that
problem but reopens the security hole. When the new patch is
available, Microsoft will re-release its bulletin.