COMMAND

    FrontPage Server Extensions

SYSTEMS AFFECTED

    FrontPage Server Extensions; IIS 4, 5

PROBLEM

    There have been several issues with FrontPage Server Extensions.
    One of them was reported in an Internet Security Systems (ISS)
    Security Alert.  ISS X-Force is aware of a serious vulnerability
    that may allow remote attackers to launch Denial of Service (DoS)
    attacks against, or compromise, Microsoft Internet Information
    Server (IIS) installations.  The vulnerability exists in the
    Visual Studio Remote Application Deployment (RAD) component of
    FrontPage Server Extensions.

    Microsoft FrontPage is a Web site design and management
    application.  The FrontPage Server Extensions (FPSE) package is
    included with IIS 4.0 and 5.0 to integrate FrontPage with IIS.
    IIS servers may be vulnerable if the Visual Studio RAD component
    of FPSE is installed.  This component lets Web site designers who
    use Microsoft Visual InterDev register and unregister COM
    components on the IIS server remotely.

    The Visual Studio RAD component includes a vulnerable Dynamic Link
    Library (DLL), fp30reg.dll, which does not properly handle long
    arguments.  An attacker can send the DLL an overly long request
    and may be able to run arbitrary code or bring down the server.
    According to ISS, commands executed this way run in the
    IUSR_machinename security context and, in certain circumstances,
    in the System context.

    The following is taken from NSFOCUS Security Advisory SA2001-03.
    The NSFOCUS security team has also found a buffer overflow
    vulnerability in Microsoft FrontPage 2000 Server Extensions that
    a remote attacker can exploit to execute arbitrary code.  FPSE
    2000 ships a Dynamic Link Library (.DLL) file, fp30reg.dll, that
    contains a stack buffer overflow: when fp30reg.dll receives a URL
    request whose query-string parameter is longer than 258 bytes, a
    stack buffer is overrun.  By exploiting this successfully, an
    attacker can remotely execute arbitrary code on a server running
    MS FPSE 2000.

    When fp30reg.dll receives an invalid parameter (an unknown method
    name), it returns an error message:

        "The server is unable to perform the method [parameter provided by the user] at this time"

    This error message is built in a fixed-length stack buffer:
    fp30reg.dll calls USER32.wsprintfA() to form the return message,
    and because the length of the user-supplied data is never
    checked, the destination buffer can be overrun.  An attacker can
    overwrite important values on the stack, such as a structured
    exception handler record or the saved return address (EIP), and
    so change the program flow.

    The format string passed to USER32.wsprintfA() is:

        <HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT IMPLEMENTED</H1>
        The server is unable to perform the method <b>%s</b> at this time.</BODY>

    The format string itself also lives on the stack, 256 bytes past
    the start of the destination buffer, so the overflow overwrites
    the format string while wsprintfA() is still reading from it; an
    exploit has to be laid out so that the copy still runs to
    completion.  If the buffer is simply overwritten with random
    data, the IIS service fails.  IIS 5.0 restarts itself
    automatically in that case, but IIS 4.0 has to be restarted
    manually.
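    The following C program is an added illustration by the editor, not
    code from fp30reg.dll, from NSFOCUS's proof of concept or from ISS.
    It models the error-page construction described above (a fixed
    stack buffer filled by an unbounded formatting call with the
    user-supplied method name) and places a bounded, validating version
    beside it.  The buffer size, MAX_METHOD_LEN and all function names
    are assumptions; the buffer is sized so that the model reproduces
    the 258/259-byte threshold the advisory observed, and portable
    snprintf() stands in for USER32.wsprintfA(), which takes no
    destination size at all.  The vulnerable write is measured rather
    than performed, so the program itself does not corrupt memory.

```c
/* Added example, not code from fp30reg.dll, NSFOCUS or ISS: a model of the
 * error-page construction described in the advisory, with a bounded
 * replacement.  Function names, MAX_METHOD_LEN and the buffer size are
 * assumptions; the buffer is sized so the model reproduces the 258/259-byte
 * threshold the advisory observed.  Portable snprintf stands in for
 * USER32.wsprintfA, which has no destination-size parameter at all. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Format string quoted in the advisory; its line break is treated as wrapping. */
static const char ERR501_FMT[] =
    "<HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT IMPLEMENTED</H1>"
    "The server is unable to perform the method <b>%s</b> at this time.</BODY>";

/* Assumed fixed stack buffer: the fixed text (sizeof minus NUL and "%s")
 * plus a 258-byte method plus the terminating NUL.  One byte more overflows. */
#define RESP_BUF_SIZE (sizeof ERR501_FMT - 3 + 258 + 1)

/* Assumed upper bound for a legitimate method token; real ones are tiny. */
#define MAX_METHOD_LEN 64

/* --- vulnerable pattern, measured rather than performed ------------------ */

/* Bytes an unbounded wsprintfA-style call would write, NUL included.
 * snprintf(NULL, 0, ...) computes the length without writing anything, so
 * the overflow can be reasoned about without undefined behaviour. */
size_t unbounded_write_length(const char *method)
{
    int n = snprintf(NULL, 0, ERR501_FMT, method);
    return n < 0 ? 0 : (size_t)n + 1;
}

bool would_overflow(const char *method)
{
    return unbounded_write_length(method) > RESP_BUF_SIZE;
}

/* --- hardened version ---------------------------------------------------- */

/* RFC 2616 token character: printable ASCII that is not a separator.
 * Rejecting '<', '>' and '"' also stops the echoed method from injecting
 * HTML into the error page. */
static bool is_token_char(unsigned char c)
{
    if (c <= 0x20 || c >= 0x7f) return false;
    return strchr("()<>@,;:\\\"/[]?={}", c) == NULL;
}

/* Returns the page length (without NUL), or -1 if the method is rejected or
 * the page would not fit in out.  Truncation is refused, not silently sent. */
int build_error_page(const char *method, char *out, size_t outsz)
{
    size_t len = strlen(method);
    if (len == 0 || len > MAX_METHOD_LEN) return -1;
    for (size_t i = 0; i < len; i++)
        if (!is_token_char((unsigned char)method[i])) return -1;

    int n = snprintf(out, outsz, ERR501_FMT, method);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';
        return -1;
    }
    return n;
}

/* --- helpers for experimenting with a method of n 'A' bytes -------------- */

static char g_method[1024];

static const char *a_method(size_t n)
{
    if (n >= sizeof g_method) n = sizeof g_method - 1;
    memset(g_method, 'A', n);
    g_method[n] = '\0';
    return g_method;
}

bool would_overflow_for_len(size_t n) { return would_overflow(a_method(n)); }

int hardened_page_len(const char *method)
{
    char page[RESP_BUF_SIZE];
    return build_error_page(method, page, sizeof page);
}

int hardened_for_len(size_t n) { return hardened_page_len(a_method(n)); }

int main(void)
{
    size_t lens[] = { 3, 258, 259 };
    for (size_t i = 0; i < 3; i++)
        printf("%3zu-byte method: unbounded write %zu bytes (buffer %zu) "
               "overflow=%d  hardened=%d\n", lens[i],
               unbounded_write_length(a_method(lens[i])),
               (size_t)RESP_BUF_SIZE, would_overflow_for_len(lens[i]),
               hardened_for_len(lens[i]));
    return 0;
}
```

    The two checks in build_error_page() are deliberately redundant:
    the token length limit is what makes the input safe, while the
    snprintf() return-value test catches the case where the buffer is
    later shrunk or the fixed text grows.  Note also that wsprintfA()
    only caps its output at 1024 characters, which is no protection
    for a buffer smaller than that.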

    By exploiting this vulnerability successfully, an attacker obtains
    the privileges of the IWAM_machinename account on IIS 5.0, or of
    the Local SYSTEM account on IIS 4.0, in a default configuration.

    A second copy of fp30reg.dll, named fp4areg.dll, exists in
    another directory:

        \Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\

    An attacker who can exploit some other vulnerability, such as the
    IIS Unicode directory traversal bug, may be able to reach this
    file as well.

    No overflow occurs when the supplied parameter is exactly 258
    bytes long:

        $ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x258'`

        <HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT IMPLEMENTED</H1>
        The server is unable to perform the method <b>AAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        AAAAAAAAAAAAAAAAAA</b> at this time.</BODY>

    With one byte more the buffer overflows and the request fails
    (do not try this against a production server: on IIS 4.0 the
    service will not come back without a manual restart):

        $ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x259'`

        <html><head><title>Error</title></head><body>The remote procedure call
        failed. </body></html>
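    The same exposure check, packaged as a small tool, is given below
    as an added example by the editor; it is not code from the
    advisory, from NSFOCUS or from ISS.  It emits the raw HTTP request
    for the 258-byte probe (so the bytes on the wire are exactly what
    is intended, with no URL-encoding surprises) and classifies a reply
    using the two page texts quoted above.  The host, port and tool
    name in the usage line are assumptions.  The tool refuses lengths
    above 258, since one byte more crashes the DLL and leaves an IIS
    4.0 server needing a manual restart.

```c
/* Added example, not code from the advisory, NSFOCUS or ISS: builds the raw
 * HTTP request for the 258-byte exposure probe and classifies the reply.
 * Host, port and the tool name are assumptions.  Typical use:
 *
 *     ./fpse_probe TARGET 258 | nc TARGET 80 | ./fpse_probe classify
 *
 * Only lengths up to 258 are accepted: one byte more crashes the DLL and, on
 * IIS 4.0, the service then needs a manual restart. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FPSE_PATH      "/_vti_bin/_vti_aut/fp30reg.dll"
#define SAFE_PROBE_LEN 258   /* longest method the advisory shows surviving */

enum fpse_result { FPSE_OTHER = 0, FPSE_ECHOED = 1, FPSE_RPC_FAILED = 2 };

/* Writes "GET /_vti_bin/_vti_aut/fp30reg.dll?AAA... HTTP/1.0" with a Host
 * header into out.  Returns the request length, or -1 if n is over the safe
 * limit or out is too small. */
int build_probe_request(char *out, size_t outsz, const char *host, size_t n)
{
    if (n > SAFE_PROBE_LEN) return -1;
    size_t need = strlen("GET " FPSE_PATH "?") + n
                + strlen(" HTTP/1.0\r\nHost: ") + strlen(host)
                + strlen("\r\n\r\n") + 1;              /* +1 for the NUL */
    if (need > outsz) return -1;

    int len = sprintf(out, "GET " FPSE_PATH "?");
    memset(out + len, 'A', n);                       /* the overlong "method" */
    len += (int)n;
    len += sprintf(out + len, " HTTP/1.0\r\nHost: %s\r\n\r\n", host);
    return len;
}

/* Length of the query string in such a request: bytes between the '?' and
 * the following space.  Returns 0 if the request has no query. */
size_t method_len_in_request(const char *req)
{
    const char *q  = strchr(req, '?');
    const char *sp = q ? strchr(q, ' ') : NULL;
    return (q && sp) ? (size_t)(sp - q - 1) : 0;
}

/* Classifies a reply using the two page texts quoted in the advisory.  An
 * echoed 501 page proves only that fp30reg.dll is reachable and handling
 * requests; the advisory does not say what a patched server returns, so
 * this does not establish patch state. */
enum fpse_result classify_response(const char *body)
{
    if (strstr(body, "The remote procedure call failed"))
        return FPSE_RPC_FAILED;
    if (strstr(body, "HTTP Error 501") &&
        strstr(body, "unable to perform the method"))
        return FPSE_ECHOED;
    return FPSE_OTHER;
}

static const char *result_name(enum fpse_result r)
{
    switch (r) {
    case FPSE_ECHOED:     return "fp30reg.dll reachable: 501 page echoes the method";
    case FPSE_RPC_FAILED: return "RPC failure: the DLL crashed";
    default:              return "no fp30reg.dll signature in the reply";
    }
}

int main(int argc, char **argv)
{
    if (argc == 2 && strcmp(argv[1], "classify") == 0) {
        static char resp[65536];          /* headers plus body from stdin */
        size_t got = fread(resp, 1, sizeof resp - 1, stdin);
        resp[got] = '\0';
        puts(result_name(classify_response(resp)));
        return 0;
    }
    if (argc != 3) {
        fprintf(stderr, "usage: %s HOST METHOD_LEN | %s classify\n",
                argv[0], argv[0]);
        return 2;
    }
    char req[1024];
    int len = build_probe_request(req, sizeof req, argv[1],
                                  strtoul(argv[2], NULL, 10));
    if (len < 0) {
        fprintf(stderr, "refusing: length above %d or buffer too small\n",
                SAFE_PROBE_LEN);
        return 1;
    }
    fwrite(req, 1, (size_t)len, stdout);
    return 0;
}
```

    The classifier deliberately reports only what the advisory's own
    output supports: an echoed 501 page means the DLL is reachable and
    worth removing or patching, and an RPC failure page means the DLL
    has just crashed.  Neither result says whether MS01-035 is
    installed.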

    NSFOCUS has published proof-of-concept code for this issue:

        http://www.nsfocus.com/proof/fpse2000ex.c

SOLUTION

    ISS X-Force recommends that all Web site administrators review the
    appropriate IIS Security Checklist from Microsoft and verify that
    their IIS Web servers have been configured securely.  These
    documents describe how to configure an externally facing IIS Web
    server correctly; servers configured according to the Checklists
    are not vulnerable to many of the recent and widely publicized
    remote IIS exploits.  Since the vulnerable code is only present
    when the Visual Studio RAD component of FPSE is installed, servers
    that are not administered with Visual InterDev should not have
    that component installed at all.

    The IIS Security Checklists are available here:

        http://www.microsoft.com/technet/security/iischk.asp
        http://www.microsoft.com/technet/security/iis5chk.asp

    Patch for Microsoft Windows NT version 4.0:

        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31038

    For  Microsoft  Windows  2000  Professional,  Server  and Advanced
    Server:

        http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30727

    For more information  on this vulnerability,  please refer to  the
    Microsoft Security Bulletin at:

        http://www.microsoft.com/technet/security/bulletin/MS01-035.asp

    Note that installing MS01-035 causes the IIS MMC snap-in to close
    when the Server Extensions tab is clicked on Windows 2000 Advanced
    Server SP2 (with all current hotfixes).  Uninstalling MS01-035
    fixes that problem but reopens the security hole.  Microsoft will
    re-release the bulletin when a corrected patch is available.