COMMAND

    FPSE

SYSTEMS AFFECTED

    Microsoft IIS 5.0

PROBLEM

    Microsoft IIS ships with FrontPage Server Extensions (FPSE), which
    enable administrators to manage web pages and content remotely and
    locally.  Browse-time support is another feature within FPSE which
    provides users with functional web applications.

    Due to the way FPSE handles the processing of web forms, IIS is
    subject to a denial of service.  By supplying malformed data to
    one of the FPSE functions, an attacker can cause IIS to stop
    responding.  A restart of the service is required in order to
    regain normal functionality.

    It should be noted that a server only needs to have FPSE installed
    to be vulnerable.

    So, any current NT server running IIS with FrontPage Server
    Extensions (which are installed by default) is vulnerable to a
    remote DoS (Denial of Service).

    According to the eEye team, the vulnerability stems from FrontPage
    improperly handling queries to FrontPage Authoring (author.dll)
    modules as well as shtml calls.  It is possible for a remote
    attacker to send a malformed query to those modules which will
    cause FrontPage to crash, which will then in turn bring down
    inetinfo.exe on Windows NT 4.0 systems.  On Windows 2000 systems
    the vulnerability is a bit different.  Inetinfo.exe is not
    killed, it just simply "freezes".  You can still connect to the
    IIS5 web server but any further GET/HEAD/etc. commands will not
    be processed.  Microsoft's advisory states that IIS5 will simply
    restart, however we did not experience this in our testing.  The
    two vulnerable pieces of FrontPage are:

        /_vti_bin/shtml.dll/_vti_rpc
        /_vti_bin/_vti_aut/author.dll
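
    A log triage sketch for the two endpoints above, added here as an
    example and not part of the original advisory or of eEye's or
    Microsoft's material.  It assumes W3C extended logs with the date,
    time, c-ip and cs-uri-stem fields enabled; the authoring-host list
    and the five-minute silence threshold are assumptions to tune.

```python
from datetime import datetime, timedelta

# The two FPSE endpoints named in the advisory (IIS URL paths are case-insensitive).
FPSE_PATHS = ("/_vti_bin/shtml.dll/_vti_rpc", "/_vti_bin/_vti_aut/author.dll")

def parse_w3c(lines):
    """Yield one dict per logged request, keyed by the log's own #Fields names."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            yield row

def fpse_hits(lines, authoring_hosts=(), quiet=timedelta(minutes=5)):
    """Return requests to the FPSE endpoints, flagged for triage."""
    rows = list(parse_w3c(lines))
    hits = []
    for i, row in enumerate(rows):
        stem = row.get("cs-uri-stem", "").lower()
        if not stem.startswith(FPSE_PATHS):
            continue
        nxt = rows[i + 1]["ts"] if i + 1 < len(rows) else None
        hits.append({
            "ts": row["ts"], "client": row.get("c-ip"), "path": stem,
            # Assumption: only known authoring hosts should reach these URLs.
            "unexpected_client": row.get("c-ip") not in authoring_hosts,
            # A crashed or frozen inetinfo.exe logs nothing until restarted.
            "followed_by_silence": nxt is None or nxt - row["ts"] > quiet,
        })
    return hits

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2000-12-23 09:00:01 192.0.2.10 GET /default.htm 200
2000-12-23 09:00:05 192.0.2.20 POST /_vti_bin/_vti_aut/author.dll 200
2000-12-23 09:00:09 192.0.2.10 GET /images/logo.gif 200
2000-12-23 09:14:30 198.51.100.7 POST /_vti_bin/shtml.dll/_vti_rpc 200
2000-12-23 09:41:12 192.0.2.10 GET /default.htm 200
"""

if __name__ == "__main__":
    for hit in fpse_hits(SAMPLE_LOG.splitlines(), authoring_hosts={"192.0.2.20"}):
        print(hit)
```

    A request that brings the service down before it completes may
    never be written to the log, so a gap in the log with no FPSE hit
    in front of it does not rule this issue out.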

    Example Exploit:

        http://www.eEye.com/html/advisories/FPDOSNT4.txt
        http://www.eEye.com/html/advisories/FPDOSNT4NT5.txt

    This was discovered by eEye Digital Security and posted in a
    Microsoft Security Bulletin (MS00-100) on Dec 22, 2000.

SOLUTION

    Microsoft has released a patch which addresses this issue:

        IIS 5.0: http://download.microsoft.com/download/win2000platform/Patch/q280322/NT5/EN-US/Q280322_W2K_SP2_x86_en.EXE
        IIS 4.0: http://download.microsoft.com/download/winntsrv40/Patch/q280322/NT4/EN-US/Q280322i.EXE