From: Marc Maiffret (marc@EEYE.COM)
Date: Wed Jan 03 2001 - 10:49:35 CST

    Sorry for the delay in posting this.

    Frontpage Publishing DoS (Denial of Service)

    Release Date:
    Dec 22, 2000

    Systems Affected:
    Default Installations of Windows NT4 IIS4 SP6or<
    Default Installations of Windows 2000 IIS5 SP1or<

    Description:
    Any current NT server running IIS with Frontpage server extensions (which
    are installed by default) is vulnerable to a remote DoS (Denial of Service).

    The vulnerability stems from Frontpage improperly handling queries to
    Frontpage Authoring (author.dll) modules as well as shtml calls. It is
    possible for a remote attacker to send a malformed query to those modules
    which will cause Frontpage to crash which will then in turn bring down
    inetinfo.exe on Windows NT 4.0 systems. On Windows 2000 systems the
    vulnerability is a bit different. Inetinfo.exe is not killed; it just simply
    "freezes". You can still connect to the IIS5 web server, but any further
    GET/HEAD/etc. commands will not be processed. Microsoft's advisory states
    that IIS5 will simply restart; however, we did not experience this in our
    testing.
    The two vulnerable pieces of Frontpage are:
    /_vti_bin/shtml.dll/_vti_rpc
    /_vti_bin/_vti_aut/author.dll

    Example Exploit:
    Sorry we didn't take the time to wrap these into click and kill exe's.
    http://www.eEye.com/html/advisories/FPDOSNT4.txt
    http://www.eEye.com/html/advisories/FPDOSNT4NT5.txt
    Easiest if these files are opened in a word wrapped document.

    Vendor Status:
    Microsoft has released an advisory and patch for this vulnerability:
    http://www.microsoft.com/technet/security/bulletin/ms00-100.asp
    Note: A few people have recommended disabling Frontpage Web Authoring if
    you do not use FrontPage. Disabling Web Authoring does not fix the problem.
    You must completely remove Frontpage and all of its files.

    Copyright (c) 1998-2000 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express consent of
    eEye. If you wish to reprint the whole or any part of this alert in any
    other medium excluding electronic medium, please e-mail alert@eEye.com for
    permission.

    Disclaimer
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties with regard to this information. In no event shall the author
    be liable for any damages whatsoever arising out of or in connection with
    the use or spread of this information. Any use of this information is at the
    user's own risk.

    Feedback
    Please send suggestions, updates, and comments to:

    eEye Digital Security
    mail: info@eEye.com
    http://www.eEye.com

    _____________________________________________________________________
    ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
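A defender reading this advisory mostly wants to know whether anyone has been hitting the two FrontPage components it names. The script below is an added example, not part of the original post or of eEye's exploit files: it parses IIS 4/5 W3C extended log lines (the `#Fields:` header drives the column mapping, so the field order does not have to be guessed), flags every request whose URI stem targets `/_vti_bin/shtml.dll/_vti_rpc` or `/_vti_bin/_vti_aut/author.dll` regardless of letter case (IIS paths are case-insensitive), and counts hits per client address. The log lines embedded in `SAMPLE_LOG` are constructed for the example.

```python
"""Flag requests to the two FrontPage components named in the eEye advisory
in IIS W3C extended log data.  Added example; the log lines in SAMPLE_LOG are
constructed, not taken from the advisory or from any real server."""
from typing import Dict, Iterable, Iterator, List

# The two paths the advisory identifies as the vulnerable FrontPage pieces.
FRONTPAGE_RPC_PATHS = (
    "/_vti_bin/shtml.dll/_vti_rpc",
    "/_vti_bin/_vti_aut/author.dll",
)

# Constructed sample in IIS 5 W3C extended format (assumption: field order as
# declared in the #Fields: directive, which real IIS logs always emit).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-01-03 10:49:35
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-01-03 10:49:35 10.0.0.5 GET /default.htm - 200
2001-01-03 10:49:36 10.0.0.5 POST /_vti_bin/shtml.dll/_vti_rpc - 200
2001-01-03 10:49:37 192.0.2.7 POST /_VTI_BIN/_vti_aut/AUTHOR.DLL - 500
2001-01-03 10:49:38 10.0.0.5 GET /images/logo.gif - 304
2001-01-03 10:49:39 192.0.2.7 POST /_vti_bin/shtml.dll/_vti_rpc - 200
""".splitlines()


def parse_iis_log(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names from #Fields:."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names follow the directive
            continue
        if line.startswith("#"):
            continue                    # #Software, #Version, #Date, ...
        values = line.split()
        if not fields or len(values) != len(fields):
            continue                    # record before any header, or malformed
        yield dict(zip(fields, values))


def is_frontpage_rpc_target(uri_stem: str) -> bool:
    """True if the URI stem addresses either vulnerable component.

    IIS resolves paths case-insensitively, so the comparison is lower-cased.
    A prefix match also catches extra path-info appended after author.dll.
    """
    stem = uri_stem.lower()
    return any(stem.startswith(path) for path in FRONTPAGE_RPC_PATHS)


def find_frontpage_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return every record that targets one of the FrontPage components."""
    return [
        record for record in parse_iis_log(lines)
        if is_frontpage_rpc_target(record.get("cs-uri-stem", ""))
    ]


def hits_by_client(lines: Iterable[str]) -> Dict[str, int]:
    """Count flagged requests per client IP (c-ip field)."""
    counts: Dict[str, int] = {}
    for record in find_frontpage_requests(lines):
        counts[record["c-ip"]] = counts.get(record["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for record in find_frontpage_requests(SAMPLE_LOG):
        print(record["date"], record["time"], record["c-ip"],
              record["cs-method"], record["cs-uri-stem"], record["sc-status"])
    print("hits per client:", hits_by_client(SAMPLE_LOG))
```

On a server where FrontPage has been removed as the advisory recommends, every such request is by definition unexpected, so a non-zero count per client is worth a look; on a server that still legitimately uses FrontPage authoring, the interesting signal is a client that is not a known author workstation, or a burst of POSTs followed by the 500-series errors and the inetinfo.exe outage the advisory describes.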