Buffer Overrun in Microsoft FrontPage Server Extensions Could Allow Code Execution (Technical Details, MS03-051)
12 Nov. 2003
Summary
This bulletin addresses two new security vulnerabilities in Microsoft FrontPage Server Extensions, the more serious of which could enable an attacker to run arbitrary code on an affected system.
The first vulnerability exists because of a buffer overrun in the remote debug functionality of FrontPage Server Extensions. This functionality enables users to connect remotely to a server running FrontPage Server Extensions and debug content using, for example, Visual InterDev. An attacker who successfully exploited this vulnerability could run code with Local System privileges on an affected system, or could cause FrontPage Server Extensions to fail. The attacker could then take any action on the system, including installing programs; viewing, changing or deleting data; or creating new accounts with full privileges.
The second vulnerability is a Denial of Service vulnerability in the SmartHTML interpreter. This functionality is made up of a number of dynamic link library files and exists to support certain types of dynamic web content. An attacker who successfully exploited this vulnerability could cause a server running FrontPage Server Extensions to temporarily stop responding to requests.
Credit:
The information has been provided by Brett Moore.
Affected Software:
* Microsoft Windows 2000 Service Pack 2, Service Pack 3
* Microsoft Windows XP, Microsoft Windows XP Service Pack 1
* Microsoft Office XP, Microsoft Office XP Service Release 1
Non Affected Software:
* Microsoft Windows Millennium Edition
* Microsoft Windows NT Workstation 4.0, Service Pack 6a
* Microsoft Windows NT Server 4.0, Service Pack 6a
* Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server 2003 (Windows SharePoint Services)
* Microsoft Windows Server 2003 64-Bit Edition (Windows SharePoint Services)
* Microsoft Office System 2003
Mitigating factors:
* Windows 2000 systems on which Service Pack 4 has been applied are not affected by these vulnerabilities
* Windows XP does not have FrontPage Server Extensions installed by default
* Windows NT 4.0 does not have FrontPage Server Extensions installed by default unless the Windows NT 4.0 Option Pack has been applied
Patches:
* Microsoft FrontPage Server Extensions 2000 - Download the update
* Microsoft FrontPage Server Extensions 2000 (Shipped with Windows 2000) - Download the update
* Microsoft FrontPage Server Extensions 2000 (Shipped with Windows XP) - Download the update
* Microsoft FrontPage Server Extensions 2002 - Download the update
* Microsoft SharePoint Team Services 2002 (shipped with Office XP) - Download the update
Workarounds:
Microsoft has tested the following workarounds that apply across all the vulnerabilities. These workarounds help block known attack vectors, however they will not correct the underlying vulnerabilities. Workarounds may reduce functionality in some cases; in such cases, the reduction in functionality is identified below.
Customers can use the IIS Lockdown Tool to disable FrontPage Server Extensions on an IIS Server.
In addition, FrontPage Server Extensions administrators can uninstall FrontPage Server Extensions from Add or Remove Programs:
1. From the Start button, choose Control Panel.
2. Select Add or Remove programs.
3. Select Add/Remove Windows Components.
4. Select "Internet Information Services (IIS)" and choose "Details".
5. Uncheck "FrontPage 2000 Server Extensions" and choose OK.
6. Choose Next in the Windows Components Wizard and choose Finish.
Impact of workaround:
With FrontPage Server Extensions uninstalled or disabled, web page and server functionality that relies on them will be unavailable or will not operate as expected.
Technical details:
Sending a chunked-encoded POST to fp30reg.dll causes an access violation, which produces the following event log entry:
------------------------------------------------------------------------
Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 37
Description:
Out of process application '/LM/W3SVC/1/ROOT' terminated unexpectedly.
------------------------------------------------------------------------
A chunked-encoded POST gives the attacker control of ECX and EDI, with the exception occurring at a mov dword ptr [ECX+4],EDI instruction (an attacker-controlled write to an attacker-controlled address). This leads to remote command execution with the privileges of the IWAM_machinename account: as the event log entry above shows, fp30reg.dll is hosted here by the out-of-process application '/LM/W3SVC/1/ROOT', which runs under that account rather than as Local System.
Chunked Transfer-Encoding POST:
POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1
Transfer-Encoding: chunked
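The crash signature above (a POST to /_vti_bin/_vti_aut/fp30reg.dll followed by W3SVC Event ID 37) can be hunted for in existing logs. The following script is an added example, not part of the original advisory or of any Microsoft tooling: it parses IIS W3C extended log lines, picks out every request to fp30reg.dll, and attributes each "out of process application terminated unexpectedly" event to the most recent such request that preceded it within a short window. Both the log lines and the event export are constructed for the example; the field layout, the comma-separated event export format and the 5-second window are assumptions. Note that the W3C log does not record request headers, so Transfer-Encoding: chunked itself is not visible; the correlation with the crash event is what makes a hit credible.

```python
"""Hunt for MS03-051 (fp30reg.dll) exploitation attempts in IIS logs.

Added example: correlates W3C extended log requests against W3SVC
Event ID 37 entries. Sample data below is constructed, not captured.
"""
from datetime import datetime, timedelta

# Constructed IIS 5.0 W3C extended log excerpt (not from the advisory).
# W3C logs write spaces inside a field as '+', so whitespace splitting is safe.
IIS_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-11-12 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-11-12 10:00:01 10.0.0.5 GET /default.htm - 200 Mozilla/4.0+(compatible)
2003-11-12 10:00:07 10.0.0.9 POST /_vti_bin/_vti_aut/fp30reg.dll - 500 -
2003-11-12 10:00:09 10.0.0.9 POST /_VTI_BIN/_vti_aut/FP30REG.DLL - 500 -
2003-11-12 10:05:00 10.0.0.5 POST /_vti_bin/shtml.dll/default.htm - 200 Mozilla/4.0+(compatible)
2003-11-12 10:30:00 10.0.0.7 GET /_vti_bin/_vti_aut/fp30reg.dll - 200 -
"""

# Constructed event log export: Source,EventID,Time,Description (assumed format).
EVENTS = """W3SVC,37,2003-11-12 10:00:08,Out of process application '/LM/W3SVC/1/ROOT' terminated unexpectedly.
W3SVC,37,2003-11-12 10:00:10,Out of process application '/LM/W3SVC/1/ROOT' terminated unexpectedly.
"""

FP30REG = "/_vti_bin/_vti_aut/fp30reg.dll"
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_w3c(text):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["_ts"] = datetime.strptime(rec["date"] + " " + rec["time"], TS_FMT)
        records.append(rec)
    return records


def parse_events(text):
    """Parse the constructed Source,ID,Time,Description event export."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        source, event_id, ts, desc = line.split(",", 3)
        events.append({"source": source, "id": int(event_id),
                       "_ts": datetime.strptime(ts, TS_FMT), "desc": desc})
    return events


def fp30reg_requests(records):
    """All requests to fp30reg.dll. IIS paths are case-insensitive, so
    compare lower-cased; a GET is a probe, a POST is the crash vector."""
    return [r for r in records if r["cs-uri-stem"].lower() == FP30REG]


def correlate(requests, events, window=timedelta(seconds=5)):
    """Attribute each W3SVC Event ID 37 crash to the most recent fp30reg.dll
    request that preceded it within `window`. Assumes both sources use the
    same clock; by default IIS W3C logs are in UTC and the event log is local."""
    pairs = []
    for crash in (e for e in events if e["source"] == "W3SVC" and e["id"] == 37):
        candidates = [r for r in requests
                      if timedelta(0) <= crash["_ts"] - r["_ts"] <= window]
        if candidates:
            pairs.append((max(candidates, key=lambda r: r["_ts"]), crash))
    return pairs


if __name__ == "__main__":
    hits = fp30reg_requests(parse_w3c(IIS_LOG))
    for req, crash in correlate(hits, parse_events(EVENTS)):
        print(f"{req['c-ip']} {req['cs-method']} {req['cs-uri-stem']} at "
              f"{req['time']} -> Event 37 at {crash['_ts'].time()}")
```

Run against real data, export the W3C logs and the System event log to the formats above (or adapt the two parsers), and widen the window if the server was heavily loaded; a POST to fp30reg.dll with no crash within the window may still be a failed attempt and is worth reviewing.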
There are many different ways to exploit this malloc/free scenario, so instead of the usual SEH redirect to a JMP instruction, we took a two-step approach for higher reliability.
At the first exception we are in control of ECX and EDI, which lets us write our JMP instruction to a known writeable address. This write does not itself cause an exception, and execution continues to a CALL instruction that takes its target from a value in our buffer; that CALL is used to reach the JMP instruction.