[NT] Buffer Overrun in SmartHTML Interpreter Could Allow Code Execution
From: support@securiteam.com Date: 09/26/02
From: support@securiteam.com To: list@securiteam.com Date: Thu, 26 Sep 2002 11:47:16 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Buffer Overrun in SmartHTML Interpreter Could Allow Code Execution
------------------------------------------------------------------------
SUMMARY
The SmartHTML Interpreter (shtml.dll) is part of the FrontPage Server
Extensions (FPSE), and provides support for web forms and other
FrontPage-based dynamic content. The interpreter contains a flaw that
could be exposed when processing a request for a particular type of web
file, if the request had certain specific characteristics. This flaw
affects the two versions of FrontPage Server Extensions differently. On
FrontPage Server Extensions 2000, such a request would cause the
interpreter to consume most or all CPU availability until the web service
was restarted. An attacker could use this vulnerability to conduct a
denial of service attack against an affected web server. On FrontPage
Server Extensions 2002, the same type of request could cause a buffer
overrun, potentially allowing an attacker to run code of his choice.
DETAILS
Affected Software:
* Microsoft FrontPage Server Extensions 2000
* Microsoft FrontPage Server Extensions 2002
* Microsoft Windows 2000 (shipped FPSE 2000)
* Microsoft Windows XP (shipped FPSE 2000)
Mitigating factors:
* The IIS Lockdown Tool, if used to configure a static web server,
disables the SmartHTML Interpreter. Servers on which this has been done
could not be affected by the vulnerability.
* FrontPage Server Extensions install on IIS 4.0, 5.0 and 5.1 by default,
but can be uninstalled if desired. Servers on which this has been done
could not be affected by the vulnerability.
Patch availability:
Download locations for this patch
* Microsoft FrontPage Server Extensions 2002 for all platforms:
http://download.microsoft.com/download/FrontPage2002/fpse1002/1/W98NT42KMeXP/EN-US/fpse1002.exe
* Microsoft FrontPage Server Extensions 2000 for NT4:
http://download.microsoft.com/download/fp2000fd2000/Patch/1/W9XNT4Me/EN-US/fpse0901.exe
* Microsoft FrontPage Server Extensions 2000 for Windows XP: Windows Update
* Microsoft FrontPage Server Extensions 2000 for Windows 2000: Windows Update
What is the scope of the vulnerability?
This is a denial of service and buffer overrun vulnerability. It affects
FrontPage Server Extensions 2000 and 2002 differently. With FrontPage
Server Extensions 2000, the flaw could cause most CPU availability to be
consumed until the web service is restarted. An attacker could use this
vulnerability to conduct a denial of service attack against an affected
web server. With FrontPage Server Extensions 2002, the same flaw in the
interpreter causes a buffer overrun, potentially allowing an attacker to
run code of his choice.
Web site administrators who have used the IIS Lockdown Tool to configure
their servers as static web servers are already protected against attacks
that would attempt to exploit the vulnerability.
What causes the vulnerability?
The vulnerability results because of a flaw in the FrontPage Server
Extensions SmartHTML interpreter. The interpreter can enter a mode in
which it consumes all CPU availability on a web server using FrontPage
Server Extensions 2000 or can result in a buffer overrun in FrontPage
Server Extensions 2002, if it receives a request for a particular type of
web file, along with some specific parameters.
What are the FrontPage Server Extensions?
FrontPage Server Extensions (FPSE) is a set of tools that can be installed
on a FrontPage-based web site. They serve two basic functions: to allow
authorized personnel to manage the server, add or change content, and
perform other tasks; and to add functions that are frequently used by web
pages, such as search and forms support.
FPSE installs by default as part of IIS 4.0, 5.0 and 5.1. However, it can
be uninstalled if desired. Microsoft has long recommended that web
administrators uninstall FPSE if not needed.
What is the SmartHTML interpreter?
The SmartHTML interpreter, shtml.dll, is part of FPSE, and supports
certain types of dynamic web content. For instance, using SmartHTML, a web
developer can build a web page that relies on FrontPage features, but not
actually have those features embedded within the page until a user
requests it.
For example, a web developer might want to embed the current date and time
in a web page. In order to do that, the developer might use one of the
WebBot components that come with FrontPage. A WebBot component gives an
author CGI capabilities without writing CGI applications. The web page
author inserts a WebBot into an HTML page. What actually is inserted is a
specially formatted HTML comment. A WebBot comment looks like a standard
HTML comment with special notation that identifies the WebBot and its
properties. You set the property values from a dialog box when the WebBot
is inserted. Each WebBot has its own dialog. Microsoft calls the WebBot
notation SmartHTML, and HTML pages containing that notation SmartHTML pages.
A WebBot is "executed" when the FrontPage Editor saves the HTML page. A
FrontPage Server Extension app scans the page for embedded WebBot
components and replaces them with standard HTML text. Because of this
scanning process, a new page is created containing the standard HTML text
generated from the WebBot components and the web visitor sees the date and
time rendered on the web page.
What is wrong with the SmartHTML interpreter?
If a request for a certain type of web file is made in a particular way,
it could have the effect on a web server using FrontPage Server Extensions
2000 of causing the SmartHTML interpreter to cycle endlessly, consuming
all of the server's CPU availability and preventing the server from
performing useful work. On a web server using FrontPage Server Extensions
2002, this same type of request could have the effect of causing a buffer
overrun and potentially allowing an attacker to run malicious code on that
server.
What could an attacker do via this vulnerability?
In the case of FrontPage Server Extensions 2000, an attacker could use
this vulnerability to monopolize a server and prevent legitimate users
from being able to use the web server. In the case of FrontPage Server
Extensions 2002, an attacker could potentially cause a buffer overrun on
the web server.
How might an attacker exploit the vulnerability?
The attack itself would only require that the attacker levy a particular
type of request on the SmartHTML interpreter. Upon attempting to process
the request (in the case of FrontPage Server Extensions 2000), the
interpreter would begin to "freewheel", and would continue to do so until
the administrator stopped and restarted the web service. In some cases, it
might be necessary to reboot the system in order to do this. In the case
of FrontPage Server Extensions 2002, the request could cause a buffer
overrun in the interpreter and allow code of the attacker's choice to run
in the context of the interpreter.
If an attacker exploited the buffer overrun in FrontPage Server Extensions
2002, in what context would the hostile code run?
In the case of the buffer overrun in FrontPage Server Extensions 2002, the
malicious code would run as system, even though getting to system would
take a convoluted exploit. Nonetheless, it is possible that an attacker
could create such an exploit and be running as system.
What steps could an administrator take to protect against the
vulnerability?
Of course, the simplest way to eliminate the vulnerability is to install
the patch. However, even if the patch were not installed, a server would
not be at risk if FPSE had been uninstalled, or if the SmartHTML
interpreter were not in use. For instance, the IIS Lockdown Tool, if used
to configure a static web server, disables the interpreter.
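To tell whether the SmartHTML interpreter is actually in use before relying on the uninstall or IIS Lockdown mitigation, an administrator can scan the IIS W3C extended logs for requests that reach shtml.dll. The following Python script is an added example, not part of the advisory or of any Microsoft tool; the log lines, client addresses and the /_vti_bin/shtml.dll URI paths in it are constructed samples.

```python
# Report which clients reach the SmartHTML interpreter (shtml.dll) in
# IIS W3C extended logs, so an administrator can confirm the interpreter
# is unused before disabling it.
from collections import defaultdict

# Constructed sample log lines in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-09-26 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-09-26 09:01:12 10.0.0.5 GET /default.htm - 200
2002-09-26 09:01:15 10.0.0.5 POST /_vti_bin/shtml.dll/feedback.htm - 200
2002-09-26 09:02:40 10.0.0.9 GET /_vti_bin/shtml.dll/guestbook.htm - 200
2002-09-26 09:02:41 10.0.0.9 GET /_vti_bin/shtml.dll/guestbook.htm - 200
2002-09-26 09:02:42 10.0.0.9 GET /_vti_bin/shtml.dll/guestbook.htm - 200
2002-09-26 09:03:00 10.0.0.7 GET /images/logo.gif - 200
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("record before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip truncated or malformed record
        yield dict(zip(fields, values))

def shtml_hits(text, target="shtml.dll"):
    """Return {client_ip: (hit_count, sorted distinct URI stems)} for every
    request whose cs-uri-stem names the SmartHTML interpreter."""
    counts = defaultdict(int)
    stems = defaultdict(set)
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if target in stem.lower():
            ip = rec.get("c-ip", "?")
            counts[ip] += 1
            stems[ip].add(stem)
    return {ip: (counts[ip], sorted(stems[ip])) for ip in counts}

if __name__ == "__main__":
    for ip, (n, uris) in sorted(shtml_hits(SAMPLE_LOG).items()):
        print(f"{ip}: {n} request(s) to SmartHTML -> {', '.join(uris)}")
```

A client that keeps hitting shtml.dll while the server's CPU is pinned is the symptom the advisory describes for FPSE 2000; an empty report over a representative log window supports removing the interpreter.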
How does the patch eliminate the vulnerability?
The patch causes the SmartHTML interpreter to reject the requests at issue
here, as they are not valid requests.
ADDITIONAL INFORMATION
The information has been provided by Microsoft Product Security
(secure@microsoft.com).