[NT] Buffer Overrun in Microsoft FrontPage Server Extensions Could Allow Code Execution (Technical Details, MS03-051)

From: SecuriTeam (support_at_securiteam.com)
Date: 11/12/03

    To: list@securiteam.com
    Date: 12 Nov 2003 19:58:31 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

    Buffer Overrun in Microsoft FrontPage Server Extensions Could Allow Code Execution (Technical Details, MS03-051)
    ------------------------------------------------------------------------

    SUMMARY

    This bulletin addresses two new security vulnerabilities in Microsoft
    FrontPage Server Extensions, the most serious of which could enable an
    attacker to run arbitrary code on a user's system.

    The first vulnerability exists because of a buffer overrun in the remote
    debug functionality of FrontPage Server Extensions. This functionality
    enables users to remotely connect to a server running FrontPage Server
    Extensions and remotely debug content using, for example, Visual Interdev.
    An attacker who successfully exploited this vulnerability could run code
    with Local System privileges on an affected system, or could cause
    FrontPage Server Extensions to fail. The attacker could then take any
    action on the system, including installing programs; viewing, changing
    or deleting data; or creating new accounts with full privileges.

    The second vulnerability is a Denial of Service vulnerability that exists
    in the SmartHTML interpreter. This functionality is made up of a variety
    of dynamic link library files, and exists to support certain types of
    dynamic web content. An attacker who successfully exploited this
    vulnerability could cause a server running FrontPage Server Extensions to
    temporarily stop responding to requests.

    DETAILS

    Affected Software:
     * Microsoft Windows 2000 Service Pack 2, Service Pack 3
     * Microsoft Windows XP, Microsoft Windows XP Service Pack 1
     * Microsoft Office XP, Microsoft Office XP Service Release 1

    Non-Affected Software:
     * Microsoft Windows Millennium Edition
     * Microsoft Windows NT Workstation 4.0, Service Pack 6a
     * Microsoft Windows NT Server 4.0, Service Pack 6a
     * Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
     * Microsoft Windows 2000 Service Pack 4
     * Microsoft Windows XP 64-Bit Edition Version 2003
     * Microsoft Windows Server 2003 (Windows SharePoint Services)
     * Microsoft Windows Server 2003 64-Bit Edition (Windows SharePoint Services)
     * Microsoft Office System 2003

    Mitigating factors:
     * Administrators who have applied Service Pack 4 to Windows 2000 systems are not affected by these vulnerabilities.
     * Windows XP does not have FrontPage Server Extensions installed by default.
     * Windows NT 4.0 does not have FrontPage Server Extensions installed by default unless the Windows NT 4.0 Option Pack has been applied.

    Patches:
     * Microsoft FrontPage Server Extensions 2000 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=C84C3D10-A821-4819-BF58-D3BC70A77BFA&displaylang=en> Download the update
     * Microsoft FrontPage Server Extensions 2000 (Shipped with Windows 2000) -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=057D5F0E-0E2B-47D2-9F0F-3B15DD8622A2&displaylang=en> Download the update
     * Microsoft FrontPage Server Extensions 2000 (Shipped with Windows XP) -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=9B302532-BFAB-489B-82DC-ED1E49A16E1C&displaylang=en> Download the update
     * Microsoft FrontPage Server Extensions 2002 -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=3E8A21D9-708E-4E69-8299-86C49321EE25&displaylang=en> Download the update
     * Microsoft SharePoint Team Services 2002 (shipped with Office XP) -
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=5923FC2F-D786-4E32-8F15-36A1C9E0A340&displaylang=en> Download the update

    Workarounds:
    Microsoft has tested the following workarounds, which apply across all the
    vulnerabilities. These workarounds help block known attack vectors;
    however, they do not correct the underlying vulnerabilities. Workarounds
    may reduce functionality in some cases; where they do, the reduction in
    functionality is identified below.

    Customers can use the IIS Lockdown Tool to disable FrontPage Server
    Extensions on an IIS server.
    In addition, FrontPage Server Extensions administrators can uninstall
    FrontPage Server Extensions from Add or Remove Programs:

    1. From the Start button, choose Control Panel.
    2. Select Add or Remove programs.
    3. Select Add/Remove Windows Components.
    4. Select "Internet Information Services (IIS)" and choose "Details".
    5. Uncheck "FrontPage 2000 Server Extensions" and choose OK.
    6. Choose Next in the Windows Components Wizard and choose Finish.

    Impact of workaround:
    With FrontPage Server Extensions uninstalled or disabled, web page and
    server functionality that relies on them will be unavailable or will not
    operate as expected.

    Technical details:
    Sending a chunked-encoded POST to fp30reg.dll causes an access violation,
    which produces the following entry in the event log.
    ------------------------------------------------------------------------
    Event Type: Warning
    Event Source: W3SVC
    Event Category: None
    Event ID: 37
    Description:
    Out of process application '/LM/W3SVC/1/ROOT' terminated unexpectedly.
    ------------------------------------------------------------------------

    A chunked-encoded POST gives control of ECX and EDI, with the exception
    occurring at a mov dword ptr [ECX+4],EDI instruction; this leads to remote
    command execution with the privileges of the IWAM_machinename account.

    Chunked Transfer-Encoding Post:
    POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1
    Transfer-Encoding: chunked

    PostLength
    PostData
    0

    Vulnerable code (ASM):
     67D46AD3 mov ecx,dword ptr [ebx+edx+8]
     67D46AD7 mov edi,dword ptr [ebx+edx+4]
     67D46ADB mov dword ptr [ecx+4],edi

    There are many different ways to exploit this malloc/free scenario, so
    instead of the usual SEH redirect to a JMP instruction, we took a two-step
    approach for higher reliability.

    At the first exception error we are in control of ECX and EDI, allowing us
    to write our JMP instruction to a known writeable space. This does not
    cause an exception, and execution flow continues through to a CALL
    instruction that uses a value from our buffer. We use this CALL to reach
    our JMP instruction.
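    The following Python is an added example written for this page; it is not
    code from the advisory, from Microsoft or from the original researcher. It
    shows the defender's side of the technical details above: a check that
    flags the request shape named in the advisory (a chunked POST aimed at
    fp30reg.dll) in raw request text, a strict chunked-body decoder that
    validates every chunk-size field and enforces an upper bound before
    copying, which is the handling the vulnerable DLL lacked, and a matcher
    for the W3SVC Event ID 37 entry shown in the log excerpt. The 64 KiB body
    cap and all sample requests and log text are constructed assumptions, not
    values from the advisory.

```python
"""Defensive checks for the chunked-POST crash path in MS03-051.

Added example, not from the advisory. Sample inputs are constructed.
"""
import re
from typing import Optional

# Request target named in the advisory.
FP30REG_PATH = "/_vti_bin/_vti_aut/fp30reg.dll"

# Assumption: a 64 KiB cap is a reasonable ceiling for this endpoint.
MAX_BODY = 64 * 1024


def is_risky_request(raw_request: str) -> bool:
    """True for a POST to fp30reg.dll carrying Transfer-Encoding: chunked,
    the combination the advisory says triggers the access violation."""
    head, _, _ = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or parts[0].upper() != "POST":
        return False
    path = parts[1].split("?", 1)[0].lower()
    chunked = any(
        name.strip().lower() == "transfer-encoding" and "chunked" in value.lower()
        for name, _, value in (line.partition(":") for line in lines[1:])
    )
    return path.endswith("fp30reg.dll") and chunked


def decode_chunked(body: bytes, max_body: int = MAX_BODY) -> bytes:
    """Strict chunked-body decoder.

    Every chunk-size field must be 1-8 hex digits, the running total is
    checked against max_body BEFORE the chunk is copied, and a truncated
    chunk is an error rather than a short read.
    """
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise ValueError("missing chunk-size line")
        size_field = body[pos:end].split(b";", 1)[0].strip()  # drop extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]{1,8}", size_field):
            raise ValueError("bad chunk size %r" % size_field)
        size = int(size_field, 16)
        pos = end + 2
        if size == 0:
            return bytes(out)  # last-chunk; trailers are ignored here
        if len(out) + size > max_body:
            raise ValueError("chunked body exceeds %d bytes" % max_body)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated chunk")
        out += chunk
        pos += size + 2


def chunked_error(body: bytes, max_body: int = MAX_BODY) -> Optional[str]:
    """Return the decoder's rejection reason, or None if the body is accepted."""
    try:
        decode_chunked(body, max_body)
    except ValueError as exc:
        return str(exc)
    return None


# Matches the W3SVC warning shown in the advisory's log excerpt.
W3SVC_OOP_CRASH = re.compile(
    r"Event Source:\s*W3SVC.*?Event ID:\s*37.*?terminated unexpectedly", re.S
)


def is_oop_crash_event(event_text: str) -> bool:
    """True if the text is an Event ID 37 out-of-process application crash."""
    return W3SVC_OOP_CRASH.search(event_text) is not None


# Constructed samples (benign; no real payload).
SAMPLE_RISKY = (
    "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "Transfer-Encoding: chunked\r\n\r\n"
)
SAMPLE_BENIGN = "GET /default.htm HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
SAMPLE_EVENT = (
    "Event Type: Warning\nEvent Source: W3SVC\nEvent Category: None\n"
    "Event ID: 37\nDescription:\n"
    "Out of process application '/LM/W3SVC/1/ROOT' terminated unexpectedly.\n"
)

if __name__ == "__main__":
    print("risky request:", is_risky_request(SAMPLE_RISKY))
    print("benign request:", is_risky_request(SAMPLE_BENIGN))
    print("decoded:", decode_chunked(b"5\r\nhello\r\n0\r\n\r\n"))
    print("oversize:", chunked_error(b"FFFFFFFF\r\n", max_body=16))
    print("crash event:", is_oop_crash_event(SAMPLE_EVENT))
```

    The request check is meant for a reverse proxy or log review, where it
    gives a high-signal indicator for servers that still run FrontPage Server
    Extensions; the decoder shows why bounding the declared length before the
    copy is the control that matters, since a huge hex size field is rejected
    without ever allocating or writing.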

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:brett.moore@security-assessment.com> Brett Moore.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ========================================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

