NSFOCUS SA2001-03 : Microsoft FrontPage 2000 Server Extensions Buffer Overflow Vulnerability


NSFOCUS Security Advisory(SA2001-03)

Topic: Microsoft FrontPage 2000 Server Extensions Buffer Overflow Vulnerability

Release Date: 2001-6-25

CVE CAN ID : CAN-2001-0341
BUGTRAQ ID : 2841

Affected system:

Microsoft FrontPage 2000 Server Extensions, running on:

  • Microsoft IIS 4.0
  • Microsoft IIS 5.0

Impact:

The NSFOCUS security team has found a buffer overflow vulnerability in
Microsoft FrontPage 2000 Server Extensions that a remote attacker can
exploit to execute arbitrary code.

Description:

Microsoft FrontPage 2000 Server Extensions ships a Dynamic Link Library
(.DLL) file, "fp30reg.dll", that contains a buffer overflow
vulnerability. When fp30reg.dll receives a URL request parameter longer
than 258 bytes, a stack buffer overflow occurs. By exploiting this
vulnerability successfully, an attacker can remotely execute arbitrary
code on the server running MS FPSE 2000.

When fp30reg.dll receives an invalid parameter (method), it returns an
error message:

"The server is unable to perform the method [parameter provided by the user]
at this time"

This error message is stored in a fixed-length stack buffer.

fp30reg.dll calls USER32.wsprintfA() to build the return message. Because
the length of the user-supplied data is never checked, the destination
buffer can be overrun. An attacker can overwrite important memory, such as
the exception handler structure or the saved EIP, to change the program's
control flow.

The format string used by USER32.wsprintfA() is:

"<HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT IMPLEMENTED</H1>
The server is unable to perform the method <b>%s</b> at this time.</BODY>"

The format string itself is also stored on the stack, at (target buffer
address + 256 bytes), so it is overwritten as the overflow proceeds. An
attacker has to take this into account for the copy to complete.

If an attacker overwrites the buffer with random data, the IIS service
will crash. In this case IIS 5.0 restarts itself automatically, but IIS
4.0 must be restarted manually.

By exploiting this vulnerability successfully, an attacker obtains the
privileges of the IWAM_machinename account on IIS 5.0, or of the Local
SYSTEM account on IIS 4.0, by default.

Note:

There is another copy of fp30reg.dll, named fp4areg.dll, in the directory:
"\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin\"

By exploiting other vulnerabilities, such as the Unicode bug, an attacker
may be able to access this file.

Exploit:

No overflow occurs when the supplied parameter is only 258 bytes long:

$ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x258'`

<HEAD><TITLE>HTTP Error 501</TITLE></HEAD><BODY><H1>NOT IMPLEMENTED</H1>
The server is unable to perform the method <b>AAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA</b> at this time.</BODY>

When the parameter is longer than 258 bytes, a buffer overflow occurs:

$ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x259'`

<html><head><title>Error</title></head><body>The remote procedure call
failed. </body></html>

Proof of concept code for this issue is available at:
http://www.nsfocus.com/proof/fpse2000ex.c

Workaround:

Temporarily delete fp30reg.dll and fp4areg.dll, or forbid access to them.

Vendor Status:

2001.4.13 We informed Microsoft of this vulnerability.
2001.4.15 Microsoft replied that the bug had been reproduced.
2001.5.18 Microsoft supplied private patches for testing; the problem
was solved.
2001.6.21 Microsoft released security bulletin MS01-035 concerning
this flaw.

The bulletin is available at:

http://www.microsoft.com/technet/security/bulletin/MS01-035.asp

Patches are available at:

. Microsoft Windows NT 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=31038

. Microsoft Windows 2000:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=30727

Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has
assigned the name CAN-2001-0341 to this issue. This is a
candidate for inclusion in the CVE list (http://cve.mitre.org),
which standardizes names for security problems. Candidates
may change significantly before they become official CVE entries.

DISCLAIMER:

THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PERMITTED PROVIDED THAT
THE ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2001 NSFOCUS. All Rights Reserved. Terms of use.

NSFOCUS Security Team <[email protected]>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)
