
Title: Frontpage Publishing DoS
Released by: eEye
Date: 3rd January 2001
Sorry for the delay in posting this.



Frontpage Publishing DoS (Denial of Service)



Release Date:

Dec 22, 2000



Systems Affected:

Default Installations of Windows NT4 IIS4 SP6 or earlier

Default Installations of Windows 2000 IIS5 SP1 or earlier



Description:

Any current NT server running IIS with Frontpage server extensions (which are installed by default) is vulnerable to a remote DoS (Denial of Service).

The vulnerability stems from Frontpage improperly handling queries to Frontpage Authoring (author.dll) modules as well as shtml calls. A remote attacker can send a malformed query to those modules that causes Frontpage to crash, which in turn brings down inetinfo.exe on Windows NT 4.0 systems. On Windows 2000 systems the vulnerability is a bit different: inetinfo.exe is not killed, it simply "freezes". You can still connect to the IIS5 web server, but any further GET/HEAD/etc. commands will not be processed. Microsoft's advisory states that IIS5 will simply restart; however, we did not experience this in our testing.

The two vulnerable pieces of Frontpage are:

/_vti_bin/shtml.dll/_vti_rpc

/_vti_bin/_vti_aut/author.dll



Example Exploit:

Sorry we didn't take the time to wrap these into click and kill exe's.

http://www.eEye.com/html/advisories/FPDOSNT4.txt

http://www.eEye.com/html/advisories/FPDOSNT4NT5.txt

Easiest if these files are opened in a word wrapped document.



Vendor Status:

Microsoft has released an advisory and patch for this vulnerability:

http://www.microsoft.com/technet/security/bulletin/ms00-100.asp

Note: A few people have recommended disabling Frontpage Web Authoring if you do not use FrontPage. Disabling Web Authoring does not fix the problem. You must completely remove Frontpage and all of its files.
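To check whether the two Frontpage paths listed in the Description are being requested on a server, and whether they still answer after a removal, the following added example (not part of the eEye advisory) scans IIS W3C extended log lines. The sample log is constructed, and treating any non-404 status as "module still present" is an assumption of this example.

```python
from collections import defaultdict
from urllib.parse import unquote

# The two Frontpage modules named in the advisory, lower-cased (IIS paths are case-insensitive).
FP_PATHS = ("/_vti_bin/shtml.dll/_vti_rpc", "/_vti_bin/_vti_aut/author.dll")

# Constructed sample in IIS W3C extended format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-01-03 10:00:01 192.0.2.10 GET /default.htm - 200
2001-01-03 10:00:05 198.51.100.7 POST /_vti_bin/shtml.dll/_vti_rpc - 200
2001-01-03 10:00:06 198.51.100.7 POST /_VTI_BIN/_vti_aut/author.dll - 200
2001-01-03 10:00:09 203.0.113.4 GET /_vti_bin/%5Fvti_aut/author.dll - 404
2001-01-03 10:00:12 192.0.2.10 GET /images/logo.gif - 200
"""

def find_frontpage_hits(log_text):
    """Return {client_ip: [(timestamp, method, path, status), ...]} for Frontpage module requests."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue                        # skip truncated or corrupt rows
        row = dict(zip(fields, cols))
        # Normalise case and percent-encoding before comparing against the module paths.
        path = unquote(row.get("cs-uri-stem", "")).lower()
        if path.startswith(FP_PATHS):
            stamp = f'{row.get("date", "")} {row.get("time", "")}'.strip()
            hits[row.get("c-ip", "?")].append(
                (stamp, row.get("cs-method", "?"), path, row.get("sc-status", "?")))
    return dict(hits)

def still_reachable(hits):
    """Clients that got a non-404 status, i.e. the module answered (assumes removed files return 404)."""
    return sorted(ip for ip, rows in hits.items() if any(status != "404" for *_, status in rows))

if __name__ == "__main__":
    found = find_frontpage_hits(SAMPLE_LOG)
    for ip, rows in found.items():
        for row in rows:
            print(ip, *row)
    print("module answered for:", still_reachable(found))
```

On a server that does not use Frontpage, any hit is worth reviewing, and a non-404 status after a supposed removal suggests the extension files are still in place.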



Copyright (c) 1998-2000 eEye Digital Security

Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.



Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.



Feedback

Please send suggestions, updates, and comments to:



eEye Digital Security

mail:info@eEye.com

http://www.eEye.com







