SecurityTracker.com
Category:  Application (Web Server/CGI)  >  Front Page
Vendors:  Microsoft
Microsoft FrontPage Server Extensions SmartHTML Interpreter Bugs May Let Remote Users Execute Arbitrary Code with System Privileges
SecurityTracker Alert ID:  1005287
CVE Reference:  CAN-2002-0692
Date:  Sep 25 2002
Impact:  Denial of service via network, Execution of arbitrary code via network, Root access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2000, 2002
Description:  A vulnerability was reported in a component of Microsoft FrontPage Server Extensions (FPSE). A remote user could cause denial of service conditions or could execute arbitrary code on the server, depending on the version of FPSE.

It is reported that the SmartHTML Interpreter (shtml.dll) that provides support for web forms and other FrontPage-based dynamic content contains a flaw. A remote user can create a specially crafted request for a particular type of web file that will trigger the flaw.

On FrontPage Server Extensions 2000, a remote user can cause the interpreter to consume most or all CPU availability until the web service is restarted, resulting in denial of service conditions. On FrontPage Server Extensions 2002, a remote user can trigger a buffer overflow and possibly execute arbitrary code on the server with System level privileges.

Microsoft reports that FPSE is installed on Internet Information Server (IIS) versions 4.0, 5.0 and 5.1 by default.

Microsoft credits Maninder Bharadwaj of Digital Defense Services, part of Digital GlobalSoft Ltd., for reporting this flaw.

Impact:  A remote user can cause denial of service conditions (FPSE 2000). A remote user can execute arbitrary code with System level privileges (FPSE 2002).
Solution:  Microsoft has issued the following patches:

For Microsoft FrontPage Server Extensions 2002 for all platforms:

http://download.microsoft.com/download/FrontPage2002/fpse1002/1/W98NT42KMeXP/EN-US/fpse1002.exe

For Microsoft FrontPage Server Extension 2000 for NT4:

http://download.microsoft.com/download/fp2000fd2000/Patch/1/W9XNT4Me/EN-US/fpse0901.exe

For Microsoft FrontPage Server Extensions 2000 for Windows XP, use Windows Update:

http://windowsupdate.microsoft.com

For Microsoft FrontPage Server Extensions 2000 for Windows 2000, use Windows Update:

http://windowsupdate.microsoft.com

Microsoft reports that the patch can be applied to systems running FrontPage Server Extensions 2002 or to NT, 2000, and XP systems running FrontPage Server Extensions 2000.

Microsoft reports that this issue will also be fixed in Windows 2000 SP4, Windows XP SP2, and any future service packs for FPSE 2002.

Microsoft warns users running FrontPage Server Extensions 2002 on any supported platform who have not applied the latest update that they must apply the update (Q317296) before installing this patch:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q317296

Microsoft plans to issue Knowledge Base article Q324096 regarding this issue, to be available shortly on the Microsoft Online Support web site:

http://support.microsoft.com/?scid=fh;en-us;kbhowto

Vendor URL:  www.microsoft.com/technet/security/bulletin/MS02-053.asp
Cause:  Boundary error, Exception handling error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)
Reported By:  secnotif@microsoft.com
Message History:   None.


 Source Message Contents

Date:  Wed, 25 Sep 2002 16:40:17 -0700
From:  secnotif@microsoft.com
Subject:  Microsoft Security Bulletin MS02-053: Buffer Overrun in SmartHTML Interpreter Could Allow Code Execution (Q324096)

 

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Buffer Overrun in SmartHTML Interpreter Could Allow 
              Code Execution (Q324096)
Released:   25 September 2002
Software:   FrontPage Server Extensions 2000 and 2002
Impact:     Denial of service or privilege elevation
Max Risk:   Critical
Bulletin:   MS02-053

Microsoft encourages customers to review the Security Bulletin at: 
http://www.microsoft.com/technet/security/bulletin/MS02-053.asp.
- ----------------------------------------------------------------------

Issue:
======
The SmartHTML Interpreter (shtml.dll) is part of the FrontPage 
Server Extensions (FPSE), and provides support for web forms and 
other FrontPage-based dynamic content. The interpreter contains a 
flaw that could be exposed when processing a request for a particular
type of web file, if the request had certain specific
characteristics. This flaw affects the two versions of FrontPage Server
Extensions differently. On FrontPage Server Extensions 2000, such 
a request would cause the interpreter to consume most or all CPU 
availability until the web service was restarted. An attacker could 
use this vulnerability to conduct a denial of service attack against 
an affected web server. On FrontPage Server Extensions 2002, the 
same type of request could cause a buffer overrun, potentially 
allowing an attacker to run code of his choice. 

Mitigating Factors:
====================
- - The IIS Lockdown Tool, if used to configure a static web server, 
  disables the SmartHTML Interpreter. Servers on which this has 
  been done could not be affected by the vulnerability. 
- - FrontPage Server Extensions install on IIS 4.0, 5.0 and 5.1 by 
  default, but can be uninstalled if desired. Servers on which 
  this has been done could not be affected by the vulnerability. 

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Moderate
 - Client systems: None

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the 
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-053.asp
   for information on obtaining this patch.

Acknowledgment:
===============
Microsoft thanks  Maninder Bharadwaj (digital.defense@digital.com)
of Digital GlobalSoft Ltd. for reporting this issue to us and 
working with us to protect customers. 


- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
 "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY 
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN 
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES 
SO THE FOREGOING LIMITATION MAY NOT APPLY.




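The bulletin's mitigating factors are to disable the SmartHTML Interpreter (via the IIS Lockdown Tool on static servers) or to uninstall FPSE; before doing either, it helps to know which pages are still served through shtml.dll. The following is an added example, not part of the advisory or of Microsoft's bulletin, that inventories shtml.dll requests in IIS W3C extended logs. It assumes the logs carry the `c-ip` and `cs-uri-stem` fields; the sample log and the function name are constructed for illustration.

```python
from collections import Counter

# Constructed sample in W3C Extended Log File Format (not real traffic).
# The #Fields directive reappears mid-file, as happens after a service
# restart or a logging configuration change.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-09-26 08:00:01 192.0.2.10 GET /default.htm - 200
2002-09-26 08:00:05 192.0.2.10 POST /_vti_bin/shtml.dll/contact.htm - 200
2002-09-26 08:01:10 198.51.100.7 GET /_VTI_BIN/SHTML.DLL/Contact.htm - 200
2002-09-26 08:02:00 198.51.100.7 POST /_vti_bin/shtml.dll/feedback.htm - 200
#Fields: date time c-ip cs-uri-stem sc-status
2002-09-26 09:00:00 203.0.113.5 /images/logo.gif 200
2002-09-26 09:00:02 203.0.113.5 /_vti_bin/shtml.dll/contact.htm 200
"""

INTERPRETER = "/shtml.dll"


def smarthtml_usage(log_text):
    """Return {page: Counter(client_ip)} for requests handled by shtml.dll."""
    fields = []
    usage = {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout for following rows
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                       # truncated or malformed row
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        idx = stem.find(INTERPRETER)
        if idx == -1:
            continue
        page = stem[idx + len(INTERPRETER):]
        if page and not page.startswith("/"):
            continue                       # e.g. "/shtml.dllx", a different file
        usage.setdefault(page or "(none)", Counter())[row.get("c-ip", "?")] += 1
    return usage


if __name__ == "__main__":
    for page, clients in sorted(smarthtml_usage(SAMPLE_LOG).items()):
        print(page, sum(clients.values()), "requests from", sorted(clients))
```

An empty result over a representative log window suggests the interpreter is unused and can be disabled without breaking site content; a non-empty one lists the pages to review first.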



Copyright 2002, SecurityGlobal.net LLC