Security Bulletin

Microsoft Security Bulletin MS01-035 - Critical

FrontPage Server Extension Sub-Component Contains Unchecked Buffer

Published: June 21, 2001 | Updated: December 05, 2003

Version: 1.3

Summary

Who should read this bulletin:
Customers using Microsoft® Visual Studio RAD Support which is a sub-component of FrontPage® Server Extensions

Impact of vulnerability: 
Run code of attacker's choice

Recommendation: 
Customers who have installed Visual Studio RAD Support should install the patch.

Affected Software:

  • Microsoft Visual Studio RAD Support in FrontPage Server Extensions

General Information

Technical details

Technical description:

FrontPage Server Extensions ship as part of IIS 4.0 and 5.0, and facilitate the development of Web sites and Web-based applications. FrontPage Server Extensions includes an additional, optional sub-component called Visual Studio RAD (Remote Application Deployment) Support. This sub-component allows Visual InterDev 6.0 users to register and unregister COM objects on an IIS 4.0 or 5.0 Server. This sub-component contains an unchecked buffer in a section that processes input information.

An attacker could exploit this vulnerability against any server with this sub-component installed by establishing a web session with the server and passing a specially malformed packet to the server component. The attacker could use that packet to load code of his choice for execution on the server. An attack that exploits this vulnerability would execute in the IUSR_machinename context (see Q142868). However, it is possible under certain circumstances to execute code in the IWAM_machinename or SYSTEM context.

It is important to note that this feature is not installed by default with FPSE. It is also not installed by default on either IIS 4.0 or 5.0. Also, when the feature is selected during installation, a warning message is raised alerting the administrator that this feature should not be installed on production machines, especially if the production machine has Internet access. This is because this feature is only intended for facilitating internal development. The administrator must acknowledge the warning to successfully install the feature.

Mitigating factors:

  • While FrontPage Server Extensions installs by default with IIS, Visual Studio RAD Deployment Support coordination is not provided with FPSE by default on an initial installation of IIS. Installation must be selected and approved by the user in charge of the server using the IIS setup process. If a user selects this sub-component during an initial installation, a warning is raised stating that this should not be installed on a production system. Users must actively acknowledge this warning to complete the installation.

Vulnerability identifier: CAN-2001-0341 

Tested Versions:

Microsoft tested Visual Studio RAD Support, which is a sub-component of FrontPage Server Extensions, on Windows NT and Windows 2000 operating systems to assess whether they are affected by this vulnerability. Previous versions are no longer supported and may or may not be affected by this vulnerability.

Frequently asked questions

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. The vulnerability could enable an attacker to run a program of his choice on the server. The program would, at the least, have the privileges associated with a user who could log onto the server at the console, and potentially could gain system-level privileges. The vulnerability could only be exploited if a particular sub-component were installed on the server. The sub-component is not installed by default, and in order to install it, the system administrator would need to acknowledge a warning dialogue that points out that the component is not appropriate for installation on a production machine.

What causes the vulnerability?
The vulnerability results because of an unchecked buffer in a subcomponent of FrontPage Server Extensions called the Visual InterDev RAD Remote Deployment Support sub-component. A specially-malformed packet could exploit this vulnerability and execute code on the server.

What are FrontPage Server Extensions?
FrontPage Server Extensions (FPSE) are software components that run on an IIS 4.0 or 5.0 web server. FPSE comes with Office 2000/Office XP, with Windows Server 2000 and Windows Advanced Server 2000. It can be installed to run on Windows NT 4.0, Windows Server 2000 or Windows Advanced Server 2000 and it enables the development of web sites using FrontPage and Visual InterDev. FPSE can be downloaded from here. It is important to note that while the sub-component affected by the vulnerability is a part of FrontPage Server Extensions, it is actually installed through the IIS 4.0 or IIS 5.0 setup routines. IIS 4.0 is installed from the Windows NT 4.0 Option Pack and IIS 5.0 is installed with Windows 2000.

What's Visual InterDev?
Visual InterDev is a web development tool that lets users quickly develop sophisticated web applications that bind databases, programs and web content together. It's a member of the Visual Studio family of tools.

What is Visual InterDev RAD Remote Deployment Support?
Visual InterDev RAD Remote Deployment Support is a sub-component of FrontPage Server Extensions that assists in the development of web applications via Visual InterDev by enabling COM objects to be registered on a web server. This support must be installed from the IIS setup program provided in Control Panel under "Windows Components" or from the Windows NT Option Pack 4.0 setup process.

What are COM objects, and what do you mean by registering them?
COM stands for Component Object Model, and is a technology that enables software to be built in the form of reusable components. A component typically performs a single task, and the advantage of using COM is that developers can make use of pre-written components rather than developing custom ones themselves. This makes software development faster and easier. Software components that use COM are typically referred to as COM objects. Before a COM object can be used in a web application, it must be registered. The registration process loads the object onto the machine and makes it available for use. The feature at issue in this vulnerability, Visual InterDev RAD Remote Deployment Support, is intended to make it easy for developers to register COM objects on a web server from their Visual Studio 6.0 clients.

Does this mean that the feature will only be installed if I'm using Visual Studio?
No. The feature provides support for Visual Studio, but it resides on the web server rather than the client, and can be installed by the IIS setup process regardless of whether Visual Studio is in use.

Is it installed by default?
No. The feature is not appropriate for use on production machines - it's only intended to be used on machines on which software is being developed. As discussed in Knowledge Base article Q192039, the ability to register COM components on a web server should never be made available to Internet users. Not only is the RAD Remote Deployment Support sub-component not installed by default, if the administrator chooses to install it, FPSE displays a reminder warning dialog that it's not suitable for use on an Internet-exposed server. The administrator must explicitly acknowledge the warning dialogue in order to continue with the installation.

What's wrong with the RAD Remote Deployment Support sub-component?
It contains an unchecked buffer in part of the code that processes registration requests. If an attacker sent a specially-malformed request to a server on which the RAD Remote Deployment Support had been installed, he could overrun the buffer and run code of his choice on the server.

What security context would the code run in?
The code would run in the context of the IUSR_machinename account - the anonymous user account for IIS. This would grant the attacker essentially the same privileges as those of an unprivileged user who could log onto the server at the console. He could load programs onto the server and run them, modify certain files, and execute some operating system commands. In addition, it would be possible for the attacker to take additional steps that would have the effect of gaining system-level privileges. If he successfully did this, he could take any desired actions on the server.

Would the vulnerability provide a way for an attacker to remotely register a hostile COM object and run it?
The registration feature correctly checks the credentials of the person levying a request, and only allows authorized users to register COM components. With that said, however, if an attacker exploited the unchecked buffer and gained system privileges, he would possess the needed credentials to load any software he wanted on the server, including COM objects.

I don't know whether RAD Remote Deployment Support is installed on my server. How can I tell?
To determine if the feature is installed, go to the Control Panel applet for Add/Remove Programs, and double-click. Determine your operating system and follow the steps below:

Windows NT 4.0 (All versions):

  • The Install/Uninstall tab will be selected by default.
  • If "Internet Information Server" is listed, then IIS 3.0 is installed, and this patch does not apply. However, Microsoft does not recommend using IIS 3.0 and urges customers using IIS 3.0 to upgrade to either IIS 4.0 or IIS 5.0.
  • If "Windows NT 4.0 Option Pack" is listed, then IIS 4.0 is installed.
    • Double-click the entry for Windows NT 4.0 Option Pack. Click Next on the setup screen that appears.
    • Click the Add/Remove button.
    • Scroll to the bottom of the list that appears. The next to the last entry is "Visual InterDev RAD Remote Deployment Support." If this box is checked, the sub-component is installed.

Windows 2000 (All versions):

  • Click on Add/Remove Windows Components
  • If there is a checkmark present in the checkbox next to Internet Information Server, highlight the text and click Details.
  • In the next dialog, scroll to the bottom of the list. The next to the last entry is "Visual InterDev RAD Remote Deployment Support." If this box is checked, the sub-component is installed.

RAD Remote Deployment Support is installed on my system. Can I just uninstall it rather than applying the patch?
If you've installed the sub-component, you can remove it by uninstalling. However, it is recommended that you still apply the patch to protect yourself if you decide to reinstall this feature at a later date. Once applied, the patch will ensure that the corrected component is present on your system, even if you decide to re-install the feature at a later time.

What does the patch do?
The patch eliminates the vulnerability by providing proper verification of input.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

This patch can be installed on systems running Visual Studio RAD Support in FrontPage Server Extensions in conjunction with the following operating systems:

Inclusion in future service packs:

The fix for this issue will be included in Windows 2000 Service Pack 3.

Reboot needed: Yes

Superseded patches:

None.

Verifying patch installation:

To verify that the patch has been installed on the machine, confirm the following file information and locations:

  • FP30REG.DLL
    Binary size: 94,308.

    Version: 4.0.2.5121

    Install Location: \Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\isapi\_vti_aut

  • FP4AREG.DLL
    Binary size: 94,308.

    Version: 4.0.2.5121

    Install Location: \Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin

  • FP30MSFT.DLL
    Binary size: 176,186

    Version: 4.0.2.5322

    Install Location: \Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\servsupp

  • FP4AWEL.DLL
    Binary size: 852,023

    Version: 4.0.2.5322

    Install Location: \Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin
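
The file check above can be scripted. The following PowerShell is an added example, not part of the original bulletin or any Microsoft tooling; file names, sizes, versions and sub-folders are copied from the list above, and the `$CommonFiles` parameter (defaulting to the `CommonProgramFiles` environment variable) is an assumption about where "\Program Files\Common Files" resides on the server being checked.

```powershell
# Added example: compare the four DLLs named in the bulletin against the
# binary size and version it lists. Expected values come from the bulletin.
param(
    # Assumption: the bulletin's "\Program Files\Common Files" is this folder.
    [string]$CommonFiles = $env:CommonProgramFiles
)

$base = Join-Path $CommonFiles 'Microsoft Shared\Web Server Extensions\40'

$expected = @(
    @{ Name = 'FP30REG.DLL';  Dir = 'isapi\_vti_aut'; Size = 94308;  Version = '4.0.2.5121' }
    @{ Name = 'FP4AREG.DLL';  Dir = 'bin';            Size = 94308;  Version = '4.0.2.5121' }
    @{ Name = 'FP30MSFT.DLL'; Dir = 'servsupp';       Size = 176186; Version = '4.0.2.5322' }
    @{ Name = 'FP4AWEL.DLL';  Dir = 'bin';            Size = 852023; Version = '4.0.2.5322' }
)

$results = foreach ($e in $expected) {
    $path = Join-Path (Join-Path $base $e.Dir) $e.Name

    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        # File absent: report it rather than guessing at the cause.
        [pscustomobject]@{ File = $e.Name; Status = 'Missing'; Size = $null; Version = $null; Path = $path }
        continue
    }

    $item = Get-Item -LiteralPath $path
    $vi   = $item.VersionInfo
    # Build the version from its numeric parts; the FileVersion string is
    # free-form text and its formatting varies between binaries.
    $ver  = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart

    $ok     = ($item.Length -eq $e.Size) -and ($ver -eq $e.Version)
    $status = if ($ok) { 'Match' } else { 'Mismatch' }

    [pscustomobject]@{ File = $e.Name; Status = $status; Size = $item.Length; Version = $ver; Path = $path }
}

$results | Format-Table -AutoSize

# Non-zero exit code when any file is missing or differs, for use in audits.
if ($results | Where-Object { $_.Status -ne 'Match' }) { exit 1 }
```

A "Mismatch" result only means the file differs from the values listed in this bulletin; it should be investigated rather than read as proof of either a patched or an unpatched system.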

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Acknowledgments

Microsoft thanks NSfocus (https://www.nsfocus.com) for reporting this issue to us and working with us to protect customers.

Support:

  • Microsoft Knowledge Base article Q300477 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (June 21, 2001): Bulletin Created.
  • V1.1 (August 17, 2001): Bulletin Updated to indicate that patch has been removed
  • V1.2 (February 04, 2002): Bulletin Updated with links to CFPSE 1.3 for Windows NT 4.0 and Windows 2000 SRP 1 for Windows 2000
  • V1.3 (June 13, 2003): Updated download links to Windows Update.
  • V1.4 (December 5, 2003): Updated technical details section to include ability to get IWAM_machine account under certain conditions.
