Tutorial - Potentially Vulnerable FrontPage RAD Extensions

Potentially Vulnerable FrontPage RAD Extensions

Impact

Due to an unchecked buffer in the IIS FrontPage RAD extensions, a maliciously crafted HTTP request to fp30reg.dll containing approximately 258 bytes will allow the execution of arbitrary code. The DLL may be found on IIS 4/5 running on Windows 2000 and Windows NT.

Background

Microsoft FrontPage Remote Application Deployment (RAD) uses the fp30reg.dll library to formulate and submit commands to the FrontPage extensions. An unchecked buffer in the DLL will allow the execution of arbitrary code. Typically a web server would stop responding in a buffer overflow condition; however, once Windows 2000 detects an unresponsive web server it automatically performs a restart. Therefore, the administrator will be unaware of this attack.

Note that this DLL is not loaded by default and requires specific action by the Web administrator for its installation.
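
A log check for the behaviour described above, as an added example that is not part of the original advisory: it scans an IIS W3C extended log for requests naming fp30reg.dll and records whether a later service-start header block appears in the same file. The sample log, its paths and its addresses are constructed, and the code assumes that IIS writes a fresh `#Fields` header each time the service starts.

```python
TARGET = "fp30reg.dll"  # library named in the advisory; matched on file name only

# Constructed sample of an IIS W3C extended log (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-07-01 10:00:01 192.0.2.10 GET /default.htm 200
2001-07-01 10:00:05 192.0.2.44 GET /constructed/fp30reg.dll 404
2001-07-01 10:02:11 198.51.100.7 POST /constructed/FP30REG.DLL 200
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-07-01 10:02:40 192.0.2.10 GET /default.htm 200
"""

def scan(log_text):
    """Return (hits, restarts): requests naming TARGET, and the line numbers
    of every #Fields header after the first one."""
    fields, hits, restarts, seen_header = [], [], [], False
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]        # column layout may change here
            if seen_header:
                # Assumption: a repeated header block marks a service start.
                restarts.append(lineno)
            seen_header = True
            continue
        if not line.strip() or line.startswith("#"):
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower().endswith(TARGET):
            hits.append({"line": lineno, "client": row.get("c-ip"),
                         "status": row.get("sc-status")})
    for hit in hits:
        # A silent restart after the request is the symptom the advisory warns about.
        hit["restart_follows"] = any(r > hit["line"] for r in restarts)
    return hits, restarts

def triage(hit):
    """Map a hit to the follow-up an administrator should take."""
    if hit["status"] == "404":
        return "probe: DLL not reachable at this path"
    return "DLL reachable: confirm the patch from Bulletin MS01-035 is applied"

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG)[0]:
        print(hit["line"], hit["client"], hit["status"],
              "restart-follows" if hit["restart_follows"] else "-", triage(hit))
```

A request that takes the server down may never be written to the log, so a repeated header block with no preceding fp30reg.dll entry still deserves a look.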

Resolution

Microsoft has released a patch which rectifies the issue on the Index services buffer overflow at Bulletin MS01-035.

Reference: NSfocus SA2001-03.