Visual Interdev vulnerability
CVE 2000-0260
Impact
A buffer overflow condition in the Link View feature in Visual
Interdev could allow a remote attacker to crash the web server or
execute arbitrary commands with SYSTEM privileges.
Background
Visual Interdev is an environment for designing data-driven
web applications. The Link View feature allows the
designer to view a map of the web site with all of the links
between pages. It is installed by default with Windows NT 4 Option Pack,
Personal Web Server 95 and 98, and Frontpage 98 server extensions.
The Problem
The server-side component of the Link View feature (Dvwssr.dll)
contains a buffer overflow condition which could allow an attacker to
crash the server or execute arbitrary commands on the server.
Dvwssr.dll is located in a directory which, by default,
does not allow execute permission to normal users. However, if
the permissions have been changed to allow access by normal users,
then the server could be vulnerable.
All versions of Windows prior to Windows 2000 which have Visual Interdev
installed are affected by this vulnerability. Windows 2000 is not affected.
Resolution
If Visual Interdev is not being used to manage the web server,
then the file can be removed without any loss of functionality.
Simple delete /_vti_bin/_vti_aut/Dvwssr.dll. Otherwise,
make sure Dvwssr.dll is not accessible by normal
users. The following permissions are recommended for the
/_vti_bin/_vti_aut directory:
- administrators: full control
- system: full control
- the optional account specified at configuration time: RWXD
This vulnerability can also be removed by upgrading to Windows 2000,
or by installing Office 2000 Server Extensions or Frontpage 2000
Server Extensions.
Where can I read more about this?
For more information on this vulnerability, see
Microsoft Security Bulletin 00-025 and the corresponding
FAQ.