Microsoft FrontPage Vulnerabilities

Updated 10/22/02
CAN 1999-1376
CVE 2001-0341

Impact

A remote attacker could take control of the web site, and possibly the system as well.

Note: The red stoplight on this page indicates the highest severity level for this category of vulnerabilities. The severity level in this instance is indicated by the colored dot beside the link to this tutorial on the previous page.

Background

Web servers which include Microsoft FrontPage Server Extensions have special accounts to authenticate web server administrators, web page authors, and web site visitors. The account names and encrypted passwords are stored in FrontPage password files in the /_vti_pvt directory. The password files are named service.pwd on Microsoft web servers, and administrators.pwd, authors.pwd, and users.pwd on Netscape web servers.

FrontPage Server Extensions also include an optional subcomponent called Visual Studio Remote Application Deployment (RAD) support. This support allows Visual InterDev users to register objects on the web server.

The Problem


Buffer overflow in Visual Studio RAD support

CVE 2001-0341
Due to an unchecked buffer in the Visual Studio RAD sub-component of FrontPage Server Extensions, it could be possible for a remote attacker to execute arbitrary commands with IUSR_machinename privileges, or in some cases SYSTEM privileges. This vulnerability can only be exploited if the Visual Studio RAD sub-component is installed, which is not the case by default.


Password File Access

The FrontPage password file(s) indicated on the previous screen, next to the link to this tutorial, are readable by an unprivileged web user. An attacker could crack the encrypted passwords and gain unauthorized access to the web site. If any users' FrontPage passwords are the same as their system passwords, the system could be compromised as well.


fpcount.exe buffer overflow

10/22/02
CAN 1999-1376
The fpcount.exe utility which is installed with FrontPage Server Extensions versions prior to 98 contains a remotely exploitable buffer overflow vulnerability.

Resolutions

To fix the vulnerability in the Visual Studio RAD support, apply the patch indicated in Microsoft Security Bulletin 01-035.

To secure the FrontPage password file, set the permissions on the file(s) to be more restrictive. The exact permissions which should be used are not specified. Use the most restrictive permissions possible without denying access to legitimate users.

On Windows NT systems:

  1. Find the file in Windows Explorer
  2. Click on the file with the right mouse button
  3. Select Properties
  4. Click on the Security Tab
  5. Click on the Permissions button
  6. Change or remove permissions on the file as necessary.

On Unix systems:

  Use the chmod command.
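
The following script is an added example, not part of the original tutorial. It shows one way to apply the chmod step on Unix: it finds the FrontPage password files named above that any local user can read, and optionally removes that access. The function names and the --fix option are hypothetical, and the script assumes the web server reads these files through their owner or group permissions, so removing access for "other" does not lock out legitimate users.

```shell
#!/bin/sh
# Added example: audit FrontPage password files under a web root.
# Usage (script name is hypothetical):
#   sh fp_pwd_audit.sh /path/to/webroot        report exposed files
#   sh fp_pwd_audit.sh --fix /path/to/webroot  report and tighten them

# Print every FrontPage password file below $1 that sits in a _vti_pvt
# directory and has the "other" read bit set.
find_exposed_pwd() {
    find "$1" -type f -path '*/_vti_pvt/*' \
        \( -name service.pwd -o -name administrators.pwd \
           -o -name authors.pwd -o -name users.pwd \) \
        -perm -004 -print
}

# Remove all "other" access from each exposed file and report the change.
# Assumption: the web server account is the owner or in the file's group.
harden_pwd() {
    find_exposed_pwd "$1" | while IFS= read -r f; do
        chmod o-rwx "$f" && printf 'tightened: %s\n' "$f"
    done
}

# Run only when called with arguments, so the functions can also be sourced.
if [ "$#" -ge 1 ]; then
    if [ "$1" = "--fix" ]; then
        harden_pwd "${2:?web root required}"
    else
        find_exposed_pwd "$1"
    fi
fi
```

Run the report mode first and review the list before using --fix, then confirm that authors can still log in through FrontPage.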

To fix the buffer overflow in fpcount.exe, upgrade to FrontPage Server Extensions 98 or higher.

Where can I read more about this?

For more information on the vulnerability in the Visual Studio RAD support, see Microsoft Security Bulletin 01-035 and NSFocus Security Advisory 2001-03.

See the Rhino 9 Advisory for more information about the password file vulnerability.

The fpcount.exe vulnerability was posted to Bugtraq.