Web Attack: MS FrontPage Remote Debug

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

This signature detects an attempt to exploit a flaw in the Remote Debugging interface of Microsoft FrontPage Server Extensions through a specially crafted URI.

Additional Information

FrontPage Server Extensions are a component for FrontPage that allows authorized users to edit and maintain content.
FrontPage Server Extensions include remote debugging functionality, which allows users to connect to the server and debug content using software such as Visual InterDev. A remotely exploitable buffer overflow vulnerability has been reported in this remote debugging functionality.
The issue is due to an unchecked buffer size in a DLL (fp30reg.dll) included with the extensions. It can be triggered by sending a malformed chunked-encoded HTTP POST request. This allows the attacker to influence the values in the ECX and EDI registers, which may be leveraged to execute arbitrary code. Exploitation may allow a remote attacker to execute arbitrary code on a vulnerable system with Local System privileges.
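As an added illustration (not Symantec's signature logic), the following Python sketch shows how a defender could triage captured raw HTTP requests for the pattern described above: a POST whose path ends in fp30reg.dll and whose chunked body does not parse as valid chunk framing. What counts as "malformed", the 1 MiB chunk limit, the function names and the sample requests are assumptions made for this example.

```python
import re
from urllib.parse import unquote_to_bytes

TARGET_DLL = b"fp30reg.dll"  # file name taken from the advisory text
MAX_CHUNK = 1 << 20          # assumed per-chunk sanity limit (1 MiB)

def chunk_framing_error(body):
    """Return None for well-formed chunked framing, else a reason string."""
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return "chunk-size line not terminated"
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]{1,16}", size_field):
            return "chunk size is not plain hex"
        size = int(size_field, 16)
        if size > MAX_CHUNK:
            return "chunk size exceeds sanity limit"
        pos = eol + 2
        if size == 0:
            return None  # last chunk reached; trailers are not inspected
        if body[pos + size:pos + size + 2] != b"\r\n":
            return "declared chunk size does not match data"
        pos += size + 2

def inspect_request(raw):
    """Classify one raw HTTP request as 'ignore', 'review: ...' or 'suspicious: ...'."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return "ignore"
    headers = {n.strip().lower(): v.strip().lower()
               for n, sep, v in (l.partition(b":") for l in lines[1:]) if sep}
    # Decode percent-escapes so an encoded file name is still matched.
    path = unquote_to_bytes(parts[1].split(b"?", 1)[0]).lower()
    if parts[0] != b"POST" or not path.endswith(TARGET_DLL):
        return "ignore"
    if b"chunked" not in headers.get(b"transfer-encoding", b""):
        return "review: POST to fp30reg.dll without chunked encoding"
    err = chunk_framing_error(body)
    return "suspicious: " + err if err else "review: well-formed chunked POST"

# Constructed sample requests (not captured traffic); the directory is a placeholder.
HEAD = (b"POST /placeholder/fp30reg.dll HTTP/1.1\r\nHost: www.example.test\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n")
SAMPLE_OK = HEAD + b"5\r\nhello\r\n0\r\n\r\n"
SAMPLE_BAD = HEAD + b"40\r\nshort\r\n0\r\n\r\n"
```

Any POST to fp30reg.dll is surfaced for review because the remote debugging endpoint is rarely needed on a production server; only framing failures are labelled suspicious.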

Affected

  • Microsoft FrontPage Server Extensions 2000
  • Microsoft FrontPage Server Extensions 2002
  • Microsoft SharePoint Team Services 2002
  • Microsoft Windows 2000 Advanced Server SP2, SP3
  • Microsoft Windows 2000 Datacenter Server SP2, SP3
  • Microsoft Windows 2000 Professional SP2, SP3
  • Microsoft Windows 2000 Server SP2, SP3
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Professional SP1

Response

Microsoft has released updates to address this issue.