What's the scope of the vulnerability?
This is a buffer overrun vulnerability. The vulnerability could enable an attacker to run a program of his choice on the server. The program would, at the least, have the privileges associated with a user who could log onto the server at the console, and potentially could gain system-level privileges.
The vulnerability could only be exploited if a particular sub-component were installed on the server. The sub-component is not installed by default, and in order to install it, the system administrator would need to acknowledge a warning dialogue that points out that the component is not appropriate for installation on a production machine.
What causes the vulnerability?
The vulnerability results because of an unchecked buffer in a subcomponent of FrontPage Server Extensions called the Visual InterDev RAD Remote Deployment Support sub-component. A specially-malformed packet could exploit this vulnerability and execute code on the server.
What are FrontPage Server Extensions?
FrontPage Server Extensions (FPSE) are software components that run on an IIS 4.0 or 5.0 web server. FPSE comes with Office 2000/Office XP, with Windows Server 2000 and Windows Advanced Server 2000. It can be installed to run on Windows NT 4.0, Windows Server 2000 or Windows Advanced Server 2000 and it enables the development of web sites using FrontPage and Visual InterDev. FPSE can be downloaded from here.
It is important to note that while the sub-component affected by the vulnerability is a part of FrontPage Server Extensions, it is actually installed through the IIS 4.0 or IIS 5.0 setup routines. IIS 4.0 is installed from the Windows NT 4.0 Option Pack and IIS 5.0 is installed with Windows 2000.
What's Visual InterDev?
Visual InterDev is a web development tool that lets users quickly develop sophisticated web applications that bind databases, programs and web content together. It's a member of the Visual Studio family of tools.
What is Visual InterDev RAD Remote Deployment Support?
Visual InterDev RAD Remote Deployment Support is a sub-component of FrontPage Server Extensions that assists in the development of web applications via Visual InterDev by enabling the developer to register COM objects on a web server. This support must be installed from the IIS setup program provided in Control Panel under "Windows Components" or from the Windows NT Option Pack 4.0 setup process.
What are COM objects, and what do you mean by registering them?
COM stands for Component Object Model, and is a technology that enables software to be built in the form of reusable components. A component typically performs a single task, and the advantage of using COM is that developers can make use of pre-written components rather than developing custom ones themselves. This makes software development faster and easier.
Software components that use COM are typically referred to as COM objects. Before a COM object can be used in a web application, it must be registered. The registration process loads the object onto the machine and makes it available for use. The feature at issue in this vulnerability, Visual InterDev RAD Remote Deployment Support, is intended to make it easy for developers to register COM objects on a web server from their Visual Studio 6.0 clients.
Does this mean that the feature will only be installed if I'm using Visual Studio?
No. The feature provides support for Visual Studio, but it resides on the web server rather than the client, and can be installed by the IIS setup process regardless of whether Visual Studio is in use.
Is it installed by default?
No. The feature is not appropriate for use on production machines - it's only intended to be used on machines on which software is being developed. As discussed in Knowledge Base article Q192039, the ability to register COM components on a web server should never be made available to Internet users.
Not only is the RAD Remote Deployment Support sub-component not installed by default, but if the administrator chooses to install it, FPSE displays a warning dialog as a reminder that it's not suitable for use on an Internet-exposed server. The administrator must explicitly acknowledge the warning dialog in order to continue with the installation.
What's wrong with the RAD Remote Deployment Support sub-component?
It contains an unchecked buffer in part of the code that processes registration requests. If an attacker sent a specially-malformed request to a server on which the RAD Remote Deployment Support had been installed, he could overrun the buffer and run code of his choice on the server.
What security context would the code run in?
The code would run in the context of the IUSR_machinename account - the anonymous user account for IIS. This would grant the attacker essentially the same privileges as those of an unprivileged user who could log onto the server at the console. He could load programs onto the server and run them, modify certain files, and execute some operating system commands.
In addition, it would be possible for the attacker to take additional steps that would have the effect of gaining system-level privileges. If he successfully did this, he could take any desired actions on the server.
Would the vulnerability provide a way for an attacker to remotely register a hostile COM object and run it?
The registration feature correctly checks the credentials of the person levying a request, and only allows authorized users to register COM components. With that said, however, if an attacker exploited the unchecked buffer and gained system privileges, he would possess the needed credentials to load any software he wanted on the server, including COM objects.
I don't know whether RAD Remote Deployment Support is installed on my server. How can I tell?
To determine if the feature is installed, go to the Control Panel applet for Add/Remove Programs, and double-click it. Determine your operating system and follow the steps below:
Windows NT 4.0 (All versions):
• The Install/Uninstall tab will be selected by default.
• If "Internet Information Server" is listed, then IIS 3.0 is installed, and this patch does not apply. However, Microsoft does not recommend using IIS 3.0 and urges customers using IIS 3.0 to upgrade to either IIS 4.0 or IIS 5.0.
• If "Windows NT 4.0 Option Pack" is listed, then IIS 4.0 is installed.
    • Double-click the entry for Windows NT 4.0 Option Pack. Click Next on the setup screen that appears.
    • Click the Add/Remove button.
    • Scroll to the bottom of the list that appears. The next to the last entry is "Visual InterDev RAD Remote Deployment Support." If this box is checked, the sub-component is installed.
Windows 2000 (All versions):
• Click on Add/Remove Windows Components.
• If there is a checkmark present in the checkbox next to Internet Information Server, highlight the text and click Details.
• In the next dialog, scroll to the bottom of the list. The next to the last entry is "Visual InterDev RAD Remote Deployment Support." If this box is checked, the sub-component is installed.
RAD Remote Deployment Support is installed on my system. Can I just uninstall it rather than applying the patch?
If you've installed the sub-component, you can remove it by uninstalling. However, it is recommended that you still apply the patch to protect yourself if you decide to reinstall this feature at a later date. Once applied, the patch will ensure that the corrected component is present on your system, even if you decide to re-install the feature at a later time.
What does the patch do?
The patch eliminates the vulnerability by providing proper verification of input.