[ SOURCE: http://www.secureroot.com/security/advisories/9786173670.html ]

Sorry for the delay in posting this.

FrontPage Publishing DoS (Denial of Service)

Release Date: Dec 22, 2000

Systems Affected:
Default installations of Windows NT4 IIS4 SP6 or earlier
Default installations of Windows 2000 IIS5 SP1 or earlier

Description:
Any current NT server running IIS with FrontPage Server Extensions (which are installed by default) is vulnerable to a remote DoS (Denial of Service). The vulnerability stems from FrontPage improperly handling queries to the FrontPage Authoring (author.dll) module as well as shtml calls. A remote attacker can send a malformed query to those modules that causes FrontPage to crash, which in turn brings down inetinfo.exe on Windows NT 4.0 systems.

On Windows 2000 systems the behaviour is a bit different. inetinfo.exe is not killed; it simply "freezes". You can still connect to the IIS5 web server, but any further GET/HEAD/etc. requests will not be processed. Microsoft's advisory states that IIS5 will simply restart; however, we did not experience this in our testing.

The two vulnerable pieces of FrontPage are:
/_vti_bin/shtml.dll/_vti_rpc
/_vti_bin/_vti_aut/author.dll

Example Exploit:
Sorry we didn't take the time to wrap these into click-and-kill exe's.
http://www.eEye.com/html/advisories/FPDOSNT4.txt
http://www.eEye.com/html/advisories/FPDOSNT4NT5.txt
These files are easiest to read if opened in a word-wrapped document.

Vendor Status:
Microsoft has released an advisory and patch for this vulnerability:
http://www.microsoft.com/technet/security/bulletin/ms00-100.asp

Note: Several people have recommended disabling FrontPage Web Authoring if you do not use FrontPage. Disabling Web Authoring does not fix the problem. You must completely remove FrontPage and all of its files.

Copyright (c) 1998-2000 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:
eEye Digital Security
mail:info@eEye.com
http://www.eEye.com
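As an added defender-side example (not part of the eEye advisory or its exploit files), the following Python scans IIS W3C extended log lines for requests that reach the two FrontPage endpoints named above and counts them per client address, so an administrator can see whether those modules are being hit at all before removing FrontPage. The log field order and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter

# The two FrontPage Server Extensions endpoints named in the advisory.
VULNERABLE_STEMS = (
    "/_vti_bin/shtml.dll/_vti_rpc",
    "/_vti_bin/_vti_aut/author.dll",
)

# Assumed IIS W3C extended log field order (as set by a #Fields: directive):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d+)$"
)

# Constructed sample log; addresses are from a documentation range, not real hosts.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-12-22 10:01:02 192.0.2.10 GET /default.htm - 200
2000-12-22 10:01:05 192.0.2.55 POST /_vti_bin/shtml.dll/_vti_rpc - 200
2000-12-22 10:01:06 192.0.2.55 POST /_vti_bin/_vti_aut/author.dll - 500
2000-12-22 10:01:09 192.0.2.10 GET /images/logo.gif - 200
2000-12-22 10:01:11 192.0.2.77 POST /_VTI_BIN/_vti_aut/author.dll - 200
"""

def parse_line(line):
    """Return the fields of one log entry, or None for directives and junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_frontpage_hit(entry):
    """True if the request targets a vulnerable FrontPage endpoint.
    IIS paths are case-insensitive, so compare in lower case."""
    stem = entry["stem"].lower()
    return any(stem == v or stem.startswith(v + "/") for v in VULNERABLE_STEMS)

def find_frontpage_hits(log_text):
    """All parsed entries that hit a vulnerable endpoint, in log order."""
    entries = (parse_line(l) for l in log_text.splitlines())
    return [e for e in entries if e and is_frontpage_hit(e)]

def hits_per_client(log_text):
    """Count vulnerable-endpoint requests per client IP (c-ip)."""
    return Counter(e["ip"] for e in find_frontpage_hits(log_text))
```

Run `hits_per_client(SAMPLE_LOG)` on the constructed log and it reports two requests from 192.0.2.55 and one from 192.0.2.77; a sudden spike from one source, or a 500 on author.dll followed by no further entries, is the pattern to look for on an NT 4.0 host whose inetinfo.exe has died.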