Microsoft FrontPage htimage.exe Overflow

2000-04-18T00:00:00
ID OSVDB:3384
Type osvdb
Reporter OSVDB
Modified 2000-04-18T00:00:00

Description

Vulnerability Description

Microsoft Personal Web Servers contain a flaw that allows a remote attacker to execute arbitrary code on a vulnerable server. The issue is a buffer overflow in htimage.exe: if the mapname portion of the request exceeds 741 characters, the web server will crash and the attacker-supplied code can be executed.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: remove the htimage.exe program from the web server.

Manual Testing Notes

Request:

http://[victim]/cgi-bin/htimage.exe/<741 A's>?0,0

Look for the following error message:

HTIMAGE caused an invalid page fault in module <unknown> at 0000:41414141.
Registers: [..]
Bytes at CS:EIP: [..]
Stack dump: [..]
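For the detection side, the request shape above can be looked for in web server access logs. The following is an added example, not part of the original OSVDB entry; it assumes Common Log Format lines, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Figure from the entry: the description says the overflow occurs when mapname
# exceeds 741 characters and the testing note sends 741, so flag 741 and above.
MAPNAME_LIMIT = 741

# Request line of a Common Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+)(?: HTTP/[\d.]+)?"')
# Everything after "htimage.exe/" in the path is the mapname. DOTALL and \Z keep
# decoded control characters from cutting the match short.
HTIMAGE_RE = re.compile(r'/htimage\.exe(?:/(?P<mapname>.*))?\Z',
                        re.IGNORECASE | re.DOTALL)


def classify(line):
    """Return None for unrelated requests, else details of the htimage.exe hit."""
    req = REQUEST_RE.search(line)
    if not req:
        return None
    # Drop the query string (the "?x,y" click coordinates), then decode
    # percent-escapes so padding such as %41 is measured as single characters.
    path = unquote(req.group("target").split("?", 1)[0])
    hit = HTIMAGE_RE.search(path)
    if not hit:
        return None
    mapname = hit.group("mapname") or ""
    return {"client": line.split(" ", 1)[0],
            "mapname_len": len(mapname),
            "oversized": len(mapname) >= MAPNAME_LIMIT}


def scan(lines):
    """Return only the htimage.exe requests whose mapname is oversized."""
    return [r for r in map(classify, lines) if r and r["oversized"]]


# Constructed sample log lines (documentation address range, made-up timestamps).
TS = "- - [18/Apr/2000:10:00:00 +0000]"
SAMPLE_LOG = [
    f'192.0.2.10 {TS} "GET /cgi-bin/htimage.exe/maps/site.map?10,20 HTTP/1.0" 200 312',
    f'192.0.2.66 {TS} "GET /cgi-bin/htimage.exe/{"A" * 741}?0,0 HTTP/1.0" 500 0',
    f'192.0.2.67 {TS} "GET /CGI-BIN/HTIMAGE.EXE/{"%41" * 800}?0,0 HTTP/1.0" 500 0',
    f'192.0.2.11 {TS} "GET /index.htm HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because the workaround is to remove htimage.exe, any non-None result from classify() on a server where the program should be gone is also worth reviewing, oversized or not.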

References:

Related OSVDB ID: 3381
Nessus Plugin ID: 10376
Microsoft Security Bulletin: MS00-028
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-04/0116.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2000-04/0159.html
Keyword: aka the "Server-Side Image Map Components" vulnerability
ISS X-Force ID: 4484
CVE-2000-0256
Bugtraq ID: 1117