[Snort-sigs] WEB-FRONTPAGE fp30reg.dll; WEB-FRONTPAGE rad overflow

Chris Arsenault carsenault at ...283...
Wed Jan 23 13:28:10 EST 2002


 
 
Signature Submission
 
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 
 
Rule:  WEB-FRONTPAGE fp30reg.dll
       WEB-FRONTPAGE rad overflow
--
 
Sid:  1248
 
--
 
Summary:  fp30reg.dll is a component that is installed during a custom
installation of Microsoft Visual Studio RAD.   
 
--
Impact:  The fp30reg.dll component could possibly allow an attacker to
run code of choice against the target web server.  The code could
possibly run in the context of the system account. 
 
--
Detailed Information:  The Microsoft Visual Studio Remote Application
Deployment Subcomponent can be selected during the installation of Front
Page Server Extensions.  Microsoft previously released a patch to
correct this issue, however the patch has been pulled until further
notice.   
 
--
Attack Scenarios:  A proof of concept script has been posted by the
NSFOCUS security team.  The script is available at the security focus
reference below.
 
 
--
Ease of Attack:  This component is not installed during a default
installation of Microsoft Internet Information Services.  It is also not
part of the default installation of Front Page Server Extensions or
Microsoft Visual Studio RAD.  In the event that this component was
selected during the installation of a production web server, this would
be an easy exploit.  
 
--
False Positives:  N/A
 
--
False Negatives:  N/A
 
--
Corrective Action:  Microsoft will make a fix available for this in
Windows 2000 service pack 3.  Removal of the offending component
fp30reg.dll is required in order to eliminate this vulnerability
--
Contributors:
 
Chris Arsenault - carsenault at ...283...
 
References:
 
Security Focus
 
http://www.securityfocus.com/bid/2906
 
CVE
 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0341
 
 
Microsoft
 
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
ity/bulletin/MS01-035.asp
 
NSFOCUS
 
http://www.nsfocus.com/english/homepage/sa01-03.htm
 
 
Chris Arsenault
Information Systems Manager
First Educators Credit Union
Senior Technical Instructor
Rice Unversity
Exchange 5.5/Exchange 2000
 
Microsoft Certified Systems Engineer
Microsoft Certified Trainer
 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020123/d2d034a2/attachment.html>


More information about the Snort-sigs mailing list