Security 10816 Published by

FrontPage Server Extensions ship as part of IIS 4.0 and 5.0, and facilitate the development of Web sites and Web-based applications. FrontPage Server Extensions includes an additional, optional sub-component called Visual Studio RAD (Remote Application Deployment) Support. This sub-component allows Visual InterDev 6.0 users to register and unregister COM objects on an IIS 4.0 or 5.0 Server. This sub-component contains an unchecked buffer in a section that processes input information. An attacker could exploit this vulnerability against any server with this sub-component installed by establishing a web session on with the server and passing a specially malformed packet to the server component. The attacker could use that packet to thereby load code of his choice for execution on the server. An attack that exploits this vulnerability would execute in the IUSR_machinename context (see Q142868). However, it is possible under certain circumstances to execute code in the SYSTEM context.

It is important to note that this feature is not installed by default with FPSE. It is also not installed by default on either of IIS 4.0 or 5.0. Also, when the feature is selected during installation, a
warning message is raised alerting the administrator that this feature should not be installed on production machines, especially if the production machine has Internet access. This is because this feature is only intended for facilitating internal development. The administrator must acknowledge the warning to successfully install the feature.

A patch is available to fix this vulnerability. Please read the Security Bulletin http://www.microsoft.com/technet/security/bulletin/ms01-035.asp for information on obtaining this patch.