Vendor: FrontPage
By: SecurityFocus
CVSS: 7.5 (HIGH)
CWE: 120 (Buffer Overflow)
Product Name: FrontPage
Affected Version From: FrontPage 5.0
Affected Version To: FrontPage 2002
Patch Exists: YES
Related CVE: CVE-2002-0607
CPE: a:microsoft:frontpage
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2002

FrontPage htimage.exe and imagemap.exe Buffer Overflow Vulnerability

The htimage.exe and imagemap.exe files included with FrontPage handle server-side image mapping. In normal operation they are passed a map name and a set of coordinates in the format http://target/path/htimage.exe/mapname?x,y. If the mapname portion of the request is replaced with 741 or more characters, the web server software crashes, although the operating system continues to function normally. Stack dumps reveal that user-supplied data occasionally reaches the EIP register, making remote execution of arbitrary code potentially possible.

Mitigation:

Ensure that the htimage.exe and imagemap.exe files are not accessible from the web server.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/1117/info

To crash the server:
http://target/path/htimage.exe/<741+characters>?0,0
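
A log check for the request pattern described above, as an added example that is not part of the original advisory: it flags every request that reaches htimage.exe or imagemap.exe (which the mitigation says should not be reachable) and marks those whose map name is 741 or more characters. The Common Log Format input, the function names and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Length at which the advisory reports the crash (741 or more characters).
MAPNAME_LIMIT = 741
# Path that ends at, or continues past, one of the two image-map binaries.
CGI_RE = re.compile(r"/(?:htimage|imagemap)\.exe(?:/(.*))?$", re.I | re.S)
# Request field of a Common Log Format line (the log format is an assumption).
REQ_RE = re.compile(r'"[A-Z]+ (\S+)(?: HTTP/[\d.]+)?"')


def classify_target(target):
    """Return None, or (verdict, mapname_length) for one request target."""
    # Decode %xx first so an encoded name such as htimage%2Eexe is still seen.
    path = unquote(urlsplit(target).path)
    match = CGI_RE.search(path)
    if match is None:
        return None
    length = len(match.group(1) or "")
    verdict = "overlong" if length >= MAPNAME_LIMIT else "access"
    return (verdict, length)


def scan(lines):
    """Return (line_number, verdict, mapname_length) for every matching line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        request = REQ_RE.search(line)
        result = classify_target(request.group(1)) if request else None
        if result is not None:
            hits.append((number, *result))
    return hits


# Constructed sample log lines (documentation addresses, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Apr/2000:10:00:01 +0000] "GET /index.htm HTTP/1.0" 200 1043',
    '192.0.2.10 - - [10/Apr/2000:10:00:02 +0000] '
    '"GET /path/htimage.exe/menu.map?12,34 HTTP/1.0" 200 310',
    '198.51.100.7 - - [10/Apr/2000:10:05:40 +0000] '
    '"GET /path/imagemap.exe/' + "A" * 741 + '?0,0 HTTP/1.0" 500 0',
    '198.51.100.7 - - [10/Apr/2000:10:05:41 +0000] '
    '"GET /path/HTIMAGE%2Eexe/' + "B" * 740 + '?0,0 HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

An "access" hit on a server where the mitigation has been applied means the files are still reachable; an "overlong" hit matches the crash condition in the advisory.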