Vulnerabilities > CVE-2002-0692 - Unspecified vulnerability in Microsoft products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
microsoft
nessus

Summary

Buffer overflow in SmartHTML Interpreter (shtml.dll) in Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to cause a denial of service (CPU consumption) or run arbitrary code, respectively, via a certain type of web file request.

Nessus

NASL familyWeb Servers
NASL idFRONTPAGE_SHTML_OVERFLOW.NASL
descriptionThe remote host has FrontPage Server Extensions (FPSE) installed. There is a denial of service / buffer overflow condition in the program
last seen2020-06-01
modified2020-06-02
plugin id11311
published2003-03-03
reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/11311
titleMS02-053: Microsoft FrontPage Extensions shtml.exe Remote Overflow (uncredentialed check)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(11311);
 script_version("1.35");
 script_cvs_date("Date: 2018/11/15 20:50:25");

 script_cve_id("CVE-2002-0692");
 script_bugtraq_id(5804);
 script_xref(name:"MSFT", value:"MS02-053");
 script_xref(name:"MSKB", value:"324096");

 script_name(english:"MS02-053: Microsoft FrontPage Extensions shtml.exe Remote Overflow (uncredentialed check)");
 script_summary(english:"Checks for the presence of shtml.exe");

 script_set_attribute(attribute:"synopsis", value:
"An application running on the remote web server may be vulnerable to a
buffer overflow attack.");
 script_set_attribute(attribute:"description", value:
"The remote host has FrontPage Server Extensions (FPSE) installed.

There is a denial of service / buffer overflow condition in the
program 'shtml.exe' which comes with it. However, no public detail has
been given regarding this issue yet, so it's not possible to remotely
determine if you are vulnerable to this flaw or not.

If you are, an attacker may use it to crash your web server (FPSE
2000) or execute arbitrary code (FPSE 2002). Please see the Microsoft
Security Bulletin MS02-053 to determine if you are vulnerable or not.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2002/ms02-053");
 script_set_attribute(attribute:"solution", value:"Refer to the Microsoft Security Bulletin.");
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 script_set_attribute(attribute:"vuln_publication_date", value:"2002/09/25");
 script_set_attribute(attribute:"plugin_publication_date", value:"2003/03/03");

 script_set_attribute(attribute:"potential_vulnerability", value:"true");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:internet_information_server");
 script_end_attributes();

 script_category(ACT_ATTACK);
 script_family(english:"Web Servers");

 script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");

 script_dependencies("http_version.nasl", "www_fingerprinting_hmap.nasl", "smb_registry_full_access.nasl", "smb_reg_service_pack_W2K.nasl", "smb_reg_service_pack_XP.nasl", "frontpage_chunked_overflow.nasl");
 script_require_keys("Settings/ParanoidReport");
 script_require_ports("Services/www", 80);

 exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_http_port(default:80);

sig = get_kb_item("www/hmap/" + port + "/description");
if ( sig && "IIS" >!< sig ) exit(0);

w = http_send_recv3(method:"GET", item:"/_vti_bin/shtml.exe", port:port);
if (isnull(w)) exit(1, "The web server did not answer");
res = strcat(w[0], w[1], '\r\n', w[2]);

  if("Smart HTML" >< res){
  w = http_send_recv3(method:"GET", item:"/_vti_bin/shtml.exe/nessus.htm", port:port);
  if (isnull(w)) exit(1, "The web server did not answer");
  res = strcat(w[0], w[1], '\r\n', w[2]);
  if ("&quot;nessus.htm&quot;" >!< res ) security_hole ( port ) ;
 }