Public exploits available
On this page
The SmartHTML Interpreter (shtml.dll) is part of the FrontPage Server Extensions (FPSE) and Microsoft SharePoint Team Services, and provides support for web forms and other FrontPage-based dynamic content. The interpreter contains a flaw that could be exposed when processing a request for a particular type of web file, if the request had certain specific characteristics. This flaw affects the two versions of FrontPage Server Extensions differently.
In the case of the buffer overrun in FrontPage Server Extensions 2002, the malicious code would run as system, even though getting to system would take a convoluted exploit. Nonetheless, it is possible to that an attacker could create such an exploit and be running as system.
Technical details (analysis)
The vulnerability results because of a flaw in the FrontPage Server Extensions SmartHTML interpreter. The interpreter can enter a mode in which it consumes all CPU availability on a web server using FrontPage Server Extensions 2000 or can result in a buffer overrun in FrontPage Server Extensions 2002, if it receives a request for a particular type of web file, along with some specific parameters. This is a denial of service and buffer overrun vulnerability. It affects FrontPage Server Extensions 2000 and 2002 differently. With FrontPage Server Extensions 2000, the flaw could cause most CPU availability to be consumed until the web service is restarted. An attacker could use this vulnerability to conduct a denial of service attack against an affected web server. With FrontPage Server Extensions 2002, the same flaw in the interpreter causes a buffer overrun, potentially allowing an attacker to run code of the his choice.
Microsoft FrontPage Server Extensions 2000
Microsoft FrontPage Server Extensions 2002
Microsoft Windows 2000 (shipped FPSE 2000)
Microsoft Windows XP (shipped FPSE 2000)
Microsoft SharePoint Team Services 2002
All those applications not on the affected list.
Release Date: 2002-09-25T00:00:00
Known false positives
This signature can cause false positives if you are not running any of the affected software versions or if you've already applied the patch
The IIS Lockdown Tool, if used to configure a static web server, disables the SmartHTML Interpreter. Servers on which this has been done could not be affected by the vulnerability.
FrontPage Server Extensions install on IIS 4.0, 5.0 and 5.1 by default, but can be uninstalled if desired. Servers on which this has been done could not be affected by the vulnerability.