nessus | This script is Copyright (C) 2000-2018 Tenable Network Security, Inc. | FRONTPAGE_DVWSSR.NASL
History: Apr 14, 2000 - 12:00 a.m.

Microsoft FrontPage dvwssr.dll Multiple Vulnerabilities

2000-04-14 00:00:00
This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.
www.tenable.com
141

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.015

Percentile

87.1%

The version of Microsoft FrontPage running on the remote host has the following vulnerabilities in ‘/_vti_bin/_vti_aut/dvwssr.dll’ :

  • A security bypass vulnerability that allows anyone with web authoring permissions to alter other users’ files.

  • A remote buffer overflow vulnerability that could allow a remote attacker to crash the server, or possibly execute arbitrary code.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");


if (description)
{
  # Registration pass: when the scanner loads the plugin with `description`
  # set, only metadata is declared and the script exits before any network
  # traffic is generated.

  # Plugin identity and cross-references to public advisories.
  script_id(10369);
  script_version("1.59");
  script_cve_id("CVE-2000-0260");
  script_bugtraq_id(1109);
  script_xref(name:"MSFT", value:"MS00-025");

  script_name(english:"Microsoft FrontPage dvwssr.dll Multiple Vulnerabilities");
  script_summary(english:"Checks for the presence of  /_vti_bin/_vti_aut/dvwssr.dll");

  # Report text shown to the operator.
  script_set_attribute(attribute:"synopsis", value:"The remote web server has multiple vulnerabilities.");
  script_set_attribute(
    attribute:"description",
    value:
"The version of Microsoft FrontPage running on the remote host has
the following vulnerabilities in '/_vti_bin/_vti_aut/dvwssr.dll' :

  - A security bypass vulnerability that allows anyone with
    web authoring permissions to alter other users' files.

  - A remote buffer overflow vulnerability that could allow
    a remote attacker to crash the server, or possibly
    execute arbitrary code."
  );

  # Archived copy of the original advisory (presumably what the shortened
  # link below resolves to - confirm):
  # https://web.archive.org/web/20031207215454/www.wiretrip.net/rfp/txt/rfp2k02.txt
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3772b65c");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2000/ms00-025");

  # Remediation is removal of the DLL, which is why the check below only
  # tests whether the file is reachable and never probes the flaw itself.
  script_set_attribute(
    attribute:"solution",
    value:
"Delete all copies of dvwssr.dll from the server.  Refer to the
Microsoft Security Bulletin for further information."
  );

  # NOTE(review): the base vector rates confidentiality, integrity and
  # availability impact as Complete (C:C/I:C/A:C). Other scorings of the same
  # CVE may use Partial for all three; confirm which one your reporting and
  # prioritisation rely on.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Publication and revision dates.
  script_set_attribute(attribute:"plugin_publication_date", value: "2000/04/14");
  script_set_attribute(attribute:"vuln_publication_date", value: "2000/04/14");
  script_cvs_date("Date: 2018/11/15 20:50:25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # ACT_GATHER_INFO: the check is limited to HTTP GET requests (see below).
  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2000-2018 Tenable Network Security, Inc.");

  # Scheduling: run after service discovery and HTTP fingerprinting, and only
  # against ports identified as web servers (falling back to 80).
  script_dependencie("find_service1.nasl", "http_version.nasl", "www_fingerprinting_hmap.nasl");
  script_require_ports("Services/www", 80);

  exit(0);
}

#
# The script code starts here
#

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Detection logic: presence check for /_vti_bin/_vti_aut/dvwssr.dll on
# IIS 3.x / 4.x. Only GET requests are sent; no parameters are passed to the
# DLL and neither vulnerability is exercised. A finding therefore means
# "the DLL appears to be reachable", not "the overflow was confirmed".

port = get_http_port(default:80);

# Scope the check to servers whose banner advertises IIS/3 or IIS/4.
srv_banner = get_http_banner(port:port);
if (!srv_banner || !egrep(pattern:"^Server: .*IIS/[34]", string:srv_banner)) exit(0);

# Baseline request for "/": stop if the server does not answer with an
# HTTP/1.x status line, or answers 401/404 for the root document, because the
# status code of the probe below could not be interpreted reliably.
root_res = http_send_recv3(method:"GET", item:"/", port:port);
if (!ereg(pattern:"^HTTP/1\.. ", string:root_res[0]) ||
    ereg(pattern:"^HTTP/1\.. 40[14] ", string:root_res[0])) exit(0);

# Probe for the DLL. Index 0 is used as the status line; indexes 1 and 2 are
# joined into a single string for the substring tests that follow.
probe_res = http_send_recv3(method:"GET", item:"/_vti_bin/_vti_aut/dvwssr.dll", port:port);
status_line = probe_res[0];
hdr_and_body = strcat(probe_res[1], '\r\n', probe_res[2]);

# Interpretation of the answer, as documented by the original author:
#   - IIS returns a 500 error for an unknown file and a 401 error when the
#     file is present.
#   - According to
#     https://web.archive.org/web/20000510063805/http://archives.neohapsis.com/archives/win2ksecadvice/2000-q2/0015.html
#     a connection that is closed without any response means the caller was
#     allowed to run the DLL, which then ended the exchange because no
#     parameters were supplied.

# A response carrying an authentication challenge is not reported.
if ("WWW-Authenticate:" >< hdr_and_body) exit(0);

got_200 = ereg(pattern:"^HTTP/[0-9]\.[0-9] 200 ", string:status_line);
got_401 = ("HTTP/1.1 401 Access Denied" >< status_line);

# NOTE(review): hdr_and_body always contains at least the '\r\n' separator
# added by strcat() above, so this length test looks unreachable and the
# "connection closed with no data" case described above is apparently never
# reported. Testing the response for NULL instead would also match plain
# network failures, so confirm the intended behaviour before changing it.
got_nothing = (strlen(hdr_and_body) == 0);

# Anything other than the IIS "401 Access Denied" status line, an empty
# reply or a 200 is treated as "DLL not present".
if (!got_401 && !got_nothing && !got_200) exit(0);

# False-positive guard for servers that answer 200 for missing pages: if an
# earlier plugin stored a "not found" page signature for this port in the KB
# and the reply contains it, the 200 is not evidence that the DLL exists.
# Without a stored signature, any 200 is reported.
if (got_200 && strlen(hdr_and_body))
{
  soft404_sig = tolower(get_kb_item(string("www/no404/", port)));
  if (soft404_sig)
  {
    if (soft404_sig >< tolower(hdr_and_body)) exit(0);
  }
}

security_hole(port);


CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.015

Percentile

87.1%
