what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

scx-sa-08.txt

scx-sa-08.txt
Posted Nov 5, 2000
Authored by Zoa_Chien | Site securax.org

Securax Security Advisory #8 - IIS 4.0 contains a denial of service vulnerability which is similar to the unicode vulnerability. This can be fixed by installing the recent unicode patches.

tags | exploit, denial of service
SHA-256 | f877b8c806d53dfad30246acf6a74461dbb28f13b37fda783263068d9efcb449

scx-sa-08.txt

Change Mirror Download

=====================================================================
Securax-SA-08 Security Advisory
belgian.networking.security Dutch
=====================================================================
Topic: IIS4.0 Denial Of Service (part 1)
Announced: 2000-11-03
Updated: 2000-11-03
Affects: IIS 4.0
None affected: Apache, IIS 3.0, IIS5.0
Obsoletes: /
=====================================================================

THE ENTIRE ADVISORY HAS BEEN BASED UPON TRIAL AND ERROR
RESULTS. THEREFORE WE CANNOT ENSURE YOU THE INFORMATION BELOW IS
100% CORRECT. THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT PRIOR
NOTICE.
PLEASE, IF YOU HAPPEN TO FIND MORE INFORMATION CONCERNING
THE BUG DISCUSSED IN THIS ADVISORY, PLEASE SHARE THIS ON BUQTRAQ.
THANK YOU,


First:

In the past, several bugs were found that look very similar to the one discussed here,
(https://www.securityfocus.com/bid/1101)
(https://www.securityfocus.com/bid/1642)
(the ./././././ DoS by USSRlabs)

However, I think this is a new one, (I found servers that were not vulnerable to the above
bugs, but were vulnerable to this one... ofcourse I could be wrong.. my apologies if this is
the case.

I. Background

While beta testing a new stress tool, I noticed that "forbidden" unicode representations
for the ascii "0" character such as %C0%80 and %E0%80%80 were handled as correct
filenames on IIS4.0 check "https://www.securitywatch.com/%C0%80"
(Btw: this site is not vulnerable to the DoS! )

Normally that should result in a 404, but instead it returns a 200.
(Try to use it on a server that does relaying .. fun to see :-)

On IIS5.0 (e.g. www.microsoft.com) this will not return a 404 nor a 200 but a 302, with an
invalid header, causing browsers to panic..

II. Problem Description

If we create a very long URL with /%C0%80/%C0%80% [...snip...] C0%80 IIS will
stop functioning until the complete string is interpreted / decoded.

If the string does not return a 404 on IIS4, try to add an existing directory to the string.

It might be possible to use this "feature" in combination with other (future?) exploits.
(like those +230 %20's with .htw)


I think the DoS problem is solved with the latest UNICODE patches... although those
strings still return a 200 code... and they obviously should not.

Maybe using multiple sockets would allow it to be used on IIS5.0 too. (not tested)


III. Impact

This denial of service should not work on well configured IIS servers, but we all know
these are in a minority.

IV. Solution

Be sure to install all IIS patches ever released, that should be sufficient ?
Following the Microsoft recommended limitation for urls should also do the trick.

Just set the following registry entry to the maximum-length URL you want to accept:
Hive
HKEY_LOCAL_MACHINE \SYSTEM
Key
CurrentControlSet\Services\W3SVC\Parameters

Name
MaxClientRequestBuffer

Value Type
DWORD



V. Credits

Zoa_Chien (zoachien@securax.org)
Segfau|t (for fixxin mi speling eroors)

VI. Source code
none.




Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    17 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close