Bugtraq mailing list archives
Re: IIS 4.0 remote DoS (MS99-029)
From: carock () EPCONLINE NET (Chuck Rock)
Date: Fri, 13 Aug 1999 15:08:50 -0500
Microsoft has also removed this patch becaus it was not fully regression tested when it was released and didn't work with some older software. They are working on a new patch that will be fully regression tested. Here is the patch removal notice from Microsoft. http://www.microsoft.com/security/bulletins/ms99-029regression.asp Chuck -----Original Message----- From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Nobuo Miwa Sent: Wednesday, August 11, 1999 5:25 PM To: BUGTRAQ () SECURITYFOCUS COM Subject: IIS 4.0 remote DoS (MS99-029) Hi, I found a kind of DoS attack against IIS 4.0 on NT SP4 & SP5. I reported it to MS and they've provided HotFix for this. Problem Description ------------------- Simple play. I sent lots of "Host:aaaaa...aa" to IIS like... GET / HTTP/1.1 Host: aaaaaaaaaaaaaaaaaaaaaaa....(200 bytes) Host: aaaaaaaaaaaaaaaaaaaaaaa....(200 bytes) ...10,000 lines Host: aaaaaaaaaaaaaaaaaaaaaaa....(200 bytes) I sent twice above request sets. Then somehow victim IIS got memory leak after these requests. Of course, it can not respond any request any more. If you try this, you should see memory increase through performance monitor. You would see memory increase even after those requests finished already. It will stop when you got shortage of virtual memory. After that, you might not be able to restart web service and you would restart computer. I tried this against Japanese and English version of Windows NT. Fix Information --------------- MS announced in their Security Bulletin as following : http://www.microsoft.com/security/bulletins/MS99-029faq.asp Additional information ---------------------- You'll realize someone release exploit code of this thing. It's easy to make it by using perl or another scripts. <Nobuo Miwa> n-miwa () lac co jp ( @ @ ) http://www.lac.co.jp/security -------------------------------o00o--(. .)--o00o-------------------------
Current thread:
- IIS 4.0 remote DoS (MS99-029) Nobuo Miwa (Aug 11)
- Re: IIS 4.0 remote DoS (MS99-029) Chuck Rock (Aug 13)
- Win32 File Naming (again) x-empt [ lvhc / lou ] (Aug 14)
- Re: Win32 File Naming (again) David LeBlanc (Aug 16)
- Re: Win32 File Naming (again) Marc Slemko (Aug 16)