Bugtraq mailing list archives
IIS 4 Request Logging Security Advisory
From: mnemonix () GLOBALNET CO UK (mnemonix)
Date: Fri, 22 Jan 1999 10:12:52 -0000
There is a combination of problems with IIS 4 that allows a successful HTTP request to go unlogged.

Microsoft's Internet Information Server 4 allows the use of any request method of almost any length for a resource that is to be interpreted or executed on the web server. This includes such files as Active Server Pages, Perl scripts and ordinary executables. Consequently a user can request a file, default.asp, with a request method of AAAAAAAAAAAAAAAAAAAAAAAAA and it will be returned.

If the request method used, added to the path to the requested resource, is over c.10150 bytes long, the page is returned and nothing is logged by IIS. This could allow attacks on the server to go unnoticed.

MS have probably decided to avoid the situation where an attacker could rapidly fill up disk space by not logging overly long requests. Perhaps it would be better to truncate such a request and log that.

To demonstrate this I have written an executable called avoid.exe that will use a request method which is 10140 bytes long that requests /default.asp from a webserver. This program does not exploit anything other than the logging avoidance. You can get a copy from http://www.infowar.co.uk/mnemonix/avoid.exe

This was tested on NT 4 with SP3 + hotfixes. Can someone test this on an SP4 machine?

Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix/
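The advisory's suggestion of truncating an overly long request and logging it, sketched as an added example (not code from the original post and not how IIS logs). The field limit, the log layout and the names `clip` and `log_entry` are assumptions made for this sketch.

```python
import re

# Assumed limit and method list for this sketch; not IIS settings.
MAX_FIELD = 256
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
# Spaces, control bytes and non-ASCII would break a space-separated log line.
_UNSAFE = re.compile(r"[^\x21-\x7e]")


def clip(value: str, limit: int = MAX_FIELD) -> str:
    """Cut value to `limit` chars; if cut, append the original length."""
    safe = _UNSAFE.sub("?", value)
    if len(safe) <= limit:
        return safe or "-"
    return f"{safe[:limit]}...[truncated,len={len(value)}]"


def log_entry(client: str, method: str, target: str, status: int) -> str:
    """Build one log line. Every request yields a line, however long it was."""
    flags = []
    if method.upper() not in KNOWN_METHODS:
        flags.append("unknown-method")
    if len(method) > MAX_FIELD or len(target) > MAX_FIELD:
        flags.append("oversize")
    fields = [client, clip(method), clip(target), str(status),
              ",".join(flags) or "-"]
    return " ".join(fields)


if __name__ == "__main__":
    # Constructed sample requests (not captured traffic).
    samples = [
        ("192.0.2.10", "GET", "/default.asp", 200),
        ("192.0.2.11", "A" * 10140, "/default.asp", 200),
    ]
    for sample in samples:
        print(log_entry(*sample))
```

The entry size stays bounded, so the disk-filling concern is addressed, while the `oversize` and `unknown-method` flags give log review something to alert on.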