Bugtraq mailing list archives
MS IIS 5.0 Access Violation on handling URL String
From: webmaster () DOC2000 DE (Lark Lizerman)
Date: Thu, 13 Jan 2000 19:05:53 -0800
Description:
MS IIS 5.0 has problems handling a specific form of URL ending with "ida". The extension ida has been taken from the Bugtraq posting "IIS revealing webdirectories". The problem causes 2 kinds of results. The one result is that the server responds with a message like "URL String too long"; "Cannot find the specified path". The other error causes the server to terminate with an Access Violation. When the server "Access violates" it displays as last message:

File d:\http\............................................................................................................................................................................................................................................................???????.
Error 0xc0000005 caught while processing query

Reproducing:
As described above, the server gives out, on one and the same string, 2+ error messages. The string will be hosted on an external site, so it doesn't produce too much email traffic for Bugtraq. You find the string at: www.packetshield.de/iisstring.txt (25KB)
(Use Netscape Browser to view the file, because MS IE5.0 has a bug preventing viewing txt files in one row, which cuts off a large piece of the string. You can still view it with the "View source" of MS IE5.0. The last 3 bytes of the string are "ida", then the URL is complete.)

As described above there are 2+ kinds of messages:
1) Access Violation with a display on the website you request
2) URL too long
3) Cannot find the specified path

(3) output:
File d:\http\............................................................................................................................................................................................................................................................????.
The system cannot find the path specified.

With the one and the same string you get one of the 3 messages. The Access Violation error comes about every 20 times you request (don't ask me why).

I have 2 screenshots where 2 of the messages are displayed. The system I have tried it out on is a cluster where each backs up the other in case of failure. For that reason I cannot say with certainty whether the process dies or not, because I got redirected to another server. The screenshots can be viewed at:
http://www.packetshield.de/extra/crash1.jpg
www.packetshield.de/extra/crash2.jpg
Sorry the shots are so large (79,114KB, but Bitmap Editor can't compress better :-( )

I hope MS personnel can fix that bug quickly, because there is a chance of DoS'ing IIS Webservers which have disabled "too long URL strings". One server has too long URL check enabled and gives out a "warning".

Temp. Solution:
Enable IIS to check for too long URL strings and block them.

I hope I didn't describe it too difficult, but I still prefer describing it instead of giving an exploit which can be used by every kid without understanding how it works and just doing damage.

-------------------------------
Lark Lizerman
contact: lizerman () doc2000 de or lark82 () hotmail com
-------------------------------
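A log check a defender could run alongside the temporary solution above, as an added example that is not part of the original post: it scans W3C extended format web server logs for requests whose URI stem is unusually long and ends in "ida". The 2048-character threshold, the function names and the sample log lines are assumptions constructed for illustration.

```python
MAX_STEM_LEN = 2048  # assumed threshold; tune to the longest legitimate URL you serve

# Constructed sample log (not from a real server). The "#Fields:" directive
# changes mid-file, as happens when logging settings are edited.
SAMPLE_LOG = (
    "#Version: 1.0\n"
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status\n"
    "2000-01-14 10:00:01 192.0.2.10 GET /default.htm 200\n"
    "2000-01-14 10:00:05 192.0.2.77 GET /" + "A" * 3000 + ".ida 500\n"
    "2000-01-14 10:00:09 192.0.2.10 GET /search/query.ida 200\n"
    "2000-01-14 10:00:11 192.0.2.10 GET\n"
    "#Fields: date time cs-uri-stem c-ip sc-status\n"
    "2000-01-14 10:05:00 /" + "B" * 5000 + "ida 192.0.2.78 404\n"
)


def find_overlong_ida(lines, max_len=MAX_STEM_LEN):
    """Yield (date, time, client_ip, stem_length, status) for suspect requests."""
    fields = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            # Column order is defined by the most recent #Fields directive.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed record; skip rather than misparse
        rec = dict(zip(fields, values))
        stem = rec.get("cs-uri-stem", "")
        # The post says the triggering URL is very long and its last bytes are "ida".
        if len(stem) > max_len and stem.lower().endswith("ida"):
            yield (rec.get("date"), rec.get("time"), rec.get("c-ip"),
                   len(stem), rec.get("sc-status"))


def suspect_requests(log_text, max_len=MAX_STEM_LEN):
    """Return all suspect requests found in a log given as one string."""
    return list(find_overlong_ida(log_text.splitlines(), max_len))


if __name__ == "__main__":
    for date, time, ip, length, status in suspect_requests(SAMPLE_LOG):
        print(f"{date} {time} {ip} stem_len={length} status={status}")
```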