Vulnerability Development mailing list archives
Reminder: MaxClientRequestBuffer
From: marc () EEYE COM (Marc)
Date: Wed, 3 May 2000 15:37:49 -0700
By default the registry key MaxClientRequestBuffer is not created. It is essential to IIS security to set a limit to MaxClientRequestBuffer. This key sets the allowed amount of input to IIS (basically). So, for example, if you set MaxClientRequestBuffer to 256 (bytes) and you telnet into the server and hit it with GET /[bigbuffer] HTTP/1.0, you will only be allowed to send approx. 256 bytes. By default, though, there is no restriction on this, so it's easy to create a program to cause IIS to waste memory and use up 100% of the CPU. We were able to use cnghack.c to waste 70 megs of memory in a matter of a few minutes.

We've created a demonstration program as a reminder to make sure you have MaxClientRequestBuffer set to something reasonable.

http://www.eeye.com/database/advisories/cnghack.c <-- example code... very broken.

cnghack.c works by doing the following:

  Connects to example.com
  Sends: GET / HTTP/[return][buffer]

  [return] is just an \r\n
  [buffer] is a never ending stream of A's

IIS will keep buffering the input, therefore wasting memory, and in the meantime the processor will sit at 100%.

Some of you might be asking why does IIS accept invalid HTTP syntax in the first place? A normal HTTP request should be something like "GET / HTTP/1.0\r\n\r\n", but this request is "GET / HTTP/\r\n[buffer]", so it should have dropped the connection because we never sent an HTTP version. However, IIS keeps buffering input until it receives \r\n\r\n.

Oh well, I do not have time to go into much more detail. If you have any questions/comments feel free to eMail me directly.

Microsoft was nice enough to write up a KB article about MaxClientRequestBuffer. They've just posted it to their site today, so be sure to check it out.
http://support.microsoft.com/support/kb/articles/q260/6/94.ASP

Signed,
Marc
eEye Digital Security
http://www.eEye.com

Going to Networld+Interop next week? We'll be there at booth 4708 sporting t-shirts that poke fun at NSA, so be sure to drop by.
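The post identifies two server-side defects behind the resource exhaustion: the request head is buffered without any byte cap until "\r\n\r\n" arrives, and a request line with no HTTP version is not rejected as soon as it is complete. The following is an added illustration written for this archive page, not code from eEye or from IIS: a small request-head reader that enforces a byte cap (the role MaxClientRequestBuffer plays for IIS; the 256-byte value is taken from the post's own example) and validates the request line the moment its terminating "\r\n" is seen. The inputs in check_request are constructed samples modelled on the post's descriptions.

```python
"""Bounded HTTP request-head reader (added example; not the original post's code)."""
import io
import re

# Byte cap on the request head. 256 is the value the post uses as its example setting.
MAX_CLIENT_REQUEST_BUFFER = 256

# A request line must carry a method, a target and an explicit HTTP version.
_REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d$")


class RequestTooLarge(Exception):
    """The request head exceeded the cap before the terminating blank line arrived."""


class MalformedRequest(Exception):
    """The request line is not '<METHOD> <target> HTTP/<major>.<minor>'."""


def read_request_head(stream, limit=MAX_CLIENT_REQUEST_BUFFER, chunk=64):
    """Read the request head from a binary stream without ever holding more than `limit` bytes.

    Returns (request_line, header_lines). Raises RequestTooLarge when the cap is hit
    without a terminating blank line, and MalformedRequest as soon as a complete but
    invalid request line is seen (so "GET / HTTP/\\r\\n" is dropped before more data
    is buffered, instead of waiting for "\\r\\n\\r\\n" as the post describes IIS doing).
    """
    buf = bytearray()
    request_line = None
    while True:
        # Never request more bytes than the cap still allows.
        want = min(chunk, limit - len(buf))
        if want <= 0:
            raise RequestTooLarge(f"request head exceeded {limit} bytes without a blank line")
        data = stream.read(want)
        if not data:
            raise MalformedRequest("connection closed before the request head was complete")
        buf.extend(data)

        # Validate the request line the moment it is complete; do not wait for the headers.
        if request_line is None:
            eol = buf.find(b"\r\n")
            if eol != -1:
                request_line = bytes(buf[:eol])
                if not _REQUEST_LINE.match(request_line):
                    raise MalformedRequest(f"bad request line: {request_line[:40]!r}")

        end = buf.find(b"\r\n\r\n")
        if end != -1:
            break

    lines = bytes(buf[:end]).split(b"\r\n")
    return lines[0].decode("ascii"), [line.decode("latin-1") for line in lines[1:]]


def check_request(raw, limit=MAX_CLIENT_REQUEST_BUFFER):
    """Classify a raw request head as 'accepted', 'too_large' or 'malformed'."""
    try:
        read_request_head(io.BytesIO(raw), limit=limit)
    except RequestTooLarge:
        return "too_large"
    except MalformedRequest:
        return "malformed"
    return "accepted"


if __name__ == "__main__":
    # Constructed samples modelled on the post: a normal request, the cnghack.c shape
    # (no HTTP version, endless A's), a valid request line followed by endless headers,
    # and the GET /[bigbuffer] HTTP/1.0 case.
    samples = {
        "normal": b"GET / HTTP/1.0\r\nHost: example.com\r\n\r\n",
        "cnghack": b"GET / HTTP/\r\n" + b"A" * 5000,
        "endless headers": b"GET / HTTP/1.0\r\n" + b"A" * 5000,
        "big buffer": b"GET /" + b"A" * 1000 + b" HTTP/1.0\r\n\r\n",
    }
    for name, raw in samples.items():
        print(f"{name:16s} -> {check_request(raw)}")
```

The cap is enforced on every read, so a client streaming an unbounded body of A's is cut off after at most `limit` bytes of buffered data rather than consuming memory until the connection drops; the early request-line check additionally closes the cnghack.c pattern after the first 64-byte chunk, well before the cap is reached.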