Microsoft IIS Lets Remote Users Deny Service or Execute Arbitrary Code With Malformed HTTP GET Requests
SecurityTracker Alert ID: 1015376
SecurityTracker URL: http://securitytracker.com/id/1015376
Updated: Jul 10 2007
Original Entry Date: Dec 18 2005
Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 5.1 only
A vulnerability was reported in Microsoft Internet Information Server (IIS). A remote user can cause denial of service conditions or execute arbitrary code on the target system.
A remote user can send a specially crafted URL four times to the target IIS service to cause the service to crash. Only folders with Execute Permissions set to 'Scripts & Executables' are affected, such as the '_vti_bin' directory.
A demonstration exploit URL is provided:
IIS versions 5.0 and 6.0 are not affected.
The vendor was notified on January 28, 2005.
The vulnerability was originally reported as having a denial of service impact. However, on July 10, 2007, the vendor indicated that remote code execution is possible.
Demonstration exploit information is provided at:
Inge Henriksen discovered this vulnerability.
Microsoft credits Jonathan Afek and Adi Sharabani of Watchfire with reporting the remote code execution impact.
A remote user can cause the IIS service to crash or execute arbitrary code.
On July 10, 2007, the vendor issued the following fix:
Microsoft Internet Information Services (IIS) 5.1:
A restart is required.
The Microsoft advisory is available at:
Vendor URL: www.microsoft.com/technet/security/bulletin/ms07-041.mspx
Source Message Contents
Date: Fri, 16 Dec 2005 23:46:11 +0000
Subject: Microsoft IIS Remote Denial of Service (DoS) .DLL Url exploit
** Inge Henriksen Security Advisory - Full Disclosure Proof of Concept at http://ingehenriksen.blogspot.com/ **
Microsoft IIS Remote Denial of Service (DoS) .DLL Url exploit
16. December 2005
Microsoft® Internet Information Server® V5.1
Microsoft® Internet Information Server® V5.0
Microsoft® Internet Information Server® V6.0
Inge Henriksen (email@example.com) http://ingehenriksen.blogspot.com/
Notified 28. January 2005. No fix will be released until Microsoft® Windows® XP Service Pack 3
(Rumored due late 2006).
I have found that by doing a malformed anonymous HTTP request one can remotely crash the IIS service
process, inetinfo.exe, using just a simple tool like a web browser. The vulnerability is only present
in folders with Execute Permissions set to Scripts & Executables, examples of vulnerable virtual
folders would be "<webroot>/_vti_bin" and the like.
Block all incoming URLs containing "~0", "~1", "~2", "~3", "~4", "~5", "~6", "~7", "~8", or "~9"
Full Disclosure Proof of Concept at http://ingehenriksen.blogspot.com/
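
The workaround in the source message (blocking URLs that contain "~0" through "~9") can also be run as a check over IIS W3C logs. The Python below is an added example, not code from SecurityTracker, Microsoft or the original advisory. The log lines are constructed, and counting percent-encoded tildes (`%7E`, `%257E`) as matches is an assumption that goes beyond the literal workaround.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed IIS W3C extended log lines (sample data, not from the advisory).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-12-16 23:40:01 192.0.2.10 GET /default.htm - 200
2005-12-16 23:40:05 192.0.2.44 GET /_vti_bin/LONGNA~1/page.htm - 404
2005-12-16 23:40:06 192.0.2.44 GET /_vti_bin/item%7E0 - 500
2005-12-16 23:40:07 192.0.2.44 GET /_vti_bin/item%257e3 - 500
2005-12-16 23:40:09 198.51.100.7 GET /users/~alice/index.htm - 200
2005-12-16 23:40:12 198.51.100.7 GET /search.asp q=a~b 200
"""

# The sequences named in the workaround: "~0" through "~9".
TILDE_DIGIT = re.compile(r"~[0-9]")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %7E and %257E both become '~' (assumed hardening)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_tilde_digit(uri):
    """True when the decoded URI contains a tilde followed by a digit."""
    return bool(TILDE_DIGIT.search(fully_decode(uri)))

def scan_w3c_log(text):
    """Return (hits, per_client): matching (c-ip, uri) rows and hit counts per c-ip."""
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "")
        if row.get("cs-uri-query", "-") != "-":
            uri += "?" + row["cs-uri-query"]
        if has_tilde_digit(uri):
            hits.append((row.get("c-ip"), uri))
    return hits, Counter(ip for ip, _ in hits)
```

The same `has_tilde_digit` check can back a request filter placed in front of the server; a plain tilde with no digit after it, as in `/users/~alice/`, is not matched.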