Microsoft IIS Lets Remote Users Deny Service or Execute Arbitrary Code With Malformed HTTP GET Requests
SecurityTracker Alert ID: 1015376
SecurityTracker URL: http://securitytracker.com/id/1015376
CVE Reference: CVE-2005-4360
Updated: Jul 10 2007
Original Entry Date: Dec 18 2005
Impact: Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included: Yes
Version(s): 5.1 only
Description:
A vulnerability was reported in Microsoft Internet Information Server (IIS). A remote user can cause denial of service conditions or execute arbitrary code on the target system.
A remote user can send a specially crafted URL four times to the target IIS service to cause the service to crash. Only folders with Execute Permissions set to 'Scripts & Executables' are affected, such as the '_vti_bin' directory.
A demonstration exploit URL is provided:
http://[target]/_vti_bin/.dll/*\~0
IIS versions 5.0 and 6.0 are not affected.
The vendor was notified on January 28, 2005.
The vulnerability was originally reported as having a denial of service impact. However, on July 10, 2007, the vendor indicated that remote code execution is possible.
Demonstration exploit information is provided at:
http://ingehenriksen.blogspot.com/
Inge Henriksen discovered this vulnerability.
Microsoft credits Jonathan Afek and Adi Sharabani of Watchfire with reporting the remote code execution impact.
Impact:
A remote user can cause the IIS service to crash or execute arbitrary code.
Solution:
On July 10, 2007, the vendor issued the following fix:
Microsoft Internet Information Services (IIS) 5.1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=fccbfe90-f838-47df-8310-352e2fb47132
A restart is required.
The Microsoft advisory is available at:
http://www.microsoft.com/technet/security/bulletin/ms07-041.mspx
Vendor URL: www.microsoft.com/technet/security/bulletin/ms07-041.mspx
Cause: Boundary error
Underlying OS: Windows (XP)
Message History: None.

Source Message Contents

Date: Fri, 16 Dec 2005 23:46:11 +0000
Subject: Microsoft IIS Remote Denial of Service (DoS) .DLL Url exploit
** Inge Henriksen Security Advisory - Full Disclosure Proof of Concept at http://ingehenriksen.blogspot.com/ **
Advisory Name:
Microsoft IIS Remote Denial of Service (DoS) .DLL Url exploit
Release Date:
16. December 2005
Vulnerable:
Microsoft® Internet Information Server® V5.1
Not vulnerable:
Microsoft® Internet Information Server® V5.0
Microsoft® Internet Information Server® V6.0
Severity:
High
Discovered by:
Inge Henriksen (inge.henriksen@booleansoft.com) http://ingehenriksen.blogspot.com/
Vendor Status:
Notified 28. January 2005. No fix will be released until Microsoft® Windows® XP Service Pack 3
(Rumored due late 2006).
Description:
I have found that by doing a malformed anonymous HTTP request one can remotely crash the IIS service
process, inetinfo.exe, using just a simple tool like a web browser. The vulnerability is only present
in folders with Execute Permissions set to Scripts & Executables, examples of vulnerable virtual
folders would be "<webroot>/_vti_bin" and the like.
Suggested solution:
Block all incoming URLs containing "~0", "~1", "~2", "~3", "~4", "~5", "~6", "~7", "~8", or "~9"
(Ignore quotes).
Full Disclosure Proof of Concept at http://ingehenriksen.blogspot.com/
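
The suggested "~0" through "~9" block rule, written as a request filter and a log check. This is an added example, not part of the advisory or of any vendor tooling. The function names are hypothetical, the log lines are constructed, and the W3C extended field layout is an assumption about how the server's logging is configured.

```python
import re
from urllib.parse import unquote

# Tilde followed by a digit: the substring set the advisory suggests blocking.
TILDE_DIGIT = re.compile(r"~[0-9]")

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %7E0 and %257E0 both reduce to ~0."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def should_block(url):
    """True if the URL contains ~0..~9 once percent-encoding is removed."""
    return bool(TILDE_DIGIT.search(fully_decode(url)))

def flag_log_lines(lines):
    """Yield (client_ip, raw_uri) for W3C extended log entries that match.

    Column positions come from the log's own #Fields: directive.
    """
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "")
        if row.get("cs-uri-query", "-") != "-":
            uri += "?" + row["cs-uri-query"]
        if should_block(uri):
            yield row.get("c-ip", "?"), uri

# Constructed sample log (documentation IP range, made-up status codes).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2005-12-16 23:40:01 192.0.2.10 GET /index.html - 200",
    r"2005-12-16 23:40:05 192.0.2.44 GET /_vti_bin/.dll/*\~0 - 500",
    "2005-12-16 23:40:09 192.0.2.44 GET /docs/PROGRA%7E1/readme.txt - 404",
    "2005-12-16 23:40:12 192.0.2.10 GET /~alice/home.html - 200",
]

if __name__ == "__main__":
    for ip, uri in flag_log_lines(SAMPLE_LOG):
        print(ip, uri)
```

The rule is broad: it also matches 8.3 short file names such as PROGRA~1, while paths like /~alice/ pass because the tilde is not followed by a digit.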