SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server
Vendors:   Microsoft
Microsoft IIS Web Server on Windows 2000 Allows Remote Users to Cause the Server to Consume All Available Memory Due to Memory Leak in WebDAV Lock Method
SecurityTracker Alert ID:  1001565
SecurityTracker URL:  http://securitytracker.com/id/1001565
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 17 2001
Impact:   Denial of service via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): httpext.dll versions prior to 0.9.3940.21 (prior to Windows 2000 SP2)
Description:   Defcom Labs issued an advisory warning of another WebDAV-related vulnerability in Microsoft's Internet Information Server (IIS) that allows remote users to cause the server to consume all available memory.

Defcom Labs reports that the WebDAV LOCK method contains a memory leak that a remote user can trigger by sending continuous LOCK requests for non-existent files:

LOCK /aaaaaaaaaaaaaaaaaaaaaaaaaa.htw HTTP/1.0

If these requests are continually sent, the server will eventually run out of available memory and performance will drop.

Impact:   A remote user can cause the server to consume all available memory, resulting in poor server performance or a server crash and reboot.
Solution:   The vendor has released a patch. The patch (v 0.9.3940.21) is included in Windows 2000 SP2. See the Vendor URL or the following URL for information on Service Pack 2:
http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/default.asp

Vendor URL:  www.microsoft.com/technet/security/
Cause:   Resource error
Underlying OS:  Windows (2000)

Message History:   None.
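
As an added example, not from SecurityTracker or Defcom Labs: one way to spot the request pattern described above in IIS W3C extended logs, by counting LOCK requests per client in a sliding window. The threshold, window size, logged field set and sample log lines are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def parse_w3c(lines):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def lock_bursts(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {client_ip: peak LOCK count in any window} for clients reaching threshold."""
    recent = defaultdict(deque)  # client -> timestamps of LOCKs still inside the window
    peaks = {}
    for rec in parse_w3c(lines):
        if rec.get("cs-method", "").upper() != "LOCK":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        q = recent[rec["c-ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop requests that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[rec["c-ip"]] = max(peaks.get(rec["c-ip"], 0), len(q))
    return peaks

def build_sample():
    """Constructed log lines (documentation IP addresses, not from a real server)."""
    rows = ["#Software: Microsoft Internet Information Services 5.0",
            "#Fields: date time c-ip cs-method cs-uri-stem",
            "2001-05-17 10:00:00 192.0.2.10 GET /default.htm",
            "2001-05-17 10:00:01 192.0.2.20 LOCK /docs/report.doc"]
    # One client repeating the LOCK request from the advisory, once per second
    rows += [f"2001-05-17 10:00:{s:02d} 192.0.2.66 LOCK /aaaaaaaaaaaaaaaaaaaaaaaaaa.htw"
             for s in range(2, 10)]
    rows.append("2001-05-17 10:05:00 192.0.2.20 LOCK /docs/report.doc")
    return rows

if __name__ == "__main__":
    for ip, peak in lock_bursts(build_sample()).items():
        print(f"{ip}: {peak} LOCK requests within 10 seconds")
```

Legitimate WebDAV authoring clients also issue LOCK, so the threshold should be tuned against normal traffic for the site before alerting on it.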


 Source Message Contents

Subject:  def-2001-26: IIS WebDav Lock Method Memory Leak DoS


======================================================================
                  Defcom Labs Advisory def-2001-26

               IIS WebDav Lock Method Memory Leak DoS

Release Date: 2001-05-17
======================================================================
------------------------=[Brief Description]=-------------------------
The WebDav extensions for Internet Information Server 5.0 contain a
flaw that could allow a malicious user to consume all available memory
on the server.

------------------------=[Affected Systems]=--------------------------
- httpext.dll versions prior to 0.9.3940.21 (Windows 2000 SP2)

----------------------=[Detailed Description]=------------------------
The lock method contains a memory leak that will trigger if you send
it continuous requests for non-existing files. E.g.

LOCK /aaaaaaaaaaaaaaaaaaaaaaaaaa.htw HTTP/1.0

Eventually the server will run out of memory and run really slow, you
might argue that the server will then crash, reboot and return to
normal again, but there are a few things that can be done to determine
when you get close to filling up the server's memory, and then it is
just a matter of stopping, and the server won't free the memory. One
way is to combine the attack with asp executions, e.g.

GET /iisstart.asp?uc=a HTTP/1.0

which of course requires the presence of iisstart.asp (but this is
just an example). The script will return execution errors when it
runs out of temporary space on the server to execute the .asp script
and that's when the server is almost out of memory.

---------------------------=[Workaround]=-----------------------------
The problem has been corrected in httpext.dll v.0.9.3940.21, which is
packaged with Windows 2000 Service Pack 2 and according to Microsoft:

"it will ship with each IIS5 hotfix that we release going forward
 (and will be available for SP0, SP1, and SP2+.)"

You can find Service Pack 2 on Microsoft's webpage at:

www.microsoft.com/windows2000/downloads/servicepacks/sp2/default.asp

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 3rd of March,
2001, and the vendor released a patch on the 16th of May.

======================================================================
            This release was brought to you by Defcom Labs

              labs@defcom.com             www.defcom.com
======================================================================






 
 



Copyright 2019, SecurityGlobal.net LLC