SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Microsoft Internet Information Server (IIS) Web Server Vendors:   Microsoft
Microsoft IIS Lets Remote Users Deny Service or Execute Arbitrary Code With Malformed HTTP GET Requests
SecurityTracker Alert ID:  1015376
SecurityTracker URL:  http://securitytracker.com/id/1015376
CVE Reference:   CVE-2005-4360   (Links to External Site)
Updated:  Jul 10 2007
Original Entry Date:  Dec 18 2005
Impact:   Denial of service via network, Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 5.1 only
Description:   A vulnerability was reported in Microsoft Internet Information Server (IIS). A remote user can cause denial of service conditions or execute arbitrary code on the target system.

A remote user can send a specially crafted URL four times to the target IIS service to cause the service to crash. Only folders with Execute Permissions set to 'Scripts & Executables' are affected, such as the '_vti_bin' directory.

A demonstration exploit URL is provided:

http://[target]/_vti_bin/.dll/*\~0

IIS versions 5.0 and 6.0 are not affected.

The vendor was notified on January 28, 2005.

The vulnerability was originally reported as having a denial of service impact. However, on July 10, 2007, the vendor indicated that remote code execution is possible.

A demonstration exploit information is provided at:

http://ingehenriksen.blogspot.com/

Inge Henriksen discovered this vulnerability.

Microsoft credits Jonathan Afek and Adi Sharabani of Watchfire with reporting the remote code execution impact.

Impact:   A remote user can cause the IIS service to crash or execute arbitrary code.
Solution:   On July 10, 2007, the vendor issued the following fix:

Microsoft Internet Information Services (IIS) 5.1:

http://www.microsoft.com/downloads/details.aspx?FamilyId=fccbfe90-f838-47df-8310-352e2fb47132

A restart is required.

The Microsoft advisory is available at:

http://www.microsoft.com/technet/security/bulletin/ms07-041.mspx

Vendor URL:  www.microsoft.com/technet/security/bulletin/ms07-041.mspx (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (XP)
Underlying OS Comments:  XP SP2

Message History:   None.


 Source Message Contents

Subject:  Microsoft IIS Remote Denial of Service (DoS) .DLL Url exploit

** Inge Henriksen Security Advisory - Full Disclosure Proof of Concept at http://ingehenriksen.blogspot.com/ **

Advisory Name: 
Microsoft IIS Remote Denial of Service (DoS) .DLL Url exploit

Release Date: 
16. Desember 2005

Vulnerable: 

Not vulnerable: 

Severity: 
High

Discovered by: 
Inge Henriksen (inge.henriksen@booleansoft.com) http://ingehenriksen.blogspot.com/

Vendor Status: 
(Rumored due late 2006).

Description:
I have found that by doing a malformed anonymous HTTP request one can remotely crash the IIS service 
process, inetinfo.exe, using just a simple tool like a web browser. The vulnerablity is only present 
in folders with Execute Permissions set to Scripts & Executables, examples of vulnerable virtual 
folders would be "<webroot>/_vti_bin" and the like. 

Suggested solution:
Block all incoming URL's containing  "~0", "~1", "~2", "~3", "~4", "~5", "~6", "~7", "~8", or "~9" 
(Ignore quotes).

Full Disclosure Proof of Concept at http://ingehenriksen.blogspot.com/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC