Re: MS IIS 5.0 Access Violation on handling URL String
From: Anthony Benjamin (benjamin POWERWEB.NET)
Date: Fri Jan 14 2000 - 23:41:24 CST
This URL also causes Netscape 4.7 (Win 98) to crash when used as a
location..
So if you embedded it into something, Javascript or otherwise, you could
probably have some fun.
NETSCAPE caused an invalid page fault in
module <unknown> at 0000:2e2e2e2e.
Registers:
EAX=00000000 CS=015f EIP=2e2e2e2e EFLGS=00010246
EBX=0094a5d0 SS=0167 ESP=00b351c4 EBP=2e2e2e2e
ECX=00000000 DS=0167 ESI=0000cc6a FS=1a6f
EDX=81b1200c ES=0167 EDI=00b426c8 GS=0000
Bytes at CS:EIP:
Stack dump:
2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e
2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e
-- Anthony Benjamin [AB Computer Consulting] benjaminpowerweb.net http://www.powerweb.net/Nimajneb
----- Original Message -----
From: "Lark Lizerman" <webmaster DOC2000.DE>
To: <BUGTRAQ SECURITYFOCUS.COM>
Sent: Thursday, January 13, 2000 9:05 PM
Subject: [BUGTRAQ] MS IIS 5.0 Access Violation on handling URL String
Description:
MS IIS 5.0 has problems handling a specific form of URL ending with "ida". The extension ida has been taken from the Bugtraq posting "IIS revealing webdirectories". The problem causes 2 kinds of results. The one result is that the server responds with a message like "URL String too long"; "Cannot find the specified path".
The other error causes the server to terminate with an Access Violation. When the server "Access violates" it displays as last message:
File d:\http\.................................................................... ............................................................................ ............................................................................ ................................???????. Error 0xc0000005 caught while processing query
Reproducing:
As described above, the server gives out, on one and the same string, 2+ error messages. The string will be hosted on an external site, so it doesn't produce too much email traffic for Bugtraq. You find the string at: www.packetshield.de/iisstring.txt (25KB) (Use Netscape Browser to view the file, because MS IE5.0 has a bug preventing viewing txt files in one row, which cuts off a large piece of the string. You can still view it with the "View source" of MS IE5.0. The last 3 bytes of the string are "ida", then the URL is complete.)
As described above there are 2+ kinds of messages:
1) Access Violation with a display on the website you request
2) URL too long
3) Cannot find the specified path
(3) output: File d:\http\.................................................................... ............................................................................ ............................................................................ ................................????. The system cannot find the path specified.
With the one and the same string you get one of the 3 messages. The Access Violation error comes about every 20 times you request. (don't ask me why)
I have 2 screenshots where 2 of the messages are displayed. The system I have tried it out on is a cluster where each backs up the other in case of failure. For that reason I cannot say for sure if the process dies or not, because I got redirected to another server.
The screenshots can be viewed at: http://www.packetshield.de/extra/crash1.jpg www.packetshield.de/extra/crash2.jpg
Sorry the shots are so large (79,114KB, but Bitmap Editor can't compress better :-( )
I hope MS personnel can fix that bug quickly because there is a chance of DoS'ing IIS Webservers, which have disabled "too long URL strings". One server has too long URL check enabled and gives out a "warning".
Temp. Solution:
Enable IIS to check for too long URL strings and block them.
I hope I didn't describe it too difficult, but I still prefer describing it instead of giving an exploit which can be used by every kid without understanding how it works and just doing damage.
-------------------------------
Lark Lizerman
contact: lizerman doc2000.de or lark82 hotmail.com
-------------------------------
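As an added example (not part of either message in this thread), the following sketch scans a W3C extended-format web log for the kind of request the report describes: an overlong URL, padded with a long run of one character and ending in "ida". The length and run thresholds, the function names, and the sample log lines are assumptions constructed for illustration.

```python
import re

# Assumed thresholds for this sketch; tune to the site's longest legitimate URL.
MAX_URI_LEN = 2048
MAX_CHAR_RUN = 64

def longest_run(s):
    """Length of the longest run of one repeated character in s."""
    return max((len(m.group(0)) for m in re.finditer(r"(.)\1*", s, re.DOTALL)), default=0)

def classify_uri(uri):
    """Return the reasons a request target looks anomalous (empty list if none)."""
    reasons = []
    if len(uri) > MAX_URI_LEN:
        reasons.append("too-long")
    if longest_run(uri) >= MAX_CHAR_RUN:
        reasons.append("char-run")
    # The report's string ends in "ida"; only note it on already-anomalous URLs.
    if reasons and uri.lower().endswith("ida"):
        reasons.append("ida-suffix")
    return reasons

def scan_w3c_log(lines):
    """Return (client_ip, uri_length, reasons) for each flagged log entry.
    Column positions are taken from the log's own #Fields directive."""
    fields, hits = [], []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated entry
        rec = dict(zip(fields, parts))
        uri = rec.get("cs-uri-stem", "")
        reasons = classify_uri(uri)
        if reasons:
            hits.append((rec.get("c-ip", "-"), len(uri), reasons))
    return hits

# Constructed sample log (documentation IP addresses, not real traffic).
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2000-01-14 10:00:01 192.0.2.10 GET /index.html 200",
    "2000-01-14 10:00:02 192.0.2.77 GET /" + "." * 3000 + "ida 500",
    "2000-01-14 10:00:03 192.0.2.10 GET /search.ida 200",
]
```

Ordinary requests for ".ida" resources are not flagged; only entries that are also overlong or padded are reported, with the URL length recorded instead of the URL itself.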
This archive was generated by hypermail 2b27 : Mon Jan 17 2000 - 16:38:44 CST