Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
From: Riley Hassell (rhasselleeye.com)
Date: Sat Apr 13 2002 - 08:45:04 CDT
lets see whats up...
Do it first manually. Copy and paste the request into a telnet session with
the web server. I used the telnet.exe that came along with the machine I'm
testing. It's running Windows 2000 Server, build 5.00.2195 with SP2 all the
latest hotfixes prior to Q319733.
Here it is:
POST /iisstart.asp HTTP/1.1
If you have troubles,try hitting [enter] a few more times in your telnet
session after you have pasted the session in. Be patient, IIS may need to
load the ISAPI filter, this could take several seconds or longer depending
on the speed of the system.
Also make sure you haven't changed your iisstart.asp file, just so we have
the same test environment.
For the app you're writing what particular language are you using?
If you're writing an app to check for these, try adding a healthy timeout
limit for data reads. IIS may need to load the filter so it could take a
If IIS is still not throwing the error, then (if you'd like), send me a
packet capture of your telnet session and a copy of the iisstart.asp file on
the machine you're testing. Then I should be able to tell you why it's not
working from that.
There's also the possibility that this vulnerability may have been
introduced with a later version of the IIS related dll releases. Maybe a
underlying code change, or patch caused this issue. Only speculation of
Security Research Associate
eEye Digital Security
and light the world on fire.
> In my case it produces no error and simply responses with page content
> RH> It won't overwrite anything mission critical so the dllhost shouldn't
> RH> up or exit. If you're vulnerable then you'll the following string in
> RH> error message "(0x80004005)<br>Unspecified". When a server is patched
> RH> will respond with a new error, I believe it's
> RH> You can also try putting NULL's in strange places in you request. The
> RH> fixes a problem in parsing requests with NULLs. When IIS see's
> RH> invalid in a request it will error back with "parameter incorrect", on
> RH> unpatched system the responses will vary.
> ...без дубинки никогда не принимался он за программирование. (Лем)