Bugtraq mailing list archives
Reminder: MaxClientRequestBuffer
From: marc () EEYE COM (Marc)
Date: Wed, 3 May 2000 15:33:52 -0700
By default the registry key MaxClientRequestBuffer is not created. It is essential to IIS security to set a limit to MaxClientRequestBuffer. This key sets the allowed amount of input to IIS (basically). So for example if you set MaxClientRequestBuffer to 256 (bytes) and you telnet into the server and hit it with GET /[bigbuffer] HTTP/1.0 you will only be allowed to send approx. 256 bytes. By default though there is no restriction on this so it's easy to create a program to cause IIS to waste memory and use up 100% of the CPU. We were able to use cnghack.c to waste 70megs of memory in a matter of a few minutes.

We've created a demonstration program as a reminder to make sure you have MaxClientRequestBuffer set to something reasonable.

http://www.eeye.com/database/advisories/cnghack.c <-- example code... very broken.

cnghack.c works by doing the following:

Connects to example.com
Sends: GET / HTTP/[return][buffer]

[return] is just an \r\n
[buffer] is a never ending stream of A's

IIS will keep buffering the input therefore wasting memory and in the meantime the processor will sit at 100%.

Some of you might be asking why does IIS accept invalid http syntax in the first place? A normal HTTP request should be something like "GET / HTTP/1.0\r\n\r\n" but this request is "GET / HTTP/\r\n[buffer]" so it should have dropped the connection because we never sent an HTTP version. However, IIS keeps buffering input until it receives \r\n\r\n.

Oh well, I do not have time to go into much more detail. If you have any questions/comments feel free to eMail me directly.

Microsoft was nice enough to write up a KB article about MaxClientRequestBuffer. They've just posted it to their site today so be sure to check it out.
http://support.microsoft.com/support/kb/articles/q260/6/94.ASP

Signed,
Marc
eEye Digital Security
http://www.eEye.com

Going to networld+interop next week? We'll be there at booth 4708 sporting t-shirts that poke fun at NSA so be sure to drop by.
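
The two server-side checks the post argues for, as an added example (not part of the original post, and not IIS or eEye code): a header reader that refuses to buffer past a fixed cap and rejects a request line lacking an HTTP version as soon as the first \r\n arrives, instead of waiting for \r\n\r\n. All names are hypothetical, the 256-byte cap is the post's example value, and version-less HTTP/0.9-style requests are assumed to be unsupported.

```c
#include <stddef.h>
#include <string.h>

/* Assumed cap, mirroring the 256-byte example value in the post. */
#define MAX_REQUEST_BUFFER 256

enum feed_result { NEED_MORE, COMPLETE, TOO_LARGE, BAD_REQUEST_LINE };

struct req_buf {
    char   data[MAX_REQUEST_BUFFER + 1]; /* +1 for the terminating NUL */
    size_t len;
    int    line_checked;                 /* request line already validated */
};

/* A request line is accepted only if it ends in "HTTP/<digit>.<digit>". */
static int request_line_ok(const char *line, size_t n)
{
    const char *p;
    if (n < 8) return 0;
    p = line + n - 8;
    return memcmp(p, "HTTP/", 5) == 0 && p[5] >= '0' && p[5] <= '9'
        && p[6] == '.' && p[7] >= '0' && p[7] <= '9';
}

/* Append one chunk read from the client. An embedded NUL byte hides the
 * terminators from strstr(), so such input ends in TOO_LARGE at the cap. */
enum feed_result feed(struct req_buf *b, const char *chunk, size_t n)
{
    char *eol;
    if (n > MAX_REQUEST_BUFFER - b->len)
        return TOO_LARGE;                /* never buffer past the cap */
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    b->data[b->len] = '\0';
    if (!b->line_checked && (eol = strstr(b->data, "\r\n")) != NULL) {
        if (!request_line_ok(b->data, (size_t)(eol - b->data)))
            return BAD_REQUEST_LINE;     /* fail at the first CRLF */
        b->line_checked = 1;
    }
    return strstr(b->data, "\r\n\r\n") ? COMPLETE : NEED_MORE;
}
```

A caller would close the connection on TOO_LARGE or BAD_REQUEST_LINE and keep reading on NEED_MORE.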