Bugtraq mailing list archives

RE: OWA over ssl shutting down IIS


From: Mihai PETROV <mihai.petrov () gecadsoftware com>
Date: Thu, 23 Aug 2001 20:44:26 +0300

After further testing, the result is the same: HTTP 500 ONLY from that
browser window. On other machines, or another browser on the same machine,
it works fine.

Scenario:

1. Log on to OWA with that weird string (other to test).
2. Get response from server: bad CGI or HTTP-500
3. Restart IIS (it is still working though) - HTTP-500
4. Restart server (panic?) - HTTP 500

3a. Use Netscape - Works
3b. Use other machine - Works
3c. Close all IE windows and open again - Works

Config: NT4 SP6 w/o Rollup Package (SP7). IIS fully patched w/ SSL 128 bits.
Exchange 5.5 SP4 only for OWA (empty IS).

Mihai


-----Original Message-----
From: mms
To: Mihai PETROV
Cc: bugtraq () securityfocus com
Sent: 8/23/01 5:30 PM
Subject: Re: OWA over ssl shutting down IIS




Mihai PETROV <mihai.petrov () gecadsoftware com> wrote:
: I have reached a different result:
: 
: after entering the %'s, the OWA site returns HTTP 500 - Internal server
: error . However, IIS is up and running, other sites work OK.
: It seems that the leak is in the Exchange OWA script (ISAPI?) rather than in
: IIS.
: OWA still not working after restarting IIS.
: 
: Exchange 5.5 SP4, NT4 SP6 w/o rollup package

With a similar build as Mihai, I get the HTTP 500 error, 
however, only from the browser I was trying to log in 
with (IE).  If I switch to another machine (or even just
over to Netscape) I get the splash screen and can log in 
fine.

-matt

: 
: Mihai PETROV
: 
: > -----Original Message-----
: > From: Andrew McQueen [mailto:amcqueen () jstmackintosh co uk]
: > Sent: Thursday, August 23, 2001 1:22 AM
: > To: 'bugtraq () securityfocus com'
: > Subject: OWA over ssl shutting down IIS
: > 
: > 
: > Here is a copy of postings I posted to the iis security forum 
: > 
: > I have just found this bug with our IIS 4 server and OWA 
: > The server is SP6a with the hotfix roll up applied and also 
: > the 128 bit 
: > ssl upgrade OWA is running across 128 bit ssl 
: > 
: > I log onto OWA with an extra long user name of % characters 
: > ie %%%%%%%%% 
: > (at least 30 times)
: > I then receive the NT username and password box if I then 
: > fill both of 
: > these with the same characters and hit return till the page 
: > times out. 
: > 
: > The result ends up with world wide web publishing service is stopped
: > And IIS admin service stopped 
: > 
: > 
: > exchange 5.5 sp4 
: > The iis server is separate to the exchange server 
: > I will be able give more specific info tomorrow! 
: > ie event logs, specific service packs etc 
: > I have replicated this problem 5 times now and not once has 
: > it failed to 
: > work. 
: > Is this a known problem and if not could it be exploited 
: > (apart from DOS) 
: >  
: > Andy Mcqueen (sorry about the footer it is a legal firm and 
: > is compulsory) 
: > 

--
you make enough cheese / you can be my main boo

