|
Brought to you by:
Suppliers of:
|
|
|
| |
Microsoft Internet Information Services (IIS) is "a set of Internet-based services for servers using Microsoft Windows".
Microsoft's IIS 5.1, the version that comes with Windows XP, contains a security vulnerability in its handing of incoming requests that allows remote attackers to cause the service to crash by sending it a malformed request. |
| |
Credit:
The information has been provided by Inge Henriksen.
The original article can be found at: Microsoft IIS Remote DoS .DLL Url exploit
|
| |
Vulnerable Systems:
* Microsoft Internet Information Server version 5.1
Immune Systems:
* Microsoft Internet Information Server version 5.0
* Microsoft Internet Information Server version 6.0
Inge Henrikse have found that by sending a malformed HTTP request one can remotely crash the IIS service process, inetinfo.exe, using just a simple tool like a web browser. The vulnerability is only present in folders with Execute Permissions set to Scripts & Executables, examples of vulnerable virtual folders would be "<webroot>/_vti_bin" and the like.
Workaround:
Block all incoming URL's containing "~0", "~1", "~2", "~3", "~4", "~5", "~6", "~7", "~8", or "~9" (Ignore quotes).
Proof of Concept:
By sending the same malformed request four times using just a web browser, an attacker can crash a IIS 5.1 web server service. The attacked virtual directory Execute Permissions must be set to "Scripts & Executables", like "_vti_bin" and "_sharepoint" etc have.
Type the following URL into a browser and refresh 4 times:
http://www.example.xom/_vti_bin/.dll/*\~0
The * can be any of these ASCII characters:
%01-%1f, %3f, ", *, :, <, >
The last \ can also be a /
The last number can be any number from 0 to 9
Vendor Status:
Notified 28. January 2005.
No fix will be released until Microsoft Windows XP Service Pack 3 (Rumored due late 2006).
|
|
|
|
|
