[13368] in bugtraq
MS IIS 5.0 Access Violation on handling URL String
daemon@ATHENA.MIT.EDU (Lark Lizerman)
Sat Jan 15 03:24:24 2000
Date: Thu, 13 Jan 2000 19:05:53 -0800
Reply-To: Lark Lizerman <webmaster@DOC2000.DE>
From: Lark Lizerman <webmaster@DOC2000.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
Description:
MS IIS 5.0 has problems handling a specific form of URL ending with "ida".
The extension ida has been taken from the Bugtraq posting "IIS revealing webdirectories".
The problem causes 2 kinds of results.
One result is that the server responds with a message like
"URL String too long" or "Cannot find the specified path".
The other error causes the server to terminate with an Access Violation.
When the server "Access violates", it displays as its last message:

File
d:\http\..................................................................................................................................................................................................................................................???????.
Error 0xc0000005 caught while processing query
Reproducing:
As described above, the server gives out, on one and the same string, 2+ error messages.
The string will be hosted on an external site, so it doesn't produce too much email traffic for Bugtraq.
You find the string at: www.packetshield.de/iisstring.txt (25KB)
(Use the Netscape browser to view the file, because MS IE5.0 has a bug that prevents viewing txt files in one row, which cuts off a large piece of the string. You can still view it with "View source" in MS IE5.0. The last 3 bytes of the string are "ida"; then the URL is complete.)
As described above, there are 2+ kinds of messages:
1) Access Violation with a display on the website you request
2) URL too long
3) Cannot find the specified path
(3) output:
File d:\http\..............................................................................................................................................................................................................................................????. The system cannot find the path specified.
With one and the same string you get one of the 3 messages. The Access Violation error comes about every 20 times you request. (don't ask me why)
I have 2 screenshots where 2 of the messages are displayed.
The system I have tried it out on is a cluster where each server backs up the other in case of failure.
For that reason I cannot say for certain if the process dies or not, because I got redirected to another server.
The screenshots can be viewed at:
http://www.packetshield.de/extra/crash1.jpg
www.packetshield.de/extra/crash2.jpg
Sorry the shots are so large (79,114KB, but Bitmap Editor can't compress better :-( )
I hope MS personnel can fix that bug quickly, because there is a chance of DoS'ing IIS webservers which have disabled "too long URL strings".
One server has the too long URL check enabled and gives out a "warning".
Temp. Solution:
Enable IIS to check for too long URL strings and block them.
I hope I didn't describe it in too difficult a way,
but I still prefer describing it instead of giving
an exploit which can be used by every kid
without understanding how it works and just doing damage.
-------------------------------
Lark Lizerman
contact:
lizerman@doc2000.de
or
lark82@hotmail.com
-------------------------------
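A defender-side check for the pattern described in the post, added here as an example and not part of the original message: a request-URL length filter of the kind the "Temp. Solution" asks IIS to enforce, plus a scan of IIS W3C-format log lines for oversized requests whose path ends in ".ida". The sample log lines, client addresses, status codes, the 2048-byte cap and the 1024-byte threshold are constructed assumptions.

```python
# Added example, not code from the original post. Two defender-side checks for
# the pattern the advisory describes: oversized request URLs ending in ".ida".

MAX_URL_LEN = 2048         # assumed cap for the "too long URL" filter
IDA_STEM_THRESHOLD = 1024  # assumed: an .ida stem longer than this is suspect

def check_request_line(request_line, max_len=MAX_URL_LEN):
    """Return (allowed, reason) for a raw HTTP request line such as
    'GET /default.htm HTTP/1.0'. Models the length check the post asks
    IIS to enable: overlong URLs are rejected before any handler runs."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return False, "malformed request line"
    target = parts[1]
    if len(target) > max_len:
        return False, "URL too long (%d bytes)" % len(target)
    return True, "ok"

def parse_w3c(log_text):
    """Yield one dict per record of a W3C extended log, using the
    '#Fields:' directive to name the space-separated columns."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_oversized_ida(log_text, threshold=IDA_STEM_THRESHOLD):
    """Return (client ip, stem length) for requests whose URI stem ends in
    .ida and exceeds the threshold: the shape of request the post reports
    crashing IIS 5.0 with error 0xc0000005."""
    hits = []
    for rec in parse_w3c(log_text):
        stem = rec.get("cs-uri-stem", "")
        if stem.lower().endswith(".ida") and len(stem) > threshold:
            hits.append((rec.get("c-ip", "-"), len(stem)))
    return hits

# Constructed sample log (not real traffic); status codes are placeholders.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2000-01-13 19:05:53 10.0.0.5 GET /default.htm - 200",
    "2000-01-13 19:06:01 10.0.0.9 GET /" + "A" * 3000 + ".ida - 500",
    "2000-01-13 19:06:02 10.0.0.9 GET /query.ida name=test 200",
])
```

Running `find_oversized_ida(SAMPLE_LOG)` on the constructed log flags only the 3005-byte .ida request from 10.0.0.9; the short /query.ida request is left alone.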