[13402] in bugtraq


Re: MS IIS 5.0 Access Violation on handling URL String

daemon@ATHENA.MIT.EDU (Michael Howard)
Tue Jan 18 11:48:31 2000

Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
              micalg=SHA1; boundary="----=_NextPart_000_003A_01BF6110.ACC55DD0"
Message-Id:  <BBE1B65AF746D111868B00805FFEEF641D7271D8@RED-MSG-53>
Date:         Mon, 17 Jan 2000 17:31:15 -0800
Reply-To: Michael Howard <mikehow@MICROSOFT.COM>
From: Michael Howard <mikehow@MICROSOFT.COM>
X-To:         Lark Lizerman <webmaster@DOC2000.DE>, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

This is by design - the call inside IIS is wrapped in an exception
handler and reporting the error. Kinda like this:

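try {
    const char **pF = NULL;  // pointer-to-pointer so the assignment type-checks
    *pF = "Hello, there!";   // write through NULL: access violation (0xC0000005)
} catch (...) {              // catches the access violation under MSVC with /EHa
    // oops! there was an error
}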


Cheers, Michael Howard
Windows 2000 Security
Got an 'Access Denied' problem? Check the appropriate logs first!

-----Original Message-----
From: Lark Lizerman [mailto:webmaster@DOC2000.DE]
Sent: Thursday, January 13, 2000 7:06 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: MS IIS 5.0 Access Violation on handling URL String


Description:

MS IIS 5.0 has problems handling a specific form of URL ending with
"ida".
The extension ida has been taken from the Bugtraq posting "IIS revealing
webdirectories".
The problem causes 2 kinds of results.
The one result is that the server responds with a message like
"URL String too long"; "Cannot find the specified path".

The other error causes the server to terminate with an Access Violation.
When the server "Access violates" it displays as last message:

File
d:\http\................................................................
........................................................................
........................................................................
............................................???????.
Error 0xc0000005 caught while processing query

<snip>
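
A POSIX analogue of the guard pattern sketched in the reply, added here as an illustration; it is not IIS code and not code from either poster. The names `guarded_query` and `process_query`, and the use of SIGSEGV with `sigsetjmp` in place of a Windows exception handler, are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

#define STATUS_ACCESS_VIOLATION 0xC0000005u /* code shown in the quoted error */

static sigjmp_buf guard_env;               /* single-threaded sketch only */
static volatile sig_atomic_t faults_caught;

static void on_fault(int sig) {
    (void)sig;
    faults_caught++;
    siglongjmp(guard_env, 1);              /* unwind back into the guard */
}

/* Hypothetical worker: writes through whatever pointer it is handed.
 * volatile keeps the compiler from optimising the faulting store away. */
static void process_query(volatile char *dst) {
    *dst = 'H';
}

/* Runs the worker under a fault guard. Returns 0 on success, or the
 * access-violation code with a report line in msg if the worker faulted. */
unsigned guarded_query(char *dst, char *msg, size_t n) {
    struct sigaction sa, old;
    unsigned status = 0;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(guard_env, 1) == 0) {    /* saves the signal mask too */
        process_query(dst);
        msg[0] = '\0';
    } else {
        status = STATUS_ACCESS_VIOLATION;
        snprintf(msg, n, "Error 0x%08x caught while processing query", status);
    }
    sigaction(SIGSEGV, &old, NULL);        /* restore the previous handler */
    return status;
}

int main(void) {
    char msg[64], buf[1];
    guarded_query(NULL, msg, sizeof msg);  /* faulting call */
    puts(msg);
    return (int)guarded_query(buf, msg, sizeof msg); /* clean call: 0 */
}
```

A guard of this kind reports that a fault happened; it cannot show whether memory was modified before the faulting access, so the input behind each caught fault is still worth recording and reviewing.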


