[41714] in bugtraq
Microsoft IIS Remote Denial of Service (DoS) .DLL Url exploit
daemon@ATHENA.MIT.EDU (inge.henriksen@booleansoft.com)
Sat Dec 17 17:43:14 2005
Date: 16 Dec 2005 23:46:11 -0000
Message-ID: <20051216234611.10746.qmail@securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: inge.henriksen@booleansoft.com
To: bugtraq@securityfocus.com
** Inge Henriksen Security Advisory - Full Disclosure Proof of Concept at http://ingehenriksen.blogspot.com/ **
Advisory Name:
Microsoft IIS Remote Denial of Service (DoS) .DLL Url exploit
Release Date:
16. Desember 2005
Vulnerable:
Microsoft® Internet Information Server® V5.1
Not vulnerable:
Microsoft® Internet Information Server® V5.0
Microsoft® Internet Information Server® V6.0
Severity:
High
Discovered by:
Inge Henriksen (inge.henriksen@booleansoft.com) http://ingehenriksen.blogspot.com/
Vendor Status:
Notified 28. January 2005. No fix will be released until Microsoft® Windows® XP Service Pack 3
(Rumored due late 2006).
Description:
I have found that by doing a malformed anonymous HTTP request one can remotely crash the IIS service
process, inetinfo.exe, using just a simple tool like a web browser. The vulnerablity is only present
in folders with Execute Permissions set to Scripts & Executables, examples of vulnerable virtual
folders would be "<webroot>/_vti_bin" and the like.
Suggested solution:
Block all incoming URL's containing "~0", "~1", "~2", "~3", "~4", "~5", "~6", "~7", "~8", or "~9"
(Ignore quotes).
Full Disclosure Proof of Concept at http://ingehenriksen.blogspot.com/
