[9150] in bugtraq
IIS 4 Request Logging Security Advisory
daemon@ATHENA.MIT.EDU (mnemonix)
Thu Jan 21 14:31:40 1999
Date: Fri, 22 Jan 1999 10:12:52 -0000
Reply-To: mnemonix <mnemonix@GLOBALNET.CO.UK>
From: mnemonix <mnemonix@GLOBALNET.CO.UK>
X-To: ntbugtraq@listserv.ntbugtraq.com
To: BUGTRAQ@NETSPACE.ORG
There is a combination of problems with IIS 4 that allows a successful
HTTP request to go unlogged.
Microsoft's Internet Information Server 4 allows the use of any request
method of almost any length for a resource that is to be interpreted or
executed on the web server. This includes such files as Active Server Pages,
Perl Scripts and ordinary executables. Consequently a user can request a
file, default.asp, with a request method of AAAAAAAAAAAAAAAAAAAAAAAAA and it
will be returned.
If the request method used, added to the path to the requested resource, is
over c.10150 bytes long, the page is returned and nothing is logged by IIS.
This could allow attacks on the server to go unnoticed.
MS have probably decided to avoid the situation where an attacker could
rapidly fill up disk space by not logging overly long requests. Perhaps it
would be better to truncate such a request and log that.
To demonstrate this I have written an executable called avoid.exe that will
use a request method which is 10140 bytes long that requests /default.asp
from a webserver. This program does not exploit anything other than the
logging avoidance. You can get a copy from
http://www.infowar.co.uk/mnemonix/avoid.exe
This was tested on NT 4 with SP3 + hotfixes. Can someone test this on a SP4
machine?
Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix/
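A defender-side check for the condition the post describes, added here as an example and not part of the original message or of avoid.exe: it inspects a raw HTTP request line as a reverse proxy or log hook would see it, flags non-standard methods and method+path lengths at or above the reported c.10150-byte threshold, and always emits a truncated log record so the request is recorded regardless (the truncation cap, log format and the sample request lines are constructed assumptions).

```python
# Added example (not the advisory's code): inspect an HTTP request line the way a
# front-end proxy or log-processing hook could, so that overlong or odd request
# methods are logged in truncated form rather than silently dropped.

STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}
IIS4_UNLOGGED_THRESHOLD = 10150   # approx. method+path length reported in the advisory
LOG_FIELD_MAX = 64                # constructed cap: truncate each field before logging


def parse_request_line(line: bytes):
    """Split 'METHOD SP TARGET SP VERSION' without assuming the method is sane."""
    parts = line.rstrip(b"\r\n").split(b" ")
    if len(parts) < 2 or not parts[0]:
        raise ValueError("malformed request line")
    method = parts[0]
    if parts[-1].startswith(b"HTTP/") and len(parts) >= 3:
        version, target = parts[-1], b" ".join(parts[1:-1])
    else:                                  # HTTP/0.9 style: no version token
        version, target = b"HTTP/0.9", b" ".join(parts[1:])
    # latin-1 never fails to decode, so arbitrary bytes in the method survive
    return (method.decode("latin-1"), target.decode("latin-1"),
            version.decode("latin-1"))


def _trunc(field: str) -> str:
    if len(field) <= LOG_FIELD_MAX:
        return field
    return field[:LOG_FIELD_MAX] + "...(truncated %d bytes)" % (len(field) - LOG_FIELD_MAX)


def inspect_request_line(line: bytes) -> dict:
    """Return classification plus a bounded log record for one request line."""
    method, target, version = parse_request_line(line)
    combined = len(method) + len(target)
    standard = method in STANDARD_METHODS
    evades = combined >= IIS4_UNLOGGED_THRESHOLD
    flags = []
    if not standard:
        flags.append("nonstandard-method")
    if evades:
        flags.append("exceeds-iis4-log-threshold")
    record = "%s %s %s len=%d%s" % (_trunc(method), _trunc(target), version, combined,
                                    (" FLAGS=" + ",".join(flags)) if flags else "")
    return {"method": method, "path": target, "combined_length": combined,
            "standard_method": standard, "would_evade_iis_log": evades,
            "log_record": record}


def demo():
    # Constructed samples: a normal request and one shaped like the advisory's 10140-byte method.
    samples = [b"GET /default.asp HTTP/1.0\r\n", b"A" * 10140 + b" /default.asp HTTP/1.0\r\n"]
    return [inspect_request_line(s) for s in samples]
```

Every request line produces a log record of bounded size, which is the "truncate and log" behaviour the post suggests instead of dropping the entry.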