iis4_remote_DoS.txt

1999-09-22T00:00:00
ID PACKETSTORM:15712
Type packetstorm
Reporter Packet Storm
Modified 1999-09-22T00:00:00

Description

                                        
                                            `Subject: IIS 4.0 remote DoS (MS99-029)  
To: BUGTRAQ@SECURITYFOCUS.COM   
  
  
Hi,  
  
  
I found a kind of DoS attack against IIS 4.0 on NT SP4 & SP5.  
I reported it to MS and they've provided HotFix for this.  
  
  
Problem Description  
-------------------  
Simple play. I sent lots of "Host:aaaaa...aa" to IIS like...  
  
  
GET / HTTP/1.1  
Host: aaaaaaaaaaaaaaaaaaaaaaa....(200 bytes)  
Host: aaaaaaaaaaaaaaaaaaaaaaa....(200 bytes)  
...10,000 lines  
Host: aaaaaaaaaaaaaaaaaaaaaaa....(200 bytes)  
  
  
I sent twice above request sets. Then somehow victim IIS got  
memory leak after these requests. Of course, it can not  
respond any request any more.  
If you try this, you should see memory increase through  
performance monitor. You would see memory increase even after  
those requests finished already. It will stop when you got  
shortage of virtual memory.  
After that, you might not be able to restart web service and  
you would restart computer.  
I tried this against Japanese and English version of Windows NT.  
  
  
Fix Information  
---------------  
MS announced in their Security Bulletin as following :  
http://www.microsoft.com/security/bulletins/MS99-029faq.asp  
  
  
Additional information  
----------------------  
You'll realize someone release exploit code of this thing.  
It's easy to make it by using perl or another scripts.  
  
  
<Nobuo Miwa> n-miwa@lac.co.jp ( @ @ ) http://www.lac.co.jp/security  
-------------------------------o00o--(. .)--o00o-------------------------  
`