[NT] Microsoft IIS Malformed URI DoS (_vti_bin, _sharepoint)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Microsoft IIS Malformed URI DoS (_vti_bin, _sharepoint)
------------------------------------------------------------------------


SUMMARY

<http://www.microsoft.com/WindowsServer2003/iis/default.mspx> Microsoft
Internet Information Services (IIS) is "a set of Internet-based services
for servers using Microsoft Windows".

Microsoft's IIS 5.1, the version that comes with Windows XP, contains a
security vulnerability in its handing of incoming requests that allows
remote attackers to cause the service to crash by sending it a malformed
request.

DETAILS

Vulnerable Systems:
* Microsoft Internet Information Server version 5.1

Immune Systems:
* Microsoft Internet Information Server version 5.0
* Microsoft Internet Information Server version 6.0

Inge Henrikse have found that by sending a malformed HTTP request one can
remotely crash the IIS service process, inetinfo.exe, using just a simple
tool like a web browser. The vulnerability is only present in folders with
Execute Permissions set to Scripts & Executables, examples of vulnerable
virtual folders would be "<webroot>/_vti_bin" and the like.

Workaround:
Block all incoming URL's containing "~0", "~1", "~2", "~3", "~4", "~5",
"~6", "~7", "~8", or "~9" (Ignore quotes).

Proof of Concept:
By sending the same malformed request four times using just a web browser,
an attacker can crash a IIS 5.1 web server service. The attacked virtual
directory Execute Permissions must be set to "Scripts & Executables", like
"_vti_bin" and "_sharepoint" etc have.

Type the following URL into a browser and refresh 4 times:
http://www.example.xom/_vti_bin/.dll/*\~0

The * can be any of these ASCII characters:
%01-%1f, %3f, ", *, :, <, >

The last \ can also be a /

The last number can be any number from 0 to 9

Vendor Status:
Notified 28. January 2005.
No fix will be released until Microsoft Windows XP Service Pack 3 (Rumored
due late 2006).


ADDITIONAL INFORMATION

The information has been provided by
<mailto:inge.henriksen@xxxxxxxxxxxxxxx> Inge Henriksen.
The original article can be found at:
<http://ingehenriksen.blogspot.com/2005/12/microsoft-iis-remote-dos-dll-url.html> Microsoft IIS Remote DoS .DLL Url exploit



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages