OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq Archives: MS IIS 5.0 Access Violation on handling URL S

MS IIS 5.0 Access Violation on handling URL String

Subject: MS IIS 5.0 Access Violation on handling URL String
From: Lark Lizerman (webmasterDOC2000.DE)
Date: Thu Jan 13 2000 - 21:05:53 CST

Description:

MS IIS 5.0 has problems handling a specific form of URL ending with "ida".
The extension ida has been taken from the Bugtraq posting "IIS revealing webdirectories"
The problem causes 2 kind of results.
The one result is that the server responds with a message like
"URL String too long"; "Cannot find the specified path"

The other error causes the server to terminate with an Access Violation.
When the server "Access violates" it displays as last message:

File
d:\http\............................................................................................................................................................................................................................................................???????.
Error 0xc0000005 caught while processing query

Reproducing:

As described above, the server gives out on one and the same string , 2+ error messages.
The String will be hosted on an external site, so it doesn't produce too much email traffic for Bugtraq.
You find the string at: www.packetshield.de/iisstring.txt (25KB)
(Use Netscape Browser to view the file because MS IE5.0 has a bug preventing viewing txt files in one row what cuts of a large peace
of the string. You can still view it with the "View source" of MS IE5.0. the last 3 bytes of the string are "ida", then the url is complete)

As described above there are 2+ kinds of messages:

1)Access Violation with a display on the website you request
2)URL too long
3)Cannot find the specified path

(3) output:
File d:\http\............................................................................................................................................................................................................................................................????. The system cannot find the path specified.

With the one and the same string you
get one of the 3 messages. The Access Violation error comes about every 20 times you request. (don't ask me why)

I have 2 screenshots where 2 of the messages are displayed.
The system I have tried it out is a cluster where each backups the other on case of failure.
Because of that reason I can not guaranteed say if the process dies or not, because I got redirected to another server.

The screenshots can be viewed at:
http://www.packetshield.de/extra/crash1.jpg
www.packetshield.de/extra/crash2.jpg

Sorry the shots are so large (79,114KB, but Bitmap Editor can't compress better :-( )

I hope MS personal can fix that bug quickly because there is a chance of DoS'ing IIS Webservers, which have disabled "too long URL strings"
One Server has too long URL check enabled and gives out a "warning".

Temp. Solution:

Enable IIS to check for too long URL strings and block them.

I hope I didn't describe it to difficult,
but I still prefer describing it instead of giving
an exploit which can be used by every kid
without understanding how it works and just doing damage
  

-------------------------------
Lark Lizerman
contact:
lizermandoc2000.de
or
lark82hotmail.com
-------------------------------

This archive was generated by hypermail 2b27 : Sat Jan 15 2000 - 00:00:54 CST