Microsoft IIS Remote Denial of Service (DoS) .DLL Url exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Microsoft IIS Remote Denial of Service (DoS) .DLL Url exploit
From: inge.henriksen@xxxxxxxxxxxxxxx
Date: 16 Dec 2005 23:46:11 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

** Inge Henriksen Security Advisory - Full Disclosure Proof of Concept at 
http://ingehenriksen.blogspot.com/ **

Advisory Name: 
Microsoft IIS Remote Denial of Service (DoS) .DLL Url exploit

Release Date: 
16. Desember 2005

Vulnerable: 
Microsoft® Internet Information Server® V5.1

Not vulnerable: 
Microsoft® Internet Information Server® V5.0 
Microsoft® Internet Information Server® V6.0

Severity: 
High

Discovered by: 
Inge Henriksen (inge.henriksen@xxxxxxxxxxxxxxx) 
http://ingehenriksen.blogspot.com/

Vendor Status: 
Notified 28. January 2005. No fix will be released until Microsoft® Windows® XP 
Service Pack 3 
(Rumored due late 2006).

Description:
I have found that by doing a malformed anonymous HTTP request one can remotely 
crash the IIS service 
process, inetinfo.exe, using just a simple tool like a web browser. The 
vulnerablity is only present 
in folders with Execute Permissions set to Scripts & Executables, examples of 
vulnerable virtual 
folders would be "<webroot>/_vti_bin" and the like. 

Suggested solution:
Block all incoming URL's containing  "~0", "~1", "~2", "~3", "~4", "~5", "~6", 
"~7", "~8", or "~9" 
(Ignore quotes).

Full Disclosure Proof of Concept at http://ingehenriksen.blogspot.com/

Prev by Date: Bug in HC
Next by Date: Re: Patches available for IBM AIX flaws
Previous by thread: Bug in HC
Next by thread: Fullpath disclosure in roundcube webmail
Index(es):
- Date
- Thread