Hi,

Maybe using this advisory it would be easier to test for the W3SVC DoS (ACT_DENIAL style)?

Thanks
Noam Rathaus
CTO
Beyond Security Ltd
http://www.SecurITeam.com
http://www.BeyondSecurity.com

----- Original Message -----
From: "Peter Gründl" <pgrundlat_private>
To: "securiteam" <newsat_private>
Sent: Thursday, April 11, 2002 11:32 AM
Subject: KPMG-2002009: Microsoft IIS W3SVC Denial of Service

> --------------------------------------------------------------------
>
> -=>Microsoft IIS W3SVC Denial of Service<=-
> courtesy of KPMG Denmark
>
> BUG-ID: 2002009
> CVE: CAN-2002-0072
> Released: 11th Apr 2002
> --------------------------------------------------------------------
> Problem:
> ========
> A flaw in internal object interaction could allow a malicious user
> to bring down Internet Information Server 4.0, 5.0 and 5.1.
>
>
> Vulnerable:
> ===========
> - Microsoft Internet Information Server 4.0 with FP2002
> - Microsoft Internet Information Server 5.0 with FP2002
> - Microsoft Internet Information Server 5.1 with FP2002
>
> Details:
> ========
> This vulnerability was discovered by Dave Aitel from @stake and by
> Peter Gründl from KPMG. It was done independently, and both
> reported the same two vulnerabilities to the same vendor at around
> the same time.
>
> FrontPage contains URL parsers for dynamic components (shtml.exe/dll).
> If a malicious user issues a request for /_vti_bin/shtml.exe where
> the URL for the dynamic contents is replaced with a long URL, the
> submodule will filter out the URL, and return a null value to the
> web service URL parser. An example string would be 35K of ASCII 300.
> This will cause an access violation and Inetinfo.exe will be shut
> down. Due to the nature of the crash, we do not feel that it is
> exploitable beyond the point of a Denial of Service.
>
> Although servers are supposed to restart the service with "iisreset",
> this only works a few times (if any), and the service is crashed
> until an admin manually restarts the service or reboots the server.
>
>
> Vendor URL:
> ===========
> You can visit the vendor's webpage here: http://www.microsoft.com
>
>
> Vendor response:
> ================
> The vendor was contacted on the 4th of February, 2002. On the 9th
> of April we received a private hotfix, which corrected the issue.
> On the 10th of April, the vendor released a public bulletin.
>
>
> Corrective action:
> ==================
> The vendor has released a patched w3svc.dll, which is included in
> the security rollup package MS02-018, available here:
> http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
>
>
> Author: Peter Gründl (pgrundlat_private)
>
> --------------------------------------------------------------------
> KPMG is not responsible for the misuse of the information we provide
> through our security advisories. These advisories are a service to
> the professional security community. In no event shall KPMG be
> liable for any consequences whatsoever arising out of or in connection
> with the use or spread of this information.
> --------------------------------------------------------------------
>
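A defensive check for the condition the advisory describes, added here as an example and not part of the original post or of KPMG's advisory: it parses IIS W3C extended log records (the sample log is constructed) and flags requests to the FrontPage shtml.exe/shtml.dll handler whose URL length is far beyond anything legitimate. The handler path pattern, the 4096-byte threshold and the logged field names are assumptions.

```python
import re
from collections import namedtuple

# Constructed IIS 5.0 W3C extended log (not from the advisory). The third
# record carries a 9000-byte query against the FrontPage handler.
_TEMPLATE = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-04-11 10:00:01 192.0.2.10 GET /index.htm - 200
2002-04-11 10:00:02 192.0.2.10 GET /_vti_bin/shtml.exe /page.htm 200
2002-04-11 10:00:03 198.51.100.7 GET /_vti_bin/shtml.dll {} 500
2002-04-11 10:00:04 203.0.113.5 GET /_vti_bin/shtml.exe {} 200
"""
SAMPLE_LOG = _TEMPLATE.format("A" * 9000, "B" * 100)

# Assumed: shtml.exe/.dll may be invoked with PATH_INFO, so match the prefix.
FRONTPAGE_HANDLER = re.compile(r"^/_vti_bin/shtml\.(exe|dll)(/|$)", re.I)
MAX_URL_LEN = 4096  # assumed threshold; real FrontPage URLs are far shorter

Hit = namedtuple("Hit", "when client url_len status")


def parse_w3c(text):
    """Yield one dict per record, using the #Fields directive as the schema."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # no schema yet, or a malformed record: skip it
        yield dict(zip(fields, values))


def find_long_shtml_requests(text, max_len=MAX_URL_LEN):
    """Return requests to the FrontPage handler whose URL exceeds max_len."""
    hits = []
    for rec in parse_w3c(text):
        stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-")
        if not FRONTPAGE_HANDLER.match(stem):
            continue
        url_len = len(stem) + (0 if query == "-" else len(query) + 1)
        if url_len > max_len:
            hits.append(Hit(f"{rec.get('date', '')} {rec.get('time', '')}",
                            rec.get("c-ip", ""), url_len, rec.get("sc-status", "")))
    return hits
```

A request that actually crashes inetinfo.exe may never be written to the log, so pair this with monitoring for unexpected W3SVC stops and failed "iisreset" recoveries.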
This archive was generated by hypermail 2b30 : Thu Apr 11 2002 - 12:39:32 PDT