Dear Riley Hassell,

I do use telnet sometimes ;) I mean in case of _patched_ IIS it doesn't

>> RH> will respond with a new error, I believe it's (0x80004005)<br>Request...

but simply shows you a page like it does on GET request... You can try

>telnet www.security.nnov.ru 80
Trying 195.122.226.28...
Connected to ntst.sci-nnov.ru.
Escape character is '^]'.
POST http://www.security.nnov.ru/index.asp HTTP/1.0
Accept: */*
Host: www.security.nnov.ru
Content-Type: application/x-www-form-urlencoded
Transfer-Encoding: chunked
1
E
0

After hitting enter twice you'll see HTML content.

--Saturday, April 13, 2002, 5:45:04 PM, you wrote to 3APA3Aat_private:

RH> let's see what's up...

RH> Do it first manually. Copy and paste the request into a telnet session with the web server. I used the telnet.exe that came along with the machine I'm testing. It's running Windows 2000 Server, build 5.00.2195 with SP2 and all the latest hotfixes prior to Q319733.

RH> Here it is:
RH> ----start
RH> POST /iisstart.asp HTTP/1.1
RH> Accept: */*
RH> Host: hostname-changed.com
RH> Content-Type: application/x-www-form-urlencoded
RH> Transfer-Encoding: chunked
RH> 1
RH> E
RH> 0
RH> ----end

RH> If you have troubles, try hitting [enter] a few more times in your telnet session after you have pasted the session in. Be patient, IIS may need to load the ISAPI filter, this could take several seconds or longer depending on the speed of the system.

RH> Also make sure you haven't changed your iisstart.asp file, just so we have the same test environment.

RH> For the app you're writing what particular language are you using?

RH> If you're writing an app to check for these, try adding a healthy timeout limit for data reads. IIS may need to load the filter so it could take a while.

RH> If IIS is still not throwing the error, then (if you'd like), send me a packet capture of your telnet session and a copy of the iisstart.asp file on the machine you're testing. Then I should be able to tell you why it's not working from that.

RH> There's also the possibility that this vulnerability may have been introduced with a later version of the IIS related dll releases. Maybe an underlying code change, or patch caused this issue. Only speculation of course ;)

RH> -R
RH> Riley Hassell
RH> Security Research Associate
RH> eEye Digital Security
RH> Get up...
RH> and light the world on fire.

>>
>> In my case it produces no error and simply responds with page content after
>>
>> "\r\n"
>> "1\r\n"
>> "E\r\n"
>> "0\r\n"
>> "\r\n"
>>
>>
>> RH> It won't overwrite anything mission critical so the dllhost shouldn't lock up or exit. If you're vulnerable then you'll see the following string in the error message "(0x80004005)<br>Unspecified". When a server is patched it will respond with a new error, I believe it's (0x80004005)<br>Request...
>>
>> RH> You can also try putting NULL's in strange places in your request. The rollup fixes a problem in parsing requests with NULLs. When IIS sees something invalid in a request it will error back with "parameter incorrect", on an unpatched system the responses will vary.
>>
>>
>> --
>> ~/ZARAZA
>> ...he never took up programming without a club. (Lem)
>>

--
~/ZARAZA
A new type of elementary particle has appeared: shkvarks (cracklings). Not very large, slightly burnt. (Lem)
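As an added example (not code from the thread or from either author): a small Python checker that automates the telnet session above against a server you administer, using hypothetical hostnames. It builds the request bytes with explicit CRLFs, applies the generous read timeout Riley recommends, and classifies the answer by the response strings quoted in the thread.

```python
import socket

# Error fragments quoted in the thread: Riley associates the first with an
# unpatched server and the second with a patched one.
UNPATCHED_MARKER = "(0x80004005)<br>Unspecified"
PATCHED_MARKER = "(0x80004005)<br>Request"

def build_chunked_probe(host, path="/iisstart.asp"):
    """The POST from the thread, with explicit CRLF line endings."""
    lines = [
        f"POST {path} HTTP/1.1",
        "Accept: */*",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        "Transfer-Encoding: chunked",
        "",            # blank line terminates the headers
        "1", "E",      # chunk-size 1, chunk-data "E"
        "0", "",       # last-chunk, then the empty line that ends the body
    ]
    return "\r\n".join(lines).encode("ascii") + b"\r\n"

def classify_response(response):
    """Map a raw HTTP response to 'unpatched', 'patched', 'page' or 'unknown'."""
    text = response.decode("latin-1")
    if UNPATCHED_MARKER in text:
        return "unpatched"
    if PATCHED_MARKER in text:
        return "patched"
    head, _, body = text.partition("\r\n\r\n")
    if " 200 " in head.split("\r\n", 1)[0] and "<html" in body.lower():
        return "page"      # what 3APA3A saw: ordinary page content, no error
    return "unknown"

def probe(host, port=80, timeout=30.0):
    """Send the probe to a server you administer and classify its answer."""
    # Generous read timeout, per Riley: IIS may need seconds to load the ISAPI filter.
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_chunked_probe(host))
        received = []
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break          # silent server: stop waiting instead of hanging
            if not data:
                break
            received.append(data)
    return classify_response(b"".join(received))
```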
This archive was generated by hypermail 2b30 : Sat Apr 13 2002 - 10:18:36 PDT