Mailing List Archive

Fw: KPMG-2002009: Microsoft IIS W3SVC Denial of Service
Hi,

Maybe using this advisory it would be easier to test for the W3SVC DoS
(ACT_DENIAL style)?

Thanks
Noam Rathaus
CTO
Beyond Security Ltd
http://www.SecurITeam.com
http://www.BeyondSecurity.com
----- Original Message -----
From: "Peter Gründl" <pgrundl@kpmg.dk>
To: "securiteam" <news@securiteam.com>
Sent: Thursday, April 11, 2002 11:32 AM
Subject: KPMG-2002009: Microsoft IIS W3SVC Denial of Service


> --------------------------------------------------------------------
>
> -=>Microsoft IIS W3SVC Denial of Service<=-
> courtesy of KPMG Denmark
>
> BUG-ID: 2002009
> CVE: CAN-2002-0072
> Released: 11th Apr 2002
> --------------------------------------------------------------------
> Problem:
> ========
> A flaw in internal object interaction could allow a malicious user
> to bring down Internet Information Server 4.0, 5.0 and 5.1.
>
>
> Vulnerable:
> ===========
> - Microsoft Internet Information Server 4.0 with FP2002
> - Microsoft Internet Information Server 5.0 with FP2002
> - Microsoft Internet Information Server 5.1 with FP2002
>
> Details:
> ========
> This vulnerability was discovered by Dave Aitel from @stake and by
> Peter Gründl from KPMG. It was done independently, and both
> reported the same two vulnerabilities to the same vendor at around
> the same time.
>
> Frontpage contains URL parsers for dynamic components (shtml.exe/dll).
> If a malicious user issues a request for /_vti_bin/shtml.exe where
> the URL for the dynamic contents is replaced with a long URL, the
> submodule will filter out the URL, and return a null value to the
> web service URL parser. An example string would be 35K of ascii 300.
> This will cause an access violation and Inetinfo.exe will be shut
> down. Due to the nature of the crash, we do not feel that it is
> exploitable beyond the point of a Denial of Service.
>
> Although servers are supposed to restart the service with "iisreset",
> this only works a few times (if any), and the service is crashed
> until an admin manually restarts the service or reboots the server.
>
>
> Vendor URL:
> ===========
> You can visit the vendor's webpage here: http://www.microsoft.com
>
>
> Vendor response:
> ================
> The vendor was contacted on the 4th of February, 2002. On the 9th
> of April we received a private hotfix, which corrected the issue.
> On the 10th of April, the vendor released a public bulletin.
>
>
> Corrective action:
> ==================
> The vendor has released a patched w3svc.dll, which is included in
> the security rollup package MS02-018, available here:
> http://www.microsoft.com/technet/security/bulletin/ms02-018.asp
>
>
> Author: Peter Gründl (pgrundl@kpmg.dk)
>
> --------------------------------------------------------------------
> KPMG is not responsible for the misuse of the information we provide
> through our security advisories. These advisories are a service to
> the professional security community. In no event shall KPMG be
> liable for any consequences whatsoever arising out of or in
> connection with the use or spread of this information.
> --------------------------------------------------------------------
>
>
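The advisory above describes the crash trigger as a request to /_vti_bin/shtml.exe (or shtml.dll) whose dynamic-content URL has been replaced with a very long string. The following is an added example, not part of the original thread or the KPMG advisory: a small parser for IIS W3C extended log files that flags requests to those two paths whose URL or query is far longer than any FrontPage component would produce. The log lines are constructed, and the 2048-byte threshold is an assumption chosen well below the ~35K mentioned in the advisory.

```python
"""Flag oversized requests to the FrontPage shtml parser in IIS W3C logs."""
import re
from typing import Iterator, List

# Paths named in the KPMG advisory; IIS paths are case-insensitive, and the
# dynamic-content URL may follow the executable as extra path information.
TARGET_STEMS = re.compile(r"^/_vti_bin/shtml\.(exe|dll)(/|$)", re.IGNORECASE)

# Assumed threshold: the advisory speaks of a ~35K string, so a few KB already
# marks a request no legitimate FrontPage component would generate.
MAX_REQUEST_LEN = 2048

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-04-11 09:32:01 192.0.2.10 GET /default.htm - 200",
    "2002-04-11 09:32:05 192.0.2.10 GET /_vti_bin/shtml.exe/index.shtml - 200",
    "2002-04-11 09:32:09 192.0.2.44 GET /_VTI_BIN/shtml.dll " + "A" * 4000 + " 500",
    "2002-04-11 09:32:12 192.0.2.44 GET /_vti_bin/shtml.exe/" + "A" * 3000 + " - 200",
])


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")  # W3C fields never contain raw spaces
        if len(values) != len(fields):
            continue  # malformed record: skip rather than guess
        yield dict(zip(fields, values))


def find_oversized_shtml_requests(text: str, max_len: int = MAX_REQUEST_LEN) -> List[dict]:
    """Return records aimed at shtml.exe/dll whose stem plus query exceeds max_len."""
    hits = []
    for rec in parse_w3c(text):
        stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-")
        request_len = len(stem) + (0 if query == "-" else len(query))
        if TARGET_STEMS.match(stem) and request_len > max_len:
            hits.append({"time": f"{rec['date']} {rec['time']}", "client": rec["c-ip"],
                         "request_len": request_len, "status": rec["sc-status"]})
    return hits


if __name__ == "__main__":
    for hit in find_oversized_shtml_requests(SAMPLE_LOG):
        print(hit)
```

A request that actually takes down inetinfo.exe may never be flushed to the log file, so this check is most useful for spotting earlier probes from the same client and for post-incident review alongside the MS02-018 patch status.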
Re: Fw: KPMG-2002009: Microsoft IIS W3SVC Denial of Service
On Thu, Apr 11, 2002 at 09:38:35PM +0200, Noam Rathaus wrote:
> Hi,
>
> Maybe using this advisory it would be easier to test for the W3SVC DoS
> (ACT_DENIAL style)?
>

Done already. This overflow is trivial to test for - the .htr one is not
OTOH.

-- Renaud