IIS 5.1 DoS exploit released

Published: 2005-12-19
Last Updated: 2005-12-19 22:13:17 UTC
by Swa Frantzen (Version: 3)
0 comment(s)
A Denial of Service (DoS) exploit against IIS 5.1 was brought to our attention. Source code of the exploit is being distributed from multiple sites. The claimed effect of the exploit is to stop the inetinfo.exe process.

We have advised Microsoft of the situation and got a reply they are aware and are investigating. We're eager to see more details from Microsoft.

The troubling part is the simplicity of the URL used in the exploit, so an understanding of what it causes on the server would be very interesting from a security perspective.

Vulnerable versions

Confirmation of the exact conditions where the exploit works will cause updates to this story.

IIS 5.1 comes with Windows XP Professional, but fortunately isn't enabled by default. Even if most professionals will try to avoid using Windows XP on a server, some other software installation might have decided it was a good idea to enable it.

Tests by fellow handler Kevin Liston indicate IIS 6.0 would not be vulnerable to the published exploit, the tests simply logged as 404 errors.

There currently are no indications (yet) to suspect IIS on Windows 2000 and 2003.

Mitigation

The smartest mitigation strategy at this point is to plan an upgrade to the most recent version of IIS.

Detection

A preliminary snort signature made by fellow handler Erik Fichtner :
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (sid:2005121901; rev:1; 
        msg:"[ISC] FrSIRT ADV-2005-2963 IIS 5.1 DoS";
        flow:established;
        uricontent: "/|2e|dll/|2a|/|7e|0";
        content: "POST "; offset: 0; depth: 5;
        reference:url,www.frsirt.com/english/advisories/2005/2963;
        classtype:denial-of-service;)
Adapt it to your needs if you have other directories with execute permissions set to "Scripts & Executables"
Use at your own risk.

In log files the URLs of attempts should match /~[0-9]$/ . For those not familiar with regexps: end with a tilde followed by a digit.

--
Swa Frantzen
Keywords:
0 comment(s)

Comments


Diary Archives