|
Vulnerability IIS Affected IIS 5.0 (httpext.dll versions prior to 0.9.3940.21 - Windows 2000 SP2) Description Following is based on a Defcom Labs Advisory def-2001-26 by Peter Grundl. The WebDav extensions for Internet Information Server 5.0 contain a flaw that could allow a malicious user to consume all available memory on the server. The lock method contains a memory leak that will trigger if you send it continous requests for non-existing files. Eg. LOCK /aaaaaaaaaaaaaaaaaaaaaaaaaa.htw HTTP/1.0 Eventually the server will run out of memory and run really slow, you might argue that the server will then crash, reboot and return to normal again, but there are a few things that can be done to determine when you get close to filling up the servers memory, and then it is just a matter of stopping, and the server won't free the memory. One way is to combine the attack with asp executions, eg. GET /iisstart.asp?uc=a HTTP/1.0 which of course requires the presence of iisstart.asp (but this is just an example). The script will return execution errors when it runs out of temporary space on the server to execute the .asp script and that's when the server is almost out of memory. Solution The problem has been corrected in httpext.dll v.0.9.3940.21, which is packaged with Windows 2000 Service Pack 2 and according to Microsoft: "it will ship with each IIS5 hotfix that we release going forward (and will be available for SP0, SP1, and SP2+.)" You can find Service Pack 2 on Microsofts webpage at: www.microsoft.com/windows2000/downloads/servicepacks/sp2/default.asp