|
Immunity Advisory on IIS Stack Overflow Exception Denial of Service (SPIKE 2.7) Author: Dave Aitel Date: Oct 17, 2002 When IIS 5.0 and 5.1 recieve long headers, they sometimes cause a Stack Overflow Exception (note: not a stack overflow, but an actual exception when the stack runs out of space to expand.) This causes IIS to spin for a certain amount of time, refusing to accept new connections, until it has handled this condition. There is no risk of futher compromise via this vulnerability. This vulnerability can be reproduced, and was originally found, by running SPIKE 2.7's closed_source_web_server_fuzzer against IIS.