Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1997/06/22 20:08:57 UTC

From the horse's mouth

------- Forwarded Message

Date:         Sun, 22 Jun 1997 10:08:05 -0700
Reply-To: John Ludeman <jo...@MICROSOFT.COM>
Sender: Windows NT BugTraq Mailing List <NT...@RC.ON.CA>
From: John Ludeman <jo...@MICROSOFT.COM>
Subject:      Re: IIS DoS
Comments: To: Russ <Ru...@RC.ON.CA>
To: NTBUGTRAQ@RC.ON.CA

<"Alert" from subject line removed>

Just FYI - it's a very specific boundary condition when parsing the
headers.  The end of a token (method, URL, version or header) must be
exactly at 8k, followed by a second token.  Our max header buffer is 8k,
anything beyond gets thrown out as an invalid request.  In this
particular scenario, an index gets misinterpreted as a pointer so we
deref 0x00002000 which, lo and behold, doesn't exist.

The fix was to properly detect when we exceed the 8k boundary when we're
exactly at 8k.  Our test matrix included all the standard tests for long
URLs, long headers, etc., but they didn't happen to hit this very specific
window.

John
johnl@microsoft.com

> -----Original Message-----
> From: Russ [SMTP:Russ.Cooper@RC.ON.CA]
> Sent: Friday, June 20, 1997 11:02 PM
> To:   NTBUGTRAQ@RC.ON.CA
> Subject:      Alert: RE: IIS DoS
>
> IIS on NT 4.0 (the version seems not to matter) can be crashed with a
> URL of specific but long length (4k - 8k, variable per server). Erich
> Siedler sent out the URLs for stories about this bug (Alert members can
> see the message in the archives, http://ntbugtraq.rc.on.ca/archives)
>
> This exploit/bug has been fixed with a Hot Fix now available on the MS
> FTP site. The location is;
>
> ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/iis-fix
>
> Fixes seem only available for USA versions for Intel and Alpha. I
> haven't yet been able to determine what files are actually updated in
> the Hot Fix since it executes far too quickly and I haven't tried it
> with auditing turned on yet. I couldn't find any updated files in the
> INETSRV directory.
>
> **** WARNING!! When you run the Hot Fix it will reboot your machine
> without asking!!! ****
>
> KB article Q143484 is woefully bereft of any useful information about
> the bug, see Todd Fast's site for the only descriptive information
> about it;
>
> http://www.eden.com/~tfast/jihad.html
>
> Cheers,
> Russ
> R.C. Consulting, Inc. - NT/Internet Security
> owner of the NTBugTraq mailing list:
> http://ntbugtraq.rc.on.ca/index.html

------- End of Forwarded Message
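
The boundary case described in the forwarded message, as an added example that is not part of the original thread and is not IIS code: a bounded tokenizer that reports token ends as offsets rather than pointers, plus a regression sweep that tries every first-token length in a window around the 8k limit instead of only "long" inputs. The names split_tokens, check_length and sweep_boundary are hypothetical, and space-separated tokens are an assumption.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HDR 8192  /* 8k header limit, taken from the message above */

/* Split a request head into space-separated tokens (assumed format).
 * Returns the token count, or -1 if the head exceeds MAX_HDR.
 * Token ends go to ends[] as offsets, so an index is never used as a pointer. */
int split_tokens(const char *buf, size_t len, size_t *ends, int max_tokens)
{
    if (len > MAX_HDR)               /* exactly MAX_HDR bytes is the largest head accepted */
        return -1;
    int n = 0;
    size_t i = 0;
    while (i < len && n < max_tokens) {
        while (i < len && buf[i] == ' ') i++;   /* skip separators */
        if (i == len) break;
        while (i < len && buf[i] != ' ') i++;   /* scan to end of token */
        ends[n++] = i;                          /* invariant: i <= len <= MAX_HDR */
    }
    return n;
}

/* Constructed input: first token of first_len bytes, one space, then "B".
 * Returns 1 if split_tokens accepts or rejects it as the limit requires. */
int check_length(size_t first_len)
{
    size_t len = first_len + 2, ends[4];
    char *req = malloc(len);
    if (!req) return 0;
    memset(req, 'A', first_len);
    req[first_len] = ' ';
    req[first_len + 1] = 'B';
    int n = split_tokens(req, len, ends, 4);
    free(req);
    if (len > MAX_HDR) return n == -1;          /* over the limit: must be rejected */
    return n == 2 && ends[0] == first_len && ends[1] == len;
}

/* Try every first-token length within +/- window of MAX_HDR (window <= MAX_HDR);
 * returns the number of lengths that misbehave. */
int sweep_boundary(size_t window)
{
    int failures = 0;
    for (size_t l = MAX_HDR - window; l <= MAX_HDR + window; l++)
        failures += !check_length(l);
    return failures;
}

int main(void) { printf("failures: %d\n", sweep_boundary(16)); return 0; }
```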