From dave@EDIS.ORG Thu Feb 26 01:06:43 1998
From: Dave Edis 
To: BUGTRAQ@NETSPACE.ORG
Date: Thu, 15 Jan 1998 14:24:04 -0800
Subject: IIS/ASP bugs

I tried the following and the server stopped responding
on ieak.microsoft.com:

http://ieak.microsoft.com/ASPSamp/Samples/code.asp?source=/ASPSamp///////Samples/hello.asp

* replace //////// with a few hundred forward slashes

Looks like any IIS server with ASPSamp directory installed is
vulnerable..
(or ASPs that take file paths as input)

And something else... I notice handler mapped file extensions
reveal system file paths for web directories..
ie: try (.idq, .idc, .stm, .pl, .cgi) depending on what is mapped.

example : http://www.microsoft.com/badidea.stm

Returns "Error processing SSI file 'd:\http\badidea.stm'"

=-=
____________________________________________________________________
Dave Edis                                       http://www.edis.org/
From leon@networx.com.au Thu Feb 26 01:07:01 1998
From: Leon O'Brien 
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Date: Fri, 16 Jan 1998 16:49:54 +1000
Subject: Re: Re  IIS/ASP bugs

I've found that only if the directory has execute permissions will it do it.
Now because Microsoft run ASP files over their entire site you would then find
that every directory has execute permissions, therefore giving the response.

Leon O'Brien

-----Original Message-----
From: Sam R. Akhtar 
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM 
Date: Friday, January 16, 1998 2:07 PM
Subject: Re IIS/ASP bugs


>>And something else... I notice handler mapped file extensions
>>reveal system file paths for web directories..
>>ie: try (.idq, .idc, .stm, .pl, .cgi) depending on what is mapped.
>>
>>example : http://www.microsoft.com/badidea.stm
>>
>>Returns "Error processing SSI file 'd:\http\badidea.stm'"
>
>
>
>We're getting a 404 error on the above on NT 4.0\IIS 3.0, all SP\some
>hotfixes applied (TCP\DoS pertinent ones at least).  Has anyone else
>been able to replicate this on an NT\IIS server of any type?  What are
>the specs if so?
>
>We do notice that MS and one other site (of a handful of eight tested)
>is apparently the only NT\IIS site that does this.  Perhaps MS is
>running some ISAPI filter that these other sites are not, or even IIS
>4.0 instead of IIS 3.0?
>
>
>Regards,
>
>Sam Akhtar

=-=

From srakhtar@IBISNET.NET Thu Feb 26 01:09:19 1998
From: "Sam R. Akhtar" 
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Date: Fri, 16 Jan 1998 14:43:08 -0500
Subject: Re: Re  IIS/ASP bugs

>The first version of IIS to support SSI is indeed IIS 4.0. But
>interestingly :-


Not trying to be contrary, but IIS 3.0 does support SOME SSI
functionality, not so sure how complete it is wrt 4.0...

After some more testing on our end, it looks like this error is in IIS
2.0, IIS 3.0 and IIS 4.0
in directories that are marked execute.

So far, all we are seeing is the physical path to the attempted script.
I guess we should be getting 404 errors eh?

Forgive my density, but I'm curious as to how this could be used for
further intrusion into a system.

Regards,


Sam Akhtar

=-=

From jzawodn@WCNET.ORG Thu Feb 26 01:09:23 1998
From: Jeremy Zawodny 
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Date: Fri, 16 Jan 1998 11:05:03 -0500
Subject: Re: Re  IIS/ASP bugs

On Fri, 16 Jan 1998, Peter Bowyer wrote:

> The first version of IIS to support SSI is indeed IIS 4.0. But
> interestingly :-

Not true. It's in 3.0 as well. I'm using it.

Jeremy
--
Jeremy D. Zawodny                 jzawodn@wcnet.org
Web Server Administrator          www@wcnet.org
Wood County Free Net (Ohio)       http://www.wcnet.org/

=-=

From SteveB@HBS.COM Thu Feb 26 01:10:46 1998
From: Steve Boyce 
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Date: Tue, 20 Jan 1998 00:19:58 -0000
Subject: Re: Re  IIS/ASP bugs

This message comes from the script dll, not from IIS.  There's no need
to put badidea.stm, just put .stm, this invokes the script-mapped dll,
which produces the message.  (Different versions of these dlls produce
different messages)

In IIS3 as first released, you could put
www.xxx.com/.stm/myfile.asp
and myfile.asp was sent to the stm processor which, having nothing
better to do with it, just sent the contents of the asp straight back to
the browser.  (This behaviour was as per the strict HTTP spec, but
obviously undesirable)  The first update to IIS3 fixed this by passing
the whole URL string to the ISAPI dll, not just the part to the right of
".stm".  Also, IIS cancels out any ".."s first to avoid climbing back up
the directory tree.

btw, one obvious related thing to avoid at all times is any scripting
application which can take an input file or template via a ? parameter
in the URL: This is open to obvious abuse.


-----Original Message-----
From: Sam R. Akhtar [mailto:srakhtar@IBISNET.NET]
Sent: 16 January 1998 02:16
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re IIS/ASP bugs


>And something else... I notice handler mapped file extensions
>reveal system file paths for web directories..
>ie: try (.idq, .idc, .stm, .pl, .cgi) depending on what is mapped.
>
>example : http://www.microsoft.com/badidea.stm
>
>Returns "Error processing SSI file 'd:\http\badidea.stm'"
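
Steve's closing warning (scripts that take an input file or template via a ? parameter) and Dave's code.asp?source= report both come down to validating a caller-supplied path before touching the file system. The following is an added example, not code from the thread or from Microsoft's ASPSamp; the function names, length limit, extension list and base directory are assumptions. It accepts a site-relative path, collapses repeated and backslash separators, and refuses over-long input, drive letters, traversal and unexpected extensions before a final containment check against the web root:

```python
# Added example (not from the thread): defensive handling of a
# "?source=<path>" style parameter as used by the code.asp sample.
import os
import re
from pathlib import PurePosixPath
from typing import Optional

MAX_SOURCE_LEN = 256                      # assumption: "a few hundred slashes" is never legitimate
ALLOWED_SUFFIXES = {".asp", ".htm", ".html", ".txt"}   # assumption: what the viewer may show


def canonical_source(param: str) -> Optional[str]:
    """Return a clean site-relative path for ``param``, or None if it must be rejected."""
    if not param or len(param) > MAX_SOURCE_LEN:
        return None                                   # bounds the slash-flood case
    # Treat backslashes as separators too (Windows host) and collapse runs of "/".
    s = re.sub(r"[\\/]+", "/", param)
    if re.match(r"^[A-Za-z]:", s):
        return None                                   # drive-qualified path
    parts = [p for p in s.split("/") if p not in ("", ".")]
    if not parts or any(p == ".." for p in parts):
        return None                                   # empty or traversal attempt
    if PurePosixPath(parts[-1]).suffix.lower() not in ALLOWED_SUFFIXES:
        return None                                   # e.g. .sam, .ini, .idc
    return "/".join(parts)


def resolve_under(base_dir: str, param: str) -> Optional[str]:
    """Map the parameter to an absolute path under base_dir, or None if it escapes."""
    rel = canonical_source(param)
    if rel is None:
        return None
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, *rel.split("/")))
    # realpath() also resolves symlinks, so this is the authoritative containment check.
    if os.path.commonpath([base, target]) != base:
        return None
    return target
```

The same check applies to any template or include parameter; the error page that reports the failure should not echo the resolved physical path.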