what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

VIGILANTE-2000003.txt

VIGILANTE-2000003.txt
Posted Jul 15, 2000
Authored by Vigilante | Site vigilante.com

Microsoft IIS v4.0 and 5.0 contain a remote denial of service vulnerability if the server has been upgraded from v3.0. Issuing a malformed request for a certain file contained in /scripts/iisadmin can result in the webserver going into to an infinite loop, causing the web server to no longer accept requests. Microsoft bulletin available here.

tags | exploit, remote, web, denial of service
SHA-256 | 4c48bae0b226218deaf38e5938232cb42629e8cd6e919da87f76a5db9e3da358

VIGILANTE-2000003.txt

Change Mirror Download
"Absent Directory Browser Argument" DoS

Advisory Code: VIGILANTE-2000003

Release Date:
July 15, 2000

Systems Affected:
Internet Information Server 4.0 for NT (upgraded from IIS 3.0)
Internet Information Server 5.0 for NT (upgraded from IIS 3.0)

THE PROBLEM
A system with Internet Information Server 4.0 or 5.0 that was upgraded from
3.0, contains unused remains from 3.0 due to functionality changes in 4.0.
Since it's easy to "accidentally" install 3.0 when you install the server,
there is bound to be quite a few systems out there that haven't cleaned out
the no longer used scripts and thus are vulnerable.
Issuing a malformed request for a certain file contained in
/scripts/iisadmin can result in the webserver going into to an infinite
loop, causing the web server to no longer accept requests. The service will
continue to "pick up" on TCP port 80 (or where ever you installed it), but
will not honour HTTP requests. During testing of this, it was usually
necessary to reboot the machine in order for IIS to start working again,
simply attempting to stop and start inetinfo did not work.

Vendor Status:
Initially reported on the 24th of May this year. Microsoft has released the
following bulletin concerning the issue, including a patch:
http://www.microsoft.com/technet/security/bulletin/MS00-044.asp

Fix:
Internet Information Server 4.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22709
Internet Information Server 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22708


Vendor URL: http://www.microsoft.com
Internet Information Server 4.0 URL:
http://www.microsoft.com/ntserver/web/default.asp
Internet Information Server 5.0 URL:
http://www.microsoft.com/windows2000/guide/server/features/appsvcs.asp

Copyright VIGILANTe 2000-07-15

Disclaimer:
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lays within the user's
responsibility.

Feedback:
Please send suggestions, updates, and comments to:

VIGILANTe
mailto: info@vigilante.com
http://www.vigilante.com

Login or Register to add favorites

File Archive:

February 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    11 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    5 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    0 Files
  • 6
    Feb 6th
    9 Files
  • 7
    Feb 7th
    33 Files
  • 8
    Feb 8th
    34 Files
  • 9
    Feb 9th
    0 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    0 Files
  • 13
    Feb 13th
    0 Files
  • 14
    Feb 14th
    0 Files
  • 15
    Feb 15th
    0 Files
  • 16
    Feb 16th
    0 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    0 Files
  • 20
    Feb 20th
    0 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close