IIS Denial of Service

Reported May 11 by USSRLabs

VERSIONS AFFECTED
  • Internet Information Server 4.0
  • Internet Information Server 5.0

    DESCRIPTION

    IIS has flexibility built in to allow it to process any arbitrary sequence of file extensions or sub-resource identifiers (path_segments). By providing a URL that contains specially malformed file-extension information, a user could arbitrarily increase the work factor associated with parsing the URL. This could consume much or all of the available CPU, constituting a denial of service against the machine for the time required to process the malformed URL, after which service would return to normal.

    DEMONSTRATION

    The malformed URL would contain a large number of periods between the filename and its extension. For example, the following request would deny service temporarily.

    GET /inde....[620 periods total]....stm
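The request shape above is easy to spot in server logs because no legitimate file name carries hundreds of consecutive periods. The following Python is an added example, not part of the USSRLabs advisory or any Microsoft tooling: it parses a constructed IIS W3C-style log excerpt (the `#Fields:` line, field names and client addresses are assumed for illustration) and flags requests whose URI stem contains a run of periods at or above a tunable threshold. The threshold of 8 is an assumed value; pick one that clears the longest run seen in normal traffic.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample of an IIS W3C extended log (assumed field layout, not
# taken from the advisory): ordinary requests plus one carrying the long
# period run described under DEMONSTRATION.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Server 4.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2000-05-11 10:00:01 192.0.2.10 GET /index.stm 200",
    "2000-05-11 10:00:02 192.0.2.10 GET /images/logo.gif 200",
    "2000-05-11 10:00:05 192.0.2.77 GET /inde" + "." * 620 + "stm 200",
    "2000-05-11 10:00:06 192.0.2.10 GET /docs/readme.v1.2.txt 200",
])

PERIOD_RUN = re.compile(r"\.+")


def longest_period_run(uri_stem: str) -> int:
    """Length of the longest run of consecutive '.' characters in a URI stem.

    A normal file name ('/index.stm', '/readme.v1.2.txt') yields 1; a stem
    with no period at all yields 0.
    """
    return max((len(run) for run in PERIOD_RUN.findall(uri_stem)), default=0)


def parse_w3c(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line of a W3C extended log.

    Field names come from the most recent '#Fields:' directive; other '#'
    lines and blank lines are skipped. W3C logs are space-separated and
    URI stems in them contain no spaces, so a plain split is sufficient.
    """
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        yield dict(zip(fields, line.split()))


def flag_period_runs(log_text: str, threshold: int = 8) -> List[Tuple[str, str, int]]:
    """Return (client ip, uri stem, run length) for each request whose URI
    stem contains a run of periods at least `threshold` long.

    `threshold` is an assumed tuning value; legitimate names rarely exceed a
    couple of consecutive periods, so anything in the hundreds is a clear
    signal of the malformed request described in the advisory.
    """
    hits = []
    for record in parse_w3c(log_text):
        uri_stem = record.get("cs-uri-stem", "")
        run = longest_period_run(uri_stem)
        if run >= threshold:
            hits.append((record.get("c-ip", "-"), uri_stem, run))
    return hits


if __name__ == "__main__":
    for client_ip, uri_stem, run in flag_period_runs(SAMPLE_LOG):
        # Truncate the stem so a 600-character run does not flood the console.
        shown = uri_stem if len(uri_stem) <= 40 else uri_stem[:20] + "..." + uri_stem[-12:]
        print(f"{client_ip}  run={run}  {shown}")
```

The same `longest_period_run` check can sit in front of the server (in a reverse proxy or request filter) to reject such paths before IIS parses them, which is the practical mitigation for hosts that cannot take the vendor patch immediately.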

    VENDOR RESPONSE

    Microsoft has issued a patch for the problem.

    Internet Information Server 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20906

    Internet Information Server 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20904

    CREDITS
    Discovered and reported by USSRLabs
