COMMAND
IIS
SYSTEMS AFFECTED
IIS 5.0 (httpext.dll versions prior to 0.9.3940.21 - Windows 2000 SP2)
PROBLEM
The following is based on Defcom Labs Advisory def-2001-26 by
Peter Grundl. The WebDAV extensions for Internet Information
Server 5.0 contain a flaw that could allow a malicious user to
consume all available memory on the server.
The LOCK method contains a memory leak that is triggered by
continuous requests for non-existing files, e.g.:
LOCK /aaaaaaaaaaaaaaaaaaaaaaaaaa.htw HTTP/1.0
Eventually the server will run out of memory and run really slow.
You might argue that the server will then crash, reboot and
return to normal again, but there are a few things that can be
done to determine when you get close to filling up the server's
memory, and then it is just a matter of stopping, and the server
won't free the memory. One way is to combine the attack with ASP
executions, e.g.:
GET /iisstart.asp?uc=a HTTP/1.0
which of course requires the presence of iisstart.asp (but this is
just an example). The script will return execution errors when it
runs out of temporary space on the server to execute the .asp
script and that's when the server is almost out of memory.
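For detection, the request pattern described above shows up in the IIS access log as a burst of LOCK requests from one client. The following is an added example, not part of the original advisory: it assumes W3C extended logging with the date, time, c-ip and cs-method fields enabled, and the function names, threshold and window are illustrative assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def flag_lock_floods(log_lines, threshold=20, window_s=60):
    """Return {client_ip: peak LOCK count in any window} for clients >= threshold."""
    fields, recent, peak = [], defaultdict(deque), defaultdict(int)
    window = timedelta(seconds=window_s)  # assumed window, tune per site
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, parts))
        if rec.get("cs-method", "").upper() != "LOCK":
            continue
        try:
            ts = datetime.strptime(rec["date"] + " " + rec["time"],
                                   "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue  # date/time columns not logged or unparsable
        ip = rec.get("c-ip", "-")
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop LOCKs that fell out of the window
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


def constructed_sample():
    """Constructed log lines for the demo; not taken from a real server."""
    rows = ["#Fields: date time c-ip cs-method cs-uri-stem"]
    for s in range(30):
        rows.append(f"2001-06-01 10:00:{s:02d} 192.0.2.10 LOCK /aaaaaaaaaaaaaaaaaaaaaaaaaa.htw")
        if s % 10 == 0:  # a client taking an occasional lock
            rows.append(f"2001-06-01 10:00:{s:02d} 198.51.100.7 LOCK /docs/plan.doc")
        rows.append(f"2001-06-01 10:00:{s:02d} 198.51.100.7 GET /iisstart.asp")
    return rows


if __name__ == "__main__":
    print(flag_lock_floods(constructed_sample()))
```

On a server that does not use WebDAV authoring, any LOCK request at all is worth reviewing, so the threshold can be set to 1.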
SOLUTION
The problem has been corrected in httpext.dll v.0.9.3940.21, which
is packaged with Windows 2000 Service Pack 2 and according to
Microsoft: "it will ship with each IIS5 hotfix that we release
going forward (and will be available for SP0, SP1, and SP2+.)"
You can find Service Pack 2 on Microsoft's web page at:
www.microsoft.com/windows2000/downloads/servicepacks/sp2/default.asp