COMMAND

    IIS

SYSTEMS AFFECTED

    MS IIS 4.0

PROBLEM

    Nobuo Miwa found a DoS attack against IIS 4.0 on NT SP4 & SP5.
    It is simple: send a large number of "Host: aaaaa...aa" header
    lines to IIS, like this:

        GET / HTTP/1.1
        Host: aaaaaaaaaaaaaaaaaaaaaaa....(200 bytes)
        Host: aaaaaaaaaaaaaaaaaaaaaaa....(200 bytes)
        ...10,000 lines
        Host: aaaaaaaaaaaaaaaaaaaaaaa....(200 bytes)

    If the above request set is sent twice, the victim IIS will leak
    memory after these requests.  Of course, it cannot respond to any
    request any more.  If you try this, you should see memory increase
    in Performance Monitor.  You would see memory increasing even
    after those requests have already finished.  It will stop when you
    run short of virtual memory.  After that, you might not be able to
    restart the web service and you would be forced to restart the
    computer.  This was tested against the Japanese and English
    versions of Windows NT.
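
    The request described above is abnormal in three ways: total
    header size, number of header lines, and a repeated Host header.
    The following is an added example, not part of the original
    advisory or of any Microsoft fix, of a check a filtering proxy
    could apply to the request head; the function name and the limit
    values are assumptions.

```python
# Added example: screen a raw HTTP request head before it reaches the
# web server. The limits are assumed values, not taken from the advisory.
MAX_HEADER_LINES = 100      # assumption: far above any normal client
MAX_HEADER_BYTES = 16384    # assumption: total size of the header block
SINGLETON_HEADERS = {"host", "content-length"}  # must not repeat


def screen_request_head(raw: bytes):
    """Return (ok, reason) for the bytes up to the first blank line."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    if len(head) > MAX_HEADER_BYTES:
        return False, "header block too large"
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    if len(request_line.split(b" ")) != 3:
        return False, "malformed request line"
    if len(header_lines) > MAX_HEADER_LINES:
        return False, "too many header lines"
    seen = set()
    for line in header_lines:
        name, sep, _ = line.partition(b":")
        if not sep or not name.strip():
            return False, "malformed header line"
        key = name.strip().lower().decode("latin-1")
        # A second Host (or Content-Length) line is never legitimate.
        if key in SINGLETON_HEADERS and key in seen:
            return False, "duplicate %s header" % key
        seen.add(key)
    # HTTP/1.1 requires exactly one Host header.
    if request_line.endswith(b"HTTP/1.1") and "host" not in seen:
        return False, "missing host header"
    return True, "ok"


# Constructed sample inputs (not captured traffic).
NORMAL = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nAccept: */*\r\n\r\n"
REPEATED = (b"GET / HTTP/1.1\r\n"
            + (b"Host: " + b"a" * 200 + b"\r\n") * 3
            + b"\r\n")

if __name__ == "__main__":
    for label, sample in (("normal", NORMAL), ("repeated", REPEATED)):
        print(label, screen_request_head(sample))
```

    In a real proxy the byte and line limits have to be enforced
    while the request is being read, so that an oversized head is
    dropped instead of buffered.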

    The first release of the patch for this problem contained a
    regression error.  Here are the basic details:
    * The error lies in how  IIS log files are processed.   If writing
      a log  record caused  the size  of the  log file  to be an exact
      multiple of 64KB, the server would hang.
    * An  affected server  could be  put back  into service by killing
      the  IIS  process,  copying  the  log  file  to a safe location,
      erasing the working copy, and restarting the IIS service.
    * If you have  not installed the patch,  we recommend that you  do
      not do so until the new version is ready.
    * If you have installed the patch, we do not recommend attempting
      to back it out.  The conditions under which the error occurs
      are fairly rare, and we intend to deliver a new version of the
      patch very quickly.  We recommend that you be alert to the
      possibility of the error, but take no other action.

SOLUTION

    Microsoft re-released  the patch  for the  "Malformed HTTP Request
    Header" vulnerability  affecting IIS  4.0.   The regression  error
    that was found in it has been eliminated, and it is available  for
    downloading.

        ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/security/HDBRK-fix/

    The patch can be applied to these products as well:

        - Microsoft Site Server 3.0
        - Microsoft Site Server 3.0, Commerce Edition
        - Microsoft Commerce Internet Server 2.0 and 2.5

    John Hall added the following.  He installed this hot fix last
    week and now attempts to relay with an encap. SMTP address are
    immediately 550'd -- relaying denied.  Congrats!!  However, if
    you put the "IMCEASMTP" in lower case the IMS will accept the
    message.  It won't relay but it will waste bandwidth and disk
    space (smtp message archival) by accepting it.  Depending on
    message size and quantity, this could be a real problem.  This
    might also encourage spammers to resend since they didn't get the
    550 smtp error.