COMMAND
Internet Information Server
SYSTEMS AFFECTED
IIS 5.0
PROBLEM
Lark Lizerman found the following. MS IIS 5.0 has problems handling
a specific form of URL ending with "ida". The extension ida has
been taken from the Bugtraq posting "IIS revealing webdirectories".
The problem causes 2 kinds of results. The first is that the
server responds with a message like "URL String too long" or "Cannot
find the specified path".
The other result is that the server terminates with an Access
Violation. When the server "Access violates" it displays as its last
message:
File
d:\http\............................................................................................................................................................................................................................................................???????.
Error 0xc0000005 caught while processing query
Reproducing: as described above, the server produces 2+ different
error messages for one and the same string. The string is hosted on
an external site. You find the string at:
http://www.packetshield.de/iisstring.txt (25KB)
(Use the Netscape browser to view the file, because MS IE 5.0 has a bug
that prevents viewing txt files in one row, which cuts off a large piece
of the string. You can still view it with "View source" in
MS IE 5.0. The last 3 bytes of the string are "ida"; then the URL
is complete.)
As described above there are 2+ kinds of messages:
1) Access Violation, displayed on the web page you request
2) URL too long
3) Cannot find the specified path
Output for (3):
File d:\http\............................................................................................................................................................................................................................................................????. The system cannot find the path specified.
With one and the same string you get one of the 3 messages.
The Access Violation error comes up about every 20 times you request
it (don't ask me why). Lark has 2 screenshots where 2 of the messages
are displayed. The system Lark tried it out on is a cluster where
each node backs up the other in case of failure. For that reason
one cannot say with certainty whether the process dies or not, because
the request gets redirected to another server.
The screenshots can be viewed at:
http://www.packetshield.de/extra/crash1.jpg
http://www.packetshield.de/extra/crash2.jpg
The URL above also causes Netscape 4.7 (Win 98) to crash when used
as a location. So if you embedded it into something, Javascript
or otherwise, you could probably have some fun.
NETSCAPE caused an invalid page fault in
module <unknown> at 0000:2e2e2e2e.
Registers:
EAX=00000000 CS=015f EIP=2e2e2e2e EFLGS=00010246
EBX=0094a5d0 SS=0167 ESP=00b351c4 EBP=2e2e2e2e
ECX=00000000 DS=0167 ESI=0000cc6a FS=1a6f
EDX=81b1200c ES=0167 EDI=00b426c8 GS=0000
Bytes at CS:EIP:
Stack dump:
2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e
2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e
Ditto for Opera 3.51
OPERA caused an invalid page fault in
module OPERA.EXE at 014f:004aff1d.
Registers:
EAX=0076f5d0 CS=014f EIP=004aff1d EFLGS=00010246
EBX=00000000 SS=0157 ESP=0076f490 EBP=0076f6d8
ECX=0076faec DS=0157 ESI=00000000 FS=23af
EDX=005016d5 ES=0157 EDI=2e2e2e2e GS=0000
Bytes at CS:EIP:
80 3f 00 74 3f 57 e8 e8 04 03 00 59 8d 74 38 ff
Stack dump:
00000000 bfc04db6 004bb98e 2e2e2e2e bfc04db6 bfc02333 17df0002 00026034 00000808
17df05ee 00026034 08080047 84f20000 07af44e5 31d78556 000257f0
SOLUTION
Enable IIS to check for too long URL strings and block them.
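As an added illustration of the log-side counterpart of this fix (example code written for this write-up, not from the advisory, Lark, or Microsoft), the following Python scans IIS W3C extended log lines for over-long request URIs and for ".ida" requests made up of long repeated-character runs, the two shapes the advisory describes. The 1024-byte length threshold, the 64-character run length and the log lines themselves are assumptions constructed for the example.

```python
import re

MAX_URI_LEN = 1024                      # assumed threshold; tune per site
RUN_RE = re.compile(r"(.)\1{63,}")      # 64 or more repeats of one character

# Constructed IIS 5.0 W3C extended log (not a real capture); the third and
# fourth requests mimic the dot-filled .ida URL and the over-long URL the
# advisory describes.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2000-03-01 10:00:01 10.0.0.5 GET /default.htm - 200",
    "2000-03-01 10:00:02 10.0.0.5 GET /index.ida - 200",
    "2000-03-01 10:00:03 10.0.0.9 GET /" + "." * 300 + ".ida - 500",
    "2000-03-01 10:00:04 10.0.0.9 GET /" + "A" * 2000 + " - 500",
])


def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields: header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            parts = line.split(" ")
            if len(parts) == len(fields):   # skip malformed lines instead of mis-mapping columns
                yield dict(zip(fields, parts))


def suspicious(entry):
    """Return a reason if the request matches the advisory's pattern, else None."""
    uri = entry.get("cs-uri-stem", "")
    if len(uri) > MAX_URI_LEN:
        return "uri length %d exceeds %d" % (len(uri), MAX_URI_LEN)
    if uri.lower().endswith(".ida") and RUN_RE.search(uri):
        return "repeated-character run in .ida request"
    return None


def scan(text):
    """Return (client ip, truncated uri, status, reason) for each flagged request."""
    hits = []
    for entry in parse_w3c(text):
        reason = suspicious(entry)
        if reason:
            hits.append((entry["c-ip"], entry["cs-uri-stem"][:40], entry["sc-status"], reason))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The same length check is what a request filter in front of the server should enforce before the URL reaches the ISAPI handler; the log scan only tells you after the fact who sent such requests.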
Michael Howard said the following. This is by design - the call
inside IIS is wrapped in an exception handler and reporting the
error. Kinda like this:
    #include <windows.h>   /* __try/__except: MSVC structured exception handling */
    #include <string.h>
    void demo(void)
    {
        __try {
            char *pF = NULL;
            strcpy(pF, "Hello, there!");   /* write through NULL: access violation 0xc0000005 */
        } __except (EXCEPTION_EXECUTE_HANDLER) {
            /* oops! there was an error; report it instead of crashing */
        }
    }