4th time’s the charm? IIS DoS and how it doesn’t work

a few days ago a bugtraq post was made about an iis dos.

the post was almost completely ignored by everybody, and today we saw a post on sans isc about a vague vulnerability in iis 5.1 (xp) after a post about it on securiteam:
http://www.securiteam.com/windowsntfocus/6e00e2keus.html

now, the funny thing about this exploit is that it will only return an exception on the 4th attempt.

every time, only on the 4th attempt.

this is the best anti-exploitation effort i have ever seen. it is either:
1. a way to avoid exploits.. which is simply unbelievable. ms has gone nuts. this is hilarious. and if you do it, why stop at 4 times? make it go to infinity… uh huh.
2. a way to avoid bugs! hey we are all kind of annoyed from qa and fixing bugs.. if it’s important enough to show up 4 times, let us know and crash the program, will ya?
3. a complete fluke! some bored reverser will let us know why iis does this, no doubt.

still, let us go to the conspiratorial side for a minute:
this is why iis vulnerabilities are hard to come by these days!! microsoft made sure you will only get an exception after 4 times!

so much for all the fuzzers that have been hammering iis all these years, eh? :p

try the exploit, it’s just one url. enter it 4 times, follow it in a debugger and be amazed!

the original text can be found at:
http://ingehenriksen.blogspot.com/2005/12/microsoft-iis-remote-dos-dll-url.html

gadi evron,
ge@beyondsecurity.com.

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy

    sunshine,

    the explanation i can think of for the requirement that four requests be submitted is some kind of memory corruption vulnerability. perhaps this is some kind of use-after-free condition or something of that nature that is causing heap corruption? just a thought. i’m not bored enough to hack iis 5.1. the six people who use it don’t have anything critical to protect.

  • sunshine

    Don’t ruin it for me… this is an evil evil evil stupid protection mechanism. Got it?

    BTW: I know where you live!! :)

    And I really don’t see who would run IIS on XP…

  • http://www.BeyondSecurity.com noam

    Without doing too much disassembling work, one thing that I did notice was a counter counting from 3 to 0 (decrementing each time the attack is conducted).

    When the counter reaches 0, the code jumps to a different section, i.e. an exception occurs…

    This could be some kind of SEH (Software Exception Handler) type of behavior, I am not sure, someone with more Ninja-Skills of debugging/analyzing might have better insight to why it’s counting from 3 to 0.