From: G. Richard Bellamy [Richard@midnightengineers.com]
Sent: Friday, April 17, 1998 5:29 PM
To: 'ntsecurity@iss.net'
Subject: [NTSEC] Forcing Inetinfo to crash with FrontPage extensions, possible DOS attack.

Using that wonderful little tool ported by l0pht from Hobbit's NetCat, I found the following:

When sending the following command to port 80 of an IIS 4.0 server,

    POST /_vti_bin/shtml.dll///////////////(and about 130,000 more of these)/ HTTP/1.0

Inetinfo causes a Page Fault, DRWATSON shows up and takes 100% CPU time.

Is this a known problem, or perhaps an iteration of a known problem?

I put the command in a text file and performed the following:

    nc -v -v www.myserver.com 80 > send1.3.cap

The send1.3.cap file was approximately 128kb when it crashes Inetinfo. I found that when the send1.3.cap file was 96kb, Inetinfo worked just fine. However, I did not spend the time to determine the exact point at which Inetinfo chokes.

Any comments would be appreciated, as the permissions on shtml.dll are rather loose by necessity (maybe I'm wrong here) since it must be available to IUSR_MACHINENAME for execution.

And please, be gentle with me, this is the first time I've posted what I thought was a possible problem, so I'm new at the proper procedures to go through before coming to the group with the information.

G. Richard Bellamy
mailto:richard@midnightengineers.com
VOX:707.887.8814
FOX:707.887.1810

_,.-~-.,__,.-~-.,__,.-~-.,__,.-~-.,_
I am coffee of Borg. Instant is futile. You will be percolated.
_,.-~-.,__,.-~-.,__,.-~-.,__,.-~-.,_
p_priority=PFUN+(p_work/4)+(2*p_cash)
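The failure reported above is triggered by a request line far longer than any legitimate URL. As an added example (not part of the original post, and not code from IIS or FrontPage), the sketch below shows a pre-parse check that a front-end filter could apply: it reads the request line with a hard byte bound and rejects oversized lines or long runs of '/' before any handler sees them. The limits, function names and sample requests are assumptions constructed for illustration.

```python
import io
import re

MAX_REQUEST_LINE = 8192   # assumed limit; tune to the longest legitimate URL
MAX_SLASH_RUN = 8         # assumed threshold for consecutive '/' characters

_SLASH_RUN = re.compile(rb"/{%d,}" % (MAX_SLASH_RUN + 1))


def read_request_line(stream, limit=MAX_REQUEST_LINE):
    """Read one request line, never buffering more than limit+1 bytes.

    Returns (line, None) on success or (None, status) when rejected.
    """
    line = stream.readline(limit + 1)      # bounded read
    if not line:
        return None, 400                   # empty request
    if len(line) > limit:
        return None, 414                   # request line too long
    if not line.endswith(b"\n"):
        return None, 400                   # truncated before the terminator
    return line.rstrip(b"\r\n"), None


def check_request(stream):
    """Return (status, reason); 200 means pass on to the real handler."""
    line, err = read_request_line(stream)
    if err:
        return err, "request line rejected before parsing"
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return 400, "malformed request line"
    _method, target, _version = parts
    if _SLASH_RUN.search(target):
        return 400, "excessive run of '/' in request target"
    return 200, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "normal": b"POST /_vti_bin/shtml.dll/index.htm HTTP/1.0\r\n",
    "slash_run": b"POST /_vti_bin/shtml.dll" + b"/" * 40 + b" HTTP/1.0\r\n",
    "oversized": b"POST /_vti_bin/shtml.dll" + b"/" * 20000 + b" HTTP/1.0\r\n",
}


def run_samples():
    """Map each sample name to the status the check assigns it."""
    return {n: check_request(io.BytesIO(raw))[0] for n, raw in SAMPLES.items()}
```

The oversized sample is rejected after reading only limit+1 bytes, so the cost of refusing it does not grow with the size of the request.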