Microsoft IIS Server
Subject to Denial of Service Attack

Reported June 18, 1997 by Todd Fast

Systems Affected

Windows NT running IIS

The Problem

Microsoft IIS can be made to crash by sending abnormally large URLs (4k-8k or more) to the server.

According to Microsoft personnel, it's a very specific boundary condition when parsing the headers. The end of a token (method, URL, version or header) must be exactly at 8k, followed by a second token. Our max header buffer is 8k, anything beyond gets thrown out as an invalid request. In this particular scenario, an index gets misinterpreted as a pointer so we deref 0x00002000 which lo and behold, doesn't exist.
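A defensive sketch of the boundary condition described above, added here as an example; it is not IIS code and not code from the original advisory. The tokenizer, its function names and its separator set are hypothetical; only the 8k limit comes from the text (8192 is 0x2000, the value dereferenced in the description above).

```c
#include <stddef.h>
#include <string.h>

#define MAX_HEADER 8192u /* the 8k limit from the advisory; 8192 == 0x2000 */

enum tok_status { TOK_OK, TOK_END, TOK_TOO_LONG };

/* Tokens are reported as offset + length with a separate status code, so an
 * offset such as 8192 can never be mistaken for a pointer and dereferenced. */
struct token { size_t off, len; };

static int is_sep(char c) { return c == ' ' || c == '\r' || c == '\n'; }

/* Hypothetical tokenizer over buf[0..n): yields the next token at or after *pos. */
static enum tok_status next_token(const char *buf, size_t n, size_t *pos,
                                  struct token *out)
{
    size_t i = *pos;
    if (n > MAX_HEADER) return TOK_TOO_LONG; /* reject before reading any data */
    while (i < n && is_sep(buf[i])) i++;
    if (i >= n) return TOK_END;              /* i == n means "no more data" */
    out->off = i;
    while (i < n && !is_sep(buf[i])) i++;
    out->len = i - out->off;
    *pos = i;
    return TOK_OK;
}

/* Number of tokens in a request head, or -1 if it exceeds MAX_HEADER. */
static int count_tokens(const char *buf, size_t n)
{
    struct token t; size_t pos = 0; int count = 0;
    for (;;) {
        enum tok_status s = next_token(buf, n, &pos, &t);
        if (s != TOK_OK) return s == TOK_END ? count : -1;
        count++;
    }
}

/* Constructed regression input: first_len filler bytes, optionally then " X". */
static int boundary_case(size_t first_len, int second_token)
{
    static char buf[MAX_HEADER + 16];
    if (first_len > MAX_HEADER) return -2;   /* keep the test buffer in bounds */
    memset(buf, 'A', first_len);
    if (second_token) memcpy(buf + first_len, " X", 2);
    return count_tokens(buf, first_len + (second_token ? 2 : 0));
}

int main(void) { return boundary_case(8192, 1) == -1 ? 0 : 1; }
```

The three cases worth keeping as regression tests are a token that fills the buffer exactly, the same token followed by a second one (rejected as oversized), and two tokens that together end exactly at 8192.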

Verifying the vulnerability to this problem can be done by using this Java Class object. Here is the README text file that goes along with it.

Or, if you prefer, HERE is a binary compiled down for Linux that doesn't rely on Java.

Stopping the Attack

Load the hotfix, located here.

Microsoft's Response:

On June 20, 1997, Microsoft posted hotfixes for this problem -- less than 48 hours after being notified -- kudos.


Credit:
Reported by Todd Fast
Posted here on The NT Shop, June 20, 1997, 5pm