<!DOCTYPE HTML PUBLIC "html.dtd">
<HTML>
<BODY BGCOLOR="#000000" TEXT="#FFFFFF"><PRE>
<FONT COLOR="#CC0000">COMMAND</FONT>
Internet Information Server
<FONT COLOR="#CC0000">SYSTEMS AFFECTED</FONT>
IIS 5.0
<FONT COLOR="#CC0000">PROBLEM</FONT>
Lark Lizerman found the following. MS IIS 5.0 has problems handling
a specific form of URL ending with "ida". The extension ida has
been taken from the Bugtraq posting "IIS revealing webdirectories".
The problem causes two kinds of results. One result is that the
server responds with a message like "URL String too long" or "Cannot
find the specified path".
The other error causes the server to terminate with an Access
Violation. When the server "Access violates" it displays as its last
message:
<FONT COLOR="#00FF00">
File
d:\http\............................................................................................................................................................................................................................................................???????.
Error 0xc0000005 caught while processing query
</FONT>
Reproducing? As described above, the server gives out, on one and
the same string, 2+ error messages. The string will be hosted on
an external site. You find the string at:
<FONT COLOR="#00FF00">
http://www.packetshield.de/iisstring.txt (25KB)
</FONT>
(Use the Netscape browser to view the file, because MS IE 5.0 has a bug
preventing it from viewing txt files in one row, which cuts off a large
piece of the string. You can still view it with "View source" in
MS IE 5.0. The last 3 bytes of the string are "ida"; then the URL
is complete.)
As described above, there are 2+ kinds of messages:
<FONT COLOR="#00FF00">
1) Access Violation with a display on the website you request
2) URL too long
3) Cannot find the specified path
</FONT>
Output for (3):
<FONT COLOR="#00FF00">
File d:\http\............................................................................................................................................................................................................................................................????. The system cannot find the path specified.
</FONT>
With one and the same string you get one of the 3 messages.
The Access Violation error comes about every 20th time you request.
(don't ask me why) Lark has 2 screenshots where 2 of the messages
are displayed. The system Lark tried it on is a cluster where
each node backs up the other in case of failure. For that reason
one cannot say with certainty whether the process dies or not, because
the request gets redirected to another server.
The screenshots can be viewed at:
<FONT COLOR="#00FF00">
http://www.packetshield.de/extra/crash1.jpg
http://www.packetshield.de/extra/crash2.jpg
</FONT>
The URL above also causes Netscape 4.7 (Win 98) to crash when used
as a location. So if you embedded it into something, JavaScript
or otherwise, you could probably have some fun. In the fault report
below, EIP, EBP and the stack dump all read 2e2e2e2e; 0x2e is the
ASCII code for ".", the character the URL consists of.
<FONT COLOR="#00FF00">
NETSCAPE caused an invalid page fault in
module <unknown> at 0000:2e2e2e2e.
Registers:
EAX=00000000 CS=015f EIP=2e2e2e2e EFLGS=00010246
EBX=0094a5d0 SS=0167 ESP=00b351c4 EBP=2e2e2e2e
ECX=00000000 DS=0167 ESI=0000cc6a FS=1a6f
EDX=81b1200c ES=0167 EDI=00b426c8 GS=0000
Bytes at CS:EIP:
Stack dump:
2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e
2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e
</FONT>
<FONT COLOR="#CC0000">SOLUTION</FONT>
Enable IIS to check for too long URL strings and block them.
Michael Howard said the following. This is by design - the call
inside IIS is wrapped in an exception handler and reports the
error. Kinda like this:
<FONT COLOR="#00FF00">
/* Windows Structured Exception Handling (__try/__except from windows.h);
   a plain C++ try/catch does not catch an access violation. */
__try {
    char *pF = NULL;
    *pF = 'H';            /* write through a NULL pointer: access violation 0xC0000005 */
} __except (EXCEPTION_EXECUTE_HANDLER) {
    /* oops! there was an error - report it and keep the server running */
}
</FONT>
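As an added example, not part of the original advisory, the log-side counterpart of the mitigation above: it parses IIS W3C extended log lines in an assumed seven-field layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) and flags .ida requests whose URI stem is overlong or contains the long run of dots seen in the crashing URL. The length threshold, the dot-run threshold and the sample log lines are constructed for illustration.

```python
import re
from typing import Dict, List

# Thresholds are assumptions for this example; tune them to your deployment.
MAX_URI_STEM_LEN = 260            # longer than any legitimate path on the server
DOT_RUN = re.compile(r"\.{8,}")   # eight or more consecutive dots, as in the crashing URL

# Assumed IIS 5.0 W3C extended log field order for this example.
FIELDS = ["date", "time", "c_ip", "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status"]


def parse_w3c_line(line: str) -> Dict[str, str]:
    """Split one W3C extended log line into a field dict; directives and blanks give {}."""
    if line.startswith("#") or not line.strip():
        return {}
    parts = line.split()
    if len(parts) != len(FIELDS):
        return {}
    return dict(zip(FIELDS, parts))


def classify_ida_request(stem: str) -> List[str]:
    """Return the reasons a cs-uri-stem matches the malformed .ida request described above."""
    reasons: List[str] = []
    if not stem.lower().endswith(".ida"):
        return reasons                      # only .ida requests are of interest here
    if len(stem) > MAX_URI_STEM_LEN:
        reasons.append("uri-stem-too-long")
    if DOT_RUN.search(stem):
        reasons.append("dot-run-in-path")
    return reasons


def flag_ida_requests(log_text: str) -> List[Dict[str, str]]:
    """Scan log text and collect client IP, status and reasons for each suspicious .ida request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_w3c_line(line)
        if not rec:
            continue
        reasons = classify_ida_request(rec["cs_uri_stem"])
        if reasons:
            hits.append({"c_ip": rec["c_ip"], "sc_status": rec["sc_status"],
                         "reasons": ",".join(reasons)})
    return hits


# Constructed sample log: a normal .ida request, a malformed one mirroring the advisory,
# and an unrelated long request that must not be flagged.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2000-03-01 10:00:01 192.0.2.10 GET /scripts/query.ida q=test 200",
    "2000-03-01 10:00:02 192.0.2.20 GET /" + "." * 300 + ".ida - 500",
    "2000-03-01 10:00:03 192.0.2.30 GET /" + "a" * 300 + ".htm - 404",
])

if __name__ == "__main__":
    for hit in flag_ida_requests(SAMPLE_LOG):
        print(hit)
```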
</PRE></BODY>
</HTML>