Microsoft IIS Remote DoS .DLL Url exploit

A 33-year-old male from Norway released a proof-of-concept exploit for an unpatched vulnerability related to Microsoft Internet Information Server v5.1.


The exploit works by sending a malformed HTTP request four (4) times to a target server running the IIS service, using nothing more than a web browser. “The reason for the four time “rule” for the process to crash is because of an internal counter inside the inetinfo.exe process”, the author added. The vulnerability is present only on virtual directories with the Execute Permission set to Scripts and Executables, such as “_vti_bin” and the like.


This exploit can remotely crash the IIS service process, inetinfo.exe, on the target web server, resulting in a remote Denial of Service (DoS). Microsoft has known about the vulnerability since January 28, 2005, but no patch has been released up until now.


I have conducted a test and it really crashes the IIS service, inetinfo.exe, on my Windows XP SP0. I am running an IIS service with version 5.1.2600.1. I have entered the following URL address in the address bar of my Internet Explorer (from the other machine) and refreshed it four times.


http://10.10.1.100/<BLOCKED>/.dll/*~0


This is the message that I’ve got from the vulnerable web server.


Note:

The 10.10.1.100 is the address of my vulnerable web server.
The * can be any of these ASCII characters:
%01-%1f, %3f, ", *, :, <, >
The last can also be a /
The “~0” can also be one of the following:
“~1”, “~2”, “~3”, “~4”, “~5”, “~6”, “~7”, “~8”, or “~9”
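
A log check built on the pattern in the note above, as an added example (not code from the original post or from the exploit author): it scans IIS W3C log lines for the malformed .dll sequence and lists clients that reach the four-request count. The sample log, the client addresses and the /exampledir/ path are constructed, and tolerating a slash or backslash before the "~" is an assumption.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Wildcard position: %01-%1f, ?, ", *, :, <, > (the list from the note above).
# Assumption: an optional "/" or "\" is tolerated before the "~digit" suffix.
PATTERN = re.compile(r'/\.dll/[\x01-\x1f?"*:<>][/\\]?~[0-9]', re.IGNORECASE)

def is_suspicious(uri):
    """True if the percent-decoded URI contains the malformed .dll sequence."""
    return bool(PATTERN.search(unquote(uri)))

def scan(lines, threshold=4):
    """Return ({client_ip: hits}, [ips with hits >= threshold]) for a W3C log."""
    fields, hits = [], Counter()
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        if query not in ("", "-"):
            # A literal "?" in the request is logged as a stem/query split.
            uri += "?" + query
        if is_suspicious(uri):
            hits[row.get("c-ip", "unknown")] += 1
    flagged = sorted(ip for ip, n in hits.items() if n >= threshold)
    return dict(hits), flagged

# Constructed sample log (not captured from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query
2005-12-19 21:58:01 10.10.1.50 GET /exampledir/.dll/*~0 -
2005-12-19 21:58:02 10.10.1.50 GET /exampledir/.dll/%3A~3 -
2005-12-19 21:58:03 10.10.1.50 GET /exampledir/.dll/%1f~9 -
2005-12-19 21:58:04 10.10.1.50 GET /exampledir/.dll/ ~0
2005-12-19 21:59:10 10.10.1.77 GET /exampledir/shtml.dll -
2005-12-19 21:59:12 10.10.1.77 GET /exampledir/.dll/<~1 -
""".splitlines()

if __name__ == "__main__":
    counts, flagged = scan(SAMPLE_LOG)
    print("hits per client:", counts)
    print("clients at or above threshold:", flagged)
```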


Update (JoneZ, 19 December 2005 22:04:28)

The French Security Incident Response Team (FrSIRT) just published exploit code for this vulnerability.