"Invalid URL" DoS

Advisory Code:   VIGILANTE-2000009

Release Date:
September 6, 2000

Systems Affected:
- Internet Information Server 4.0 for Windows NT 4.0
- Possibly Windows NT 4.0 in general (read Microsoft's note) 


THE PROBLEM
A certain series of requests can cause INETINFO.EXE to gradually
consume all system ressources (99-100% CPU and all memory). When
the pagefile can't expand any further, INETINFO.EXE is killed by
the operating system, with possibly a dialogue box on your screen
stating that the system is running low on virtual memory. During
testing it was found that usually you wouldn't even see this box.
It requires a restart of the www service for IIS to start working
again. 
Initially we believed this to be a problem with IIS, but Microsoft
has pointed out that this is a problem within Windows NT 4.0 (which
might explain why we couldn't reproduce it on Internet Information
Server 5.0). For this reason, you should probably consider applying
the patch on any production environments, running on Windows NT 4.0.

Vendor Status:
Initially reported on the 16th of May this year. Microsoft has
released the following bulletin concerning the issue, including a 
patch: 
http://www.microsoft.com/technet/security/bulletin/MS00-063.asp

Fix: 
Windows NT 4.0 Workstation, Server and Server, Enterprise Edition: 
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24079

Windows NT 4.0 Server, Terminal Server Edition: To be released shortly 

Vendor   URL: http://www.microsoft.com
Internet Information Server 4.0 URL: 
http://www.microsoft.com/ntserver/web/default.asp


Copyright VIGILANTe 2000-03-16

Disclaimer:
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any consequences whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information lays within the user's
responsibility.

Feedback:
Please send suggestions, updates, and comments to:

VIGILANTe
mailto: swat@vigilante.com
http://www.vigilante.com