COMMAND

    Internet Information Server

SYSTEMS AFFECTED

    IIS 5.0

PROBLEM

    Lark Lizerman found the following.  MS IIS 5.0 has problems handling
    a specific form of URL ending with "ida".  The extension "ida" was
    taken from the Bugtraq posting "IIS revealing webdirectories".  The
    problem produces two kinds of result.  One is that the server
    responds with a message like "URL String too long" or "Cannot find
    the specified path".

    The other is that the server terminates with an Access Violation.
    When the server access-violates, the last message it displays is:

        File
        d:\http\............................................................................................................................................................................................................................................................???????.
        Error 0xc0000005 caught while processing query

    Reproducing it: as described above, one and the same string produces
    two or more different error messages from the server.  The string is
    hosted on an external site; you find it at:

        http://www.packetshield.de/iisstring.txt (25KB)

    (Use the Netscape browser to view the file, because MS IE 5.0 has a
    bug that prevents viewing txt files as a single row, which cuts off
    a large piece of the string.  You can still view it with "View
    source" in MS IE 5.0.  If the last 3 bytes of the string are "ida",
    the URL is complete.)

    As described above, there are two or more kinds of messages:

        1) Access Violation with a display on the website you request
        2) URL too long
        3) Cannot find the specified path

    Output of (3):

        File d:\http\............................................................................................................................................................................................................................................................????. The system cannot find the path specified.

    With one and the same string you get one of the 3 messages.  The
    Access Violation error shows up about once every 20 requests (don't
    ask me why).  Lark has 2 screenshots in which 2 of the messages are
    displayed.  The system Lark tried it out on is a cluster in which
    each node backs up the other in case of failure.  For that reason
    one cannot say with certainty whether the process dies or not,
    because the request gets redirected to another server.

    The screenshots can be viewed at:

        http://www.packetshield.de/extra/crash1.jpg
        http://www.packetshield.de/extra/crash2.jpg

    The URL above also causes Netscape 4.7 (Win 98) to crash when used
    as a location.  So if you embed it into something, Javascript or
    otherwise, you could probably have some fun.

        NETSCAPE caused an invalid page fault in
        module <unknown> at 0000:2e2e2e2e.
        Registers:
        EAX=00000000 CS=015f EIP=2e2e2e2e EFLGS=00010246
        EBX=0094a5d0 SS=0167 ESP=00b351c4 EBP=2e2e2e2e
        ECX=00000000 DS=0167 ESI=0000cc6a FS=1a6f
        EDX=81b1200c ES=0167 EDI=00b426c8 GS=0000
        Bytes at CS:EIP:

        Stack dump:
        2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e
        2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e 2e2e2e2e

SOLUTION

    Enable IIS to check for overly long URL strings and block them.
    Michael Howard said the following: this is by design; the call
    inside IIS is wrapped in an exception handler that reports the
    error.  Kinda like this:

        try {
            char *pF = NULL;
            // write through a NULL pointer: raises an access violation (0xc0000005)
            strcpy(pF, "Hello, there!");
        } catch (...) {
            // oops! there was an error - report it instead of dying
            // (with MSVC, catch(...) only sees the access violation when
            // built with /EHa; otherwise this needs SEH __try/__except)
        }
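    A defender-side illustration of the check the solution above asks
    for, added here as example code that is not part of the advisory
    and not IIS's own code.  It parses IIS W3C extended log lines (a
    constructed sample, not Lark's logs) and flags request paths that
    are overlong or consist of a long run of dots ending in "ida"; the
    same classifier can serve as a pre-filter that rejects such requests
    before they reach the handler.  The length limit (255) and the
    dot-run threshold (16) are assumed policy values, not IIS defaults.
    The Netscape register dump above is the reason the dot run is worth
    alerting on: EIP and EBP read 0x2e2e2e2e, and 0x2e is the ASCII code
    for ".", so the dots from the path ended up in the saved frame.

```python
"""Flag overlong or dot-padded .ida requests in IIS W3C extended logs.

Added example.  Log lines, the 255-byte limit and the 16-dot threshold
are constructed for illustration and are not taken from the advisory.
"""
import re

MAX_URI_LEN = 255                   # assumed policy limit, not an IIS constant
DOT_RUN = re.compile(r"\.{16,}")    # 16 or more consecutive dots in the path

# Constructed sample log (not real traffic); field set mirrors a typical
# IIS 5.0 W3C extended configuration.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2000-09-01 10:00:01 10.0.0.5 GET /default.htm - 200",
    "2000-09-01 10:00:02 10.0.0.5 GET /images/logo.gif - 200",
    "2000-09-01 10:00:03 10.0.0.9 GET /" + "." * 300 + "ida - 500",
    "2000-09-01 10:00:04 10.0.0.9 GET /scripts/" + "." * 20 + "ida - 404",
    "2000-09-01 10:00:05 10.0.0.7 GET /scripts/some.ida - 404",
    "2000-09-01 10:00:06 10.0.0.7 GET /a/b/c.htm - 200",
])


def parse_w3c(text):
    """Parse W3C extended log text into a list of dict rows.

    Field names come from the most recent '#Fields:' directive, so the
    parser follows whatever field set the server was configured with.
    Rows whose column count does not match the header are skipped.
    """
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def classify_uri(uri_stem, max_len=MAX_URI_LEN):
    """Return a reason string if the URI stem matches the advisory's
    pattern (overlong, or a dot run ending in 'ida'), else None."""
    if len(uri_stem) > max_len:
        return "overlong-uri"
    if uri_stem.lower().endswith("ida") and DOT_RUN.search(uri_stem):
        return "dot-padded-ida"
    return None


def flag_requests(log_text, max_len=MAX_URI_LEN):
    """Return (c-ip, reason, truncated uri, sc-status) for suspicious rows."""
    hits = []
    for row in parse_w3c(log_text):
        stem = row.get("cs-uri-stem", "")
        reason = classify_uri(stem, max_len)
        if reason:
            shown = stem[:40] + ("..." if len(stem) > 40 else "")
            hits.append((row.get("c-ip", "-"), reason, shown,
                         row.get("sc-status", "-")))
    return hits


def should_block(request_path, max_len=MAX_URI_LEN):
    """Pre-filter policy: True if the request should be rejected before
    it reaches the .ida handler (the "check and block" in the solution)."""
    return classify_uri(request_path, max_len) is not None


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(*hit)
```

    Run stand-alone it prints the two flagged rows from the sample (one
    overlong, one dot-padded); point parse_w3c at a real log file to
    run the same rules over production traffic.  Checking length before
    the dot pattern means a request blocked for size never needs the
    regular expression at all.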