Thursday, April 16, 2015

Crash 1/3 of the Internet with MS15-034?

SANS Internet Storm Center raised their Threat Level to Yellow today and with very good reason.

Netcraft says in their 2014 report that about 33% of Web Servers on the Internet were Micrsoft IIS. Can you image crashing them all with a simple HTTP request?

With some slight modifications to the's python test script I was able to use it to cause a Windows 2012 Test Box to immediately Crash and Reboot. Yikes!!!!

It's also bad because on my test windows box, there were no logs (System and application, or IIS Logs) that the request even happened! The only thing I saw was after the server rebooted and you get the standard message below

That's one heck of a DoS! And it's scarier than that, because Microsoft listed this as Remote Code Execution so it's possible that even worse attacks are on the way!

In general the changes needed to the Python script above are ...
- Change the range to an exploitable value that sans mentioned like 18-18446744073709551615
- Change the attack to hit a specific file that exists like a png(it doesn't appear to work on non-existant or redirected files/pages)
- Change the attack to a for loop of multiple requests instead of 1


Patch and Patch fast.

I did see that somebody named Malik Mesellem (@MME_IT) pasted something similar on pastebin

Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

No comments:

Post a Comment