Rapid7 Vulnerability & Exploit Database

Microsoft ASP.Net DOS device denial of service

Back to Search

Microsoft ASP.Net DOS device denial of service

Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
05/29/2007
Created
07/25/2018
Added
08/06/2007
Modified
12/04/2013

Description

Microsoft IIS version 6.0 contains a flaw which may allow an attacker to cause a denial of service condition (service hang) or read arbitrary physical device streams (COM, LPT) by specifying a DOS device name in a GET request whose URI contains a '/' character immediately before and after the name of a DOS device.

According to Microsoft Security Response Center (MSRC). "Non vulnerability in II 6.0/ASP.NET. Microsoft has completed the investigation into the public proof of concept code that claims to demonstrate a vulnerability in IIS 6.0. Our investigation has found that the claims are incorrect and that the proof of concept code does not take advantage of a vulnerability in IIS 6.0. Additionally, the code in question incorrectly claims to use IIS 6.0. Our investigation has shown the code in question actually uses ASP.NET. Our investigation has shown that the code has no impact against systems running ASP.NET 2.0. Systems running ASP.NET 1.1 may experience a temporary disruption when receiving a large volume of concurrent requests containing this code. However, as soon as the requests are no longer submitted, the system returns to normal operation.

Solution(s)

  • no-patch-ms-iis-msdos-device-dos
  • isapi-filter-ms-iis-msdos-device-dos

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;