The URL parser in Microsoft Internet Information Services (IIS) 5.1 on Windows XP Professional SP2 allows remote attackers to execute arbitrary code via multiple requests to ".dll" followed by arguments such as "~0" through "~9", which causes ntdll.dll to produce a return value that is not correctly handled by IIS, as demonstrated using "/_vti_bin/.dll/*/~0". NOTE: the consequence was originally believed to be only a denial of service (application crash and reboot).
Microsoft IIS is prone to a remote code-execution vulnerability because the application fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the vulnerable application, which may lead to the complete compromise of affected computers.This issue affects Microsoft IIS 5.1 running on Windows XP SP2.Note: this issue was previously reported as a denial-of-service vulnerability. New information from the vendor states that code execution is possible.
The vendor released an advisory along with fixes to address this issue. Please see the referenced advisory for more information. Microsoft IIS 5.1 Microsoft Security Update for Windows XP (KB939373) http://www.microsoft.com/downloads/details.aspx?FamilyId=fccbfe90-f838 -47df-8310-352e2fb47132
To demonstrate this issue, the following request will crash the application if issued a number of times (four requests will do the trick, according to the author): http://www.example.xom/_vti_bin/.dll/*\~0 The following proof-of-concept exploit also demonstrates this issue by crashing the application: /data/vulnerabilities/exploits/IIS_Mal_URI_Dos.cpp