Microsoft IIS Multiple Invalid URL Request DoS Vulnerability

Bugtraq ID:	2440
Class:	Failure to Handle Exceptional Conditions
CVE:	CVE-2001-0146
Remote:	Yes
Local:	Yes
Published:	Mar 01 2001 12:00AM
Updated:	Jul 11 2009 04:46AM
Credit:	Discovered by Kevin Kotas and posted in a Microsoft Security Bulletin (MS01-014) on March 1, 2001.
Vulnerable:	Microsoft IIS 5.0 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP1 - Microsoft Windows 2000 Advanced Server SP1 + Microsoft Windows 2000 Advanced Server + Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP1 - Microsoft Windows 2000 Professional SP1 + Microsoft Windows 2000 Professional + Microsoft Windows 2000 Professional - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP2 - Microsoft Windows 2000 Server SP1 - Microsoft Windows 2000 Server SP1 + Microsoft Windows 2000 Server + Microsoft Windows 2000 Server
Not Vulnerable:

Microsoft IIS Multiple Invalid URL Request DoS Vulnerability

Solution:
The original patches released by Microsoft have been reported to introduce a memory leak which could deplete all available memory on the host. Microsoft has addressed both issues with the following patches:


Microsoft IIS 5.0

• Microsoft Q293826
  http://download.microsoft.com/download/win2000platform/Patch/q293826/N T5/EN-US/Q293826_W2K_SP3_x86_en.EXE

Microsoft IIS Multiple Invalid URL Request DoS Vulnerability

References:

• Microsoft Internet Information Server/ Exchange 2000 invalid request denial of s (eSecurityOnline)
  
• Microsoft Security Bulletin (MS01-014) (Microsoft)
  
• Microsoft Security Bulletin MS02-026 (Microsoft)