CVE-1999-1035 in IISinfo

Summary

by MITRE

IIS 3.0 and 4.0 on x86 and Alpha allows remote attackers to cause a denial of service (hang) via a malformed GET request, aka the IIS "GET" vulnerability.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/20/2026

The vulnerability identified as CVE-1999-1035 represents a critical denial of service flaw affecting Microsoft Internet Information Services versions 3.0 and 4.0 running on both x86 and Alpha processor architectures. This vulnerability specifically targets the HTTP GET request handling mechanism within the IIS web server implementation, creating a condition where malformed requests can cause the server to become unresponsive or enter a state of permanent hang. The flaw exploits fundamental parsing mechanisms within the web server's request processing pipeline, demonstrating a classic buffer overflow or input validation weakness that was prevalent in early web server implementations.

The technical nature of this vulnerability stems from inadequate input validation and error handling within the IIS HTTP request parser. When the web server receives a specially crafted malformed GET request, the parsing logic fails to properly handle the malformed data structure, leading to a condition where the server process becomes stuck in an infinite loop or encounters an unrecoverable state. This type of vulnerability aligns with CWE-129, which describes issues related to insufficient validation of the length of input data, and CWE-170, which covers problems with improper handling of input that contains potentially dangerous characters or structures. The vulnerability operates at the application layer of the network stack, specifically targeting the HTTP protocol implementation within the IIS server software.

From an operational impact perspective, this vulnerability poses significant risk to organizations relying on IIS 3.0 and 4.0 servers for their web hosting infrastructure. A remote attacker capable of sending malicious GET requests can effectively disable web services by causing the affected IIS servers to become unresponsive, leading to complete denial of service for legitimate users and business operations. The vulnerability is particularly dangerous because it requires no authentication or privileged access to exploit, making it an attractive target for automated attack tools. The impact extends beyond simple service disruption as it can affect multiple concurrent connections and potentially lead to cascading failures in larger network infrastructures that depend on these web servers for critical business functions.

The attack surface for this vulnerability encompasses any organization running vulnerable IIS versions on affected hardware platforms, particularly those with exposed web servers to the internet. The exploit demonstrates characteristics consistent with the attack pattern described in the MITRE ATT&CK framework under the T1499 category for network denial of service attacks, where adversaries leverage application-level vulnerabilities to disrupt service availability. Organizations should consider implementing network-level protections such as firewall rules to restrict access to web server ports, though this approach provides only partial mitigation since the vulnerability can be exploited through various network paths and protocols. The most effective long-term solution involves applying the official Microsoft security patches that address the underlying parsing logic flaw and implement proper input validation mechanisms. Additionally, implementing intrusion detection systems that can identify malformed HTTP requests and deploying web application firewalls that can filter out suspicious traffic patterns provides additional defensive layers against exploitation attempts.

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!