CVE-1999-1538
CVSS2.1
发布时间 :1999-01-14 00:00:00
修订时间 :2016-10-17 22:05:41
NMCOES    

[原文]When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allows an unauthorized user to gain access to sensitive server information, including the Administrator's password.


[CNNVD]Microsoft IIS 4.0远程Web管理ism.dll文件可被利用暴力猜解漏洞(CNNVD-199901-040)

        
        IIS 4.0是一款Windows NT系统自带的的Web服务器软件,由Microsoft公司开发维护。
        由低版本IIS升级的IIS 4.0有一个文件ism.dll未被删除,此程序可用于远程管理IIS服务,远程攻击者可能利用此程序穷举口令。
        默认安装的IIS 4.0中包含远程WEB管理组件,可以通过浏览器管理IIS服务。但是仅限于通过环回地址(127.0.0.1)访问。如果IIS 4.0是从IIS 2.0或者IIS 3.0基础上升级的,那么在/scripts/iisadmin目录下会留下一个ism.dll,通过直接向该文件提交请求同样可以实现远程WEB管理。而这里通常是任何IP地址都可以访问的。在访问的时候系统会要求输入用户名和密码,这也提供了一个穷举破解的途径。
        

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1538
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1538
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199901-040
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=91638375309890&w=2
(UNKNOWN)  BUGTRAQ  19990114 MS IIS 4.0 Security Advisory
http://marc.info/?l=ntbugtraq&m=91632724913080&w=2
(UNKNOWN)  NTBUGTRAQ  19990114 MS IIS 4.0 Security Advisory
http://www.securityfocus.com/bid/189
(UNKNOWN)  BID  189

- 漏洞信息

Microsoft IIS 4.0远程Web管理ism.dll文件可被利用暴力猜解漏洞
低危 访问验证错误
1999-01-14 00:00:00 2005-10-20 00:00:00
远程  
        
        IIS 4.0是一款Windows NT系统自带的的Web服务器软件,由Microsoft公司开发维护。
        由低版本IIS升级的IIS 4.0有一个文件ism.dll未被删除,此程序可用于远程管理IIS服务,远程攻击者可能利用此程序穷举口令。
        默认安装的IIS 4.0中包含远程WEB管理组件,可以通过浏览器管理IIS服务。但是仅限于通过环回地址(127.0.0.1)访问。如果IIS 4.0是从IIS 2.0或者IIS 3.0基础上升级的,那么在/scripts/iisadmin目录下会留下一个ism.dll,通过直接向该文件提交请求同样可以实现远程WEB管理。而这里通常是任何IP地址都可以访问的。在访问的时候系统会要求输入用户名和密码,这也提供了一个穷举破解的途径。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 删除scripts/iisadmin/ism.dll
        厂商补丁:
        Microsoft
        ---------
        该问题无须补丁,删除scripts/iisadmin/ism.dll即可。

- 漏洞信息 (19147)

NT IIS4 Remote Web-Based Administration Vulnerability (EDBID:19147)
windows remote
1999-01-14 Verified
0 Mnemonix
N/A [点击下载]
source: http://www.securityfocus.com/bid/189/info

Web-based administration for IIS 4.0 is, by default, limited to the local loopback address, 127.0.0.1. In instances where IIS4.0 was installed as an upgrade to IIS 2.0 or 3.0, a legacy ISAPI DLL (ISM.DLL) is left in the /scripts/iisadmin directory. An attacker may call this DLL via the following syntax:

http://www.server.com/scripts/iisadmin/ism.dll?http/dir

This URL prompts the user for a username/password to access the remote administration console. Although approved access does not permit the user to commit changes to the IIS server, it may allow them to gather sensitive information about the web server and its configuration. 		

- 漏洞信息

273
Microsoft IIS Upgrade ism.dll Local Privilege Escalation
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Public

- 漏洞描述

When Microsoft Internet Information Server (IIS) 4.0 is upgraded from version 2.0 or 3.0 the ism.dll file is left in the /scripts/iisadmin directory. This script discloses sensitive information via a specially crafted URL which could lead to elevated privileges. An attacker could use this to gain access to the administrator's password.

- 时间线

1999-01-14 Unknow
Unknow Unknow

- 解决方案

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Remove the ism.dll from the /scripts/iisadmin directory. It's also recommended that access to the /scripts/iisadmin directory be limited to localhost access only.

- 相关参考

- 漏洞作者

- 漏洞信息

NT IIS4 Remote Web-Based Administration Vulnerability
Access Validation Error 189
Yes No
1999-01-14 12:00:00 2009-07-11 12:16:00
This vulnerability was posted to NTBugtraq by David Litchfield (Mnemonix).

- 受影响的程序版本

Microsoft IIS 4.0
+ Cisco Building Broadband Service Manager (BBSM) 5.0
+ Cisco Building Broadband Service Manager (BBSM) 5.0
+ Cisco Call Manager 3.0
+ Cisco Call Manager 3.0
+ Cisco Call Manager 2.0
+ Cisco Call Manager 2.0
+ Cisco Call Manager 1.0
+ Cisco Call Manager 1.0
+ Cisco ICS 7750
+ Cisco ICS 7750
+ Cisco IP/VC 3540 Video Rate Matching Module
+ Cisco IP/VC 3540 Video Rate Matching Module
+ Cisco Unity Server 2.4
+ Cisco Unity Server 2.4
+ Cisco Unity Server 2.3
+ Cisco Unity Server 2.3
+ Cisco Unity Server 2.2
+ Cisco Unity Server 2.2
+ Cisco Unity Server 2.0
+ Cisco Unity Server 2.0
+ Cisco uOne 4.0
+ Cisco uOne 4.0
+ Cisco uOne 3.0
+ Cisco uOne 3.0
+ Cisco uOne 2.0
+ Cisco uOne 2.0
+ Cisco uOne 1.0
+ Cisco uOne 1.0
+ Hancom Hancom Office 2007 0
+ Hancom Hancom Office 2007 0
+ Microsoft BackOffice 4.5
+ Microsoft BackOffice 4.5
+ Microsoft Windows NT 4.0 Option Pack
+ Microsoft Windows NT 4.0 Option Pack
Microsoft IIS 3.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft IIS 2.0
+ Microsoft Windows NT 4.0
+ Microsoft Windows NT 4.0

- 不受影响的程序版本

Microsoft IIS 3.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
Microsoft IIS 2.0
+ Microsoft Windows NT 4.0
+ Microsoft Windows NT 4.0

- 漏洞讨论

Web-based administration for IIS 4.0 is, by default, limited to the local loopback address, 127.0.0.1. In instances where IIS4.0 was installed as an upgrade to IIS 2.0 or 3.0, a legacy ISAPI DLL (ISM.DLL) is left in the /scripts/iisadmin directory. An attacker may call this DLL via the following syntax:

http://www.server.com/scripts/iisadmin/ism.dll?http/dir

This URL prompts the user for a username/password to access the remote administration console. Although approved access does not permit the user to commit changes to the IIS server, it may allow them to gather sensitive information about the web server and its configuration.

- 漏洞利用

see discussion

- 解决方案

Delete the ISM.DLL from the /scripts/iisadmin directory.

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站