CVE-2000-0649
CVSS 2.6
Published: 2000-07-13 00:00:00
Revised: 2008-09-10 15:05:32

[Original] IIS 4.0 allows remote attackers to obtain the internal IP address of the server via an HTTP 1.0 request for a web page which is protected by basic authentication and has no realm defined.


[CNNVD] Microsoft IIS Internal IP Address Disclosure Vulnerability (CNNVD-200007-036)

        A vulnerability exists in IIS 4.0. A remote attacker can obtain the server's internal IP address by sending an HTTP 1.0 request for a web page that is protected by basic authentication and has no realm defined.

- CVSS (base score)

CVSS score: 2.6 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: NETWORK [the attacker does not need intranet or local access]
Authentication: NONE [no authentication is required to exploit]

- CWE (weakness category)

CWE-200 [Information Exposure]

- CPE (affected platforms and products)

cpe:/a:microsoft:internet_information_server:3.0  Microsoft IIS 3.0
cpe:/a:microsoft:internet_information_server:2.0  Microsoft IIS 2.0
cpe:/a:microsoft:internet_information_server:4.0  Microsoft IIS 4.0
cpe:/a:microsoft:internet_information_server:5.0

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0649
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0649
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200007-036
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1499
(VENDOR_ADVISORY)  BID  1499
http://archives.neohapsis.com/archives/ntbugtraq/2000-q3/0025.html
(VENDOR_ADVISORY)  NTBUGTRAQ  20000713 IIS4 Basic authentication realm issue

- Vulnerability information

Microsoft IIS Internal IP Address Disclosure Vulnerability
Low severity  Information disclosure
2000-07-13 00:00:00  2008-05-06 00:00:00
Remote
        A vulnerability exists in IIS 4.0. A remote attacker can obtain the server's internal IP address by sending an HTTP 1.0 request for a web page that is protected by basic authentication and has no realm defined.

- Advisories and patches

        This behaviour can be altered by changing the w3svc/UseHostName value in the metabase from False to True. Detailed instructions can be found in the Microsoft knowledge base at:
        http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP

- Vulnerability information (20096)

Microsoft IIS 2.0/3.0/4.0/5.0/5.1 Internal IP Address Disclosure Vulnerability (EDBID:20096)
Platform: windows  Type: remote
Date: 2000-07-13  Verified
Port: 0  Author: Dougal Campbell
Download: N/A
source: http://www.securityfocus.com/bid/1499/info

When a remote user attempts to access an area protected by basic authentication with no realm defined, while specifying HTTP 1.0, Microsoft IIS will return an Access Denied error message containing the internal IP address of the host. Even if IIS is behind a firewall or NAT, it will disclose the true internal IP address to the remote user.

The internal IP address may also be revealed through a HTTP request made with an empty host name. If a PROPFIND HTTP request is made, the message returned will include the IP address as part of the HREF header. The IP address may also be exposed through the WRITE or MKCOL methods, although they would not normally be exposed to the external network.

Eg.

telnet target 80
Trying target...
Connected to target.
Escape character is '^]'.
HEAD /directory HTTP/1.0[CRLF]
[CRLF]

HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="<Internal IP Address>"
Content-Length: 644
Content-Type: text/html

- Vulnerability information

OSVDB ID: 630
Microsoft IIS Multiple Malformed Header Field Internal IP Address Disclosure
Location: Remote / Network Access  Attack type: Information Disclosure
Impact: Loss of Confidentiality  Solution: Workaround
Exploit: Public  Disclosure: Third-party Verified

- Vulnerability description

Microsoft IIS contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when attempting to access an area protected via basic HTTP authentication without providing realm information, making a request without a host: header, or by trying to access a resource that has been moved (302). This may disclose the internal IP address or network name in the response header resulting in a loss of confidentiality.

- Timeline

2000-07-13 Unknown
2000-07-13 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: change the w3svc/UseHostName value (from False to True) in the metabase. This is done by using adsutil.vbs to manually change values within the metabase.

- References

- Credit

- Vulnerability information

Microsoft IIS Internal IP Address Disclosure Vulnerability
Class: Design Error  Bugtraq ID: 1499
Remote: Yes  Local: No
Published: 2000-07-13 12:00:00  Updated: 2009-07-11 02:56:00
Posted to NTBugtraq on July 13, 2000 by Dougal Campbell <dougal@GUNTERS.ORG>.

- Affected software versions

Microsoft IIS 5.1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
+ Microsoft Windows XP 64-bit Edition SP1
+ Microsoft Windows XP 64-bit Edition
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
+ Microsoft Windows XP Professional SP1
+ Microsoft Windows XP Professional
Microsoft IIS 5.0
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
+ Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
+ Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
+ Microsoft Windows 2000 Server
Microsoft IIS 4.0 alpha
- Microsoft Windows NT 4.0 alpha
Microsoft IIS 4.0
+ Cisco Building Broadband Service Manager (BBSM) 5.0
+ Cisco Call Manager 3.0
+ Cisco Call Manager 2.0
+ Cisco Call Manager 1.0
+ Cisco ICS 7750
+ Cisco IP/VC 3540 Video Rate Matching Module
+ Cisco Unity Server 2.4
+ Cisco Unity Server 2.3
+ Cisco Unity Server 2.2
+ Cisco Unity Server 2.0
+ Cisco uOne 4.0
+ Cisco uOne 3.0
+ Cisco uOne 2.0
+ Cisco uOne 1.0
+ Hancom Hancom Office 2007 0
+ Microsoft BackOffice 4.5
+ Microsoft Windows NT 4.0 Option Pack
Microsoft IIS 3.0
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
Microsoft IIS 2.0
+ Microsoft Windows NT 4.0

- Discussion

When a remote user attempts to access an area protected by basic authentication with no realm defined, while specifying HTTP 1.0, Microsoft IIS will return an Access Denied error message containing the internal IP address of the host. Even if IIS is behind a firewall or NAT, it will disclose the true internal IP address to the remote user.

The internal IP address may also be revealed through a HTTP request made with an empty host name. If a PROPFIND HTTP request is made, the message returned will include the IP address as part of the HREF header. The IP address may also be exposed through the WRITE or MKCOL methods, although they would not normally be exposed to the external network.

Eg.

telnet target 80
Trying target...
Connected to target.
Escape character is '^]'.
HEAD /directory HTTP/1.0[CRLF]
[CRLF]

HTTP/1.1 401 Access Denied
WWW-Authenticate: Basic realm="<Internal IP Address>"
Content-Length: 644
Content-Type: text/html

- Exploit

HEAD /directory HTTP/1.0[CRLF]
[CRLF]

or

PROPFIND / HTTP/1.1
Host:
Content-Length: 0
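The following is an added example, not code from any of the advisories quoted in this record. It is a small audit check a defender can run over a response captured from their own IIS host to confirm whether the disclosure described above is still present after applying the UseHostName workaround: it parses the raw HTTP response, extracts the realm from the WWW-Authenticate header, and flags it when the realm is a private, loopback or link-local IP address rather than a hostname. It also inspects Location headers and any URLs in the body, which covers the 302 and PROPFIND cases mentioned in the OSVDB and BID entries. The three sample responses are constructed for this example; the addresses 10.0.0.5 and 192.168.1.20 and the hostname www.example.com are placeholders, not values from the original report.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Matches the realm parameter of a Basic challenge, e.g. realm="10.0.0.5"
REALM_RE = re.compile(r'realm="([^"]*)"', re.IGNORECASE)
# Matches absolute URLs in a response body (e.g. WebDAV <D:href> elements)
URL_RE = re.compile(r'https?://[^\s"<>]+')


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status_line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_line = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers, body.decode("latin-1", errors="replace")


def is_internal_ip(value: str) -> bool:
    """True if value is an IP literal from a private, loopback or link-local range."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # hostnames and malformed values are not IP literals
    return addr.is_private or addr.is_loopback or addr.is_link_local


def find_disclosures(raw: bytes):
    """Return a list of (where, address) pairs for every internal IP leaked."""
    _status, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "www-authenticate":
            m = REALM_RE.search(value)
            if m and is_internal_ip(m.group(1)):
                findings.append(("WWW-Authenticate realm", m.group(1)))
        elif name in ("location", "content-location"):
            host = urlsplit(value).hostname
            if host and is_internal_ip(host):
                findings.append((name, host))
    seen = set()
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host and host not in seen and is_internal_ip(host):
            seen.add(host)
            findings.append(("body URL", host))
    return findings


# Constructed sample responses (not captured from a real server).
VULNERABLE_401 = (
    b"HTTP/1.1 401 Access Denied\r\n"
    b'WWW-Authenticate: Basic realm="10.0.0.5"\r\n'
    b"Content-Length: 644\r\n"
    b"Content-Type: text/html\r\n\r\n"
)
# What the challenge looks like once w3svc/UseHostName is True: the realm is a hostname.
FIXED_401 = (
    b"HTTP/1.1 401 Access Denied\r\n"
    b'WWW-Authenticate: Basic realm="www.example.com"\r\n'
    b"Content-Length: 644\r\n"
    b"Content-Type: text/html\r\n\r\n"
)
# PROPFIND case: the internal address appears in the <D:href> of the body.
PROPFIND_207 = (
    b"HTTP/1.1 207 Multi-Status\r\n"
    b"Content-Type: text/xml\r\n\r\n"
    b'<?xml version="1.0"?><D:multistatus xmlns:D="DAV:">'
    b"<D:response><D:href>http://192.168.1.20/</D:href></D:response>"
    b"</D:multistatus>"
)

if __name__ == "__main__":
    for label, sample in (("vulnerable 401", VULNERABLE_401),
                          ("fixed 401", FIXED_401),
                          ("PROPFIND 207", PROPFIND_207)):
        print(label, "->", find_disclosures(sample) or "no internal IP disclosed")
```

Run the script as-is to see the three constructed cases, or feed `find_disclosures()` the bytes of a response captured from your own server. An empty list for the 401 case means the realm now carries the configured host name rather than the bound IP.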

- Solution

This behaviour can be altered by changing the w3svc/UseHostName value in the metabase from False to True. Detailed instructions can be found in the Microsoft knowledge base at:

http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP

- References
