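Microsoft .NET Framework Multiple Null Byte Injection Vulnerabilities (MS07-040)
Release date: 2007-07-10
Updated: 2007-07-11
Affected systems:
Microsoft .NET Framework 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.0
Description:
BUGTRAQ ID: 24791
CVE(CAN) ID: CVE-2007-0042
Microsoft .NET Framework is a popular software development kit.
The .NET Framework contains a vulnerability in the way it handles web page requests; a remote attacker could exploit it to bypass security restrictions and access sensitive information.
The Server.MapPath, Server.Execute, Server.Transfer, String.Compare and System.Net.Mail.SmtpMail.Send methods of the .NET Framework do not properly validate certain user-supplied parameters, which allows a user to inject arbitrary null bytes into a submitted URI. An attacker who successfully exploits this vulnerability can bypass the security restrictions of an ASP.NET website and download the contents of any web page.
<*Source: Paul Craig (headpimp@pimp-industries.com)
Links: http://security-assessment.com/files/advisories/2007-07-11_Multiple_.NET_Null_Byte_Injection_Vulnera
http://secunia.com/advisories/26003/
http://www.microsoft.com/technet/security/Bulletin/ms07-040.mspx?pf=true
http://www.us-cert.gov/cas/techalerts/TA07-191A.html
*>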
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
Example 1
<%@ Page Language="vb" %>
<html>
<head>
<title>vb.net MapPath example </title>
<script runat="server">
Sub Page_Load()
    dim name as string
    dim realname as string
    ' A fixed ".uploaded" suffix is appended to the request value
    name = request("name") & ".uploaded"
    realname = Mappath(".") & "\" & name
    ' Print what MapPath resolves next to the full concatenated string
    response.write("Mappath of name = <b>" & MapPath(name) & "</b><br>")
    response.write("The real value is: <b>" & realname & "</b><br>")
End Sub
</script>
</head>
<body>
<asp:label id="Message" runat="server"/>
<asp:label id="Message2" runat="server"/>
</body>
</html>
Example 2
<%@ Page Language="VB" %>
<html>
<head>
<script runat="server">
Sub Page_Load()
    ' The request value is passed to Server.Execute without validation
    Server.Execute(request("page"))
End Sub
</script>
</head>
<body>
</body>
</html>
Example 3
<%@ Page Language="VB" %>
<html>
<head>
<title>Server.execute </title>
<script runat="server">
Sub Page_Load()
    ' The request value is passed to Server.Transfer without validation
    Server.Transfer(request("page"))
End Sub
</script>
</head>
<body>
</body>
</html>
Example 4
<%@ Page Language="vb" %>
<html>
<head>
<title>String.Compare</title>
<script runat="server">
Sub Page_Load()
    dim allowed, sFirstItem, sSecondItem as string
    sFirstItem = Request("first")
    sSecondItem = Request("second")
    response.Write ("String.Compare - First item = " & sFirstItem & "<br>")
    response.Write ("String.Compare - Second item = " & sSecondItem & "<br>")
    ' Compare the two request values with String.Compare
    if String.Compare(sFirstItem, sSecondItem) = 0 then
        response.Write ("<b>String.Compare - Matched! Strings are the same</b>" & "<br>")
    else
        response.Write ("<b>String.Compare - Failed!! Strings are different </b>" & "<br>")
    End If
    ' Compare the same two values with the = operator
    if sFirstItem = sSecondItem then
        response.Write ("Direct eval - Matched!" & "<br>")
    else
        response.Write ("<b>Direct eval - Failed!!</b>" & "<br>")
    End If
End Sub
</script>
</head>
<body>
</body>
</html>
Example 5
<%@ Import Namespace="System.Web.Mail" %>
<%@ Import Namespace="System.IO" %>
<%@ Page Language="vb" %>
<html>
<head>
<title>vb.net MapPath example </title>
<script runat="server">
Private Sub Page_Load(sender As Object, e As System.EventArgs)
    Dim m As New MailMessage()
    m.From = "tester@security-assessment.com"
    ' A fixed suffix is appended to each request value
    m.To = request("to") & "@security-assessment.com"
    m.Subject = request("subject") & ": FromWebsite"
    m.Body = request("body") & "This message was submitted by a user."
    Response.Write("Sending mail to: " & m.to)
    m.Fields.Add("http://schemas.microsoft.com/cdo/configuration/smtpauthenticate", "1") 'basic authentication
    m.Fields.Add("http://schemas.microsoft.com/cdo/configuration/sendusername", "username-goes-here")
    m.Fields.Add("http://schemas.microsoft.com/cdo/configuration/sendpassword", "password-goes-here") 'set your
    SmtpMail.SmtpServer = "mail.server.here"
    SmtpMail.Send(m)
End Sub
</script>
</head>
<body>
</body>
</html>
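Recommendations:
Workaround:
* ASP.NET web developers can compare values obtained from Internet-accessible sources (such as query strings, cookies or form variables) against a list of allowed values and reject any value outside that list.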
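
One way to apply this workaround to the Server.Execute page from Example 2. This is an added example, not code from the advisory or from Microsoft; the page names in the allow list and the helper ResolveAllowedPage are hypothetical.

```vbnet
<%@ Page Language="VB" %>
<script runat="server">
    ' Added example: allow-list check for the "page" request parameter.
    ' The entries below are hypothetical page names, not taken from the advisory.
    Private Shared ReadOnly AllowedPages As String() = {"news.aspx", "about.aspx", "contact.aspx"}

    ' Returns the matching allow-list entry, or Nothing when the input is rejected.
    Private Shared Function ResolveAllowedPage(ByVal requested As String) As String
        If String.IsNullOrEmpty(requested) Then Return Nothing
        ' Reject NUL and every other control character instead of stripping them.
        For Each c As Char In requested
            If Char.IsControl(c) Then Return Nothing
        Next
        ' Ordinal comparison looks at every character value of both strings.
        For Each candidate As String In AllowedPages
            If String.Equals(requested, candidate, StringComparison.OrdinalIgnoreCase) Then
                Return candidate
            End If
        Next
        Return Nothing
    End Function

    Sub Page_Load()
        Dim target As String = ResolveAllowedPage(Request.QueryString("page"))
        If target Is Nothing Then
            Response.StatusCode = 400
            Response.Write("Invalid page parameter.")
            Return
        End If
        ' Pass the constant from the allow list, never the raw request value.
        Server.Execute(target)
    End Sub
</script>
```

Because the value handed to Server.Execute is the allow-list constant rather than the request string, nothing the client sends reaches the affected method directly.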
Vendor patch:
Microsoft
---------
Microsoft has released a security bulletin (MS07-040) and corresponding patches for this issue:
MS07-040: Vulnerabilities in .NET Framework Could Allow Remote Code Execution (931212)
Link: http://www.microsoft.com/technet/security/Bulletin/ms07-040.mspx?pf=true
