Lucene search

HistoryNov 23, 2018 - 12:00 a.m.

Those years make us tremble in fear of the IIS vulnerability-vulnerability warning-the black bar safety net






One, the world’s third largest network server
Internet Information Services IIS, formerly called Internet Information Server Internet Information Service is Microsoft the company to provide scalableWeb server, support for HTTP, HTTP/2, HTTPS, FTP, FTPS, SMTP and NNTP, etc. Initially for Windows NT series, and then the built-in Windows 2000, Windows XP Professional, Windows Server 2003 and subsequent versions together with the issue. IIS currently only applies to Windows system, not for the other[operating system](<; a).
According to Netcraft in 2018 9 on the latest WorldWeb serverreport shows, Microsoft IIS still to 9. 57%of the proportion occupy the world’s third busiest server, behind Apache 34.07% and Nginx 25.45 per cent. The current popular version of Windows by default install IIS service,but at the same time IIS security has been in the industry criticized, once IIS is a high-risk vulnerability, there will be a wide range, the impact of the deep features.
! [](/Article/UploadPic/2018-11/20181123201244207. png)
Currently IIS is a total release 12 version, from IIS 1.0 to IIS version 10.0, IIS 1.0-4.0 has been basically out of the market, IIS 5.0-10.0 is a Web market the main use of the web server. With the Windows version is released and constantly updated, the IIS itself, the security also has been greatly improved. In 2005-2018 period, the IIS vulnerability presented decreasing trend, while also illustrating the IIS vulnerability POC posted less and less, vulnerability mining difficulty is also on the increase.
! [](/Article/UploadPic/2018-11/20181123201244722. png)
From the IIS vulnerability statistical tables can be seen, IIS 7.5, IIS 8.5 and IIS 10.0 is currently the world most used of the three IIS versions, respectively, corresponding to the affected vulnerability 12, 4 and 2, showing affected by the number of vulnerabilities decreasing trend. At the same time, in the calendar version of IIS vulnerabilities, IIS 6.0, IIS 5.1, IIS 7.5 and IIS 7.0 is affected by the vulnerability number is among the top four.
Second, the IIS vulnerability analysis
Chisato mesh lab for IIS nearly a dozen years after 2005, of the 35 vulnerabilities and finishing, and analysis, the IIS vulnerability are mainly distributed in the buffer overflow, authentication bypass, DOS, denial of Service, code execution and information disclosure, which in MS15-034 remote code execution vulnerability most serious.
! [](/Article/UploadPic/2018-11/20181123201244382. png)
! [](/Article/UploadPic/2018-11/20181123201244204. png)

From the above table it can be seen, the IIS calendar year vulnerability mainly in the remote vulnerability-based, accounting for vulnerability of the total number of 85. 71% of local vulnerabilities have 5, accounting for vulnerability of the total number of 14. 29 per cent. 5 of which local vulnerabilities are: (MS12-073)Microsoft IIS password information disclosure vulnerability CVE-2012-2531, Microsoft IIS source code disclosure vulnerability CVE-2005-2678, the (MS17-016)Microsoft Internet Information Server cross-site scripting vulnerability CVE-2017-0055, the (MS16-016)IIS WEBDAV elevation of privilege vulnerability CVE-2016-0051, a (MS08-005)Microsoft IIS file change notification local privilege escalation vulnerability, CVE-2008-0074。
The following is mainly for IIS vulnerability can be exploited remotely by the focus of the vulnerability analysis and reproduction: the
1. Buffer overflow vulnerability
1.1 (MS09-053)Microsoft IIS FTPd service NLST command stack buffer CVE-2009-3023
1.1.1 vulnerability description
Microsoft IIS built-inFTP serverin the presence of a stack-based buffer overflow vulnerability. If a remote attacker with a specially crafted name of the directory release contains a wildcard the FTP NLST(NAME LIST)command, then it can trigger this overflow, resulting in arbitrary code execution. Only when the attacker has write access to the case can only be created with a special name in the directory.
1.1.2 vulnerability analysis and reproduction
· Vulnerability affects versions: IIS 5.0, IIS 5.1, IIS 6.0
· Vulnerability analysis:
IIS include used by TCP computer network switching and the operation of the fileFTP serverservice. By default it listens on Port 21 to access from the FTP client of the incoming connection. IIS support FTP command is the name of the list NLST command. This command is used to add a directory list from the server transmitted to the client. The syntax of the command is as follows:

This command is the pathname should specify a directory or other system-specific file group descriptor; pathname is NULL, use the current directory. NLST command may be used such as“*”like a wildcard to refer to multiple paths.
Microsoft Internet Information Services(IIS)in the presence of buffer overflow vulnerabilities. The vulnerability is due to processing NLST FTP command when the bounds check is insufficient. When the FTP user request contains a wildcard the path name is too long the directory list, the vulnerable code will be the directory path name of the copy to 0x9F(159) - byte stack-based buffer without performing boundary verification. Provide contains greater than 0x9F(159)bytes of the path name will cause a stack buffer overflow, which may cover the key process data such as function return addresses.
A remote authenticated attacker can connect to a vulnerable IIS FTP serverto the target server to send malicious NLST command to exploit this vulnerability. Successful exploitation will lead to the use of System privileges to execute code. If code execution attack is unsuccessful, might cause the affected FTP session aborted.
Note: in order to successfully exploit this vulnerability, an NLST command to specify a long path name must exist in the target system. Therefore, the use of this vulnerability to attack may be accompanied by a MKD command to use.
· Vulnerability type: remote exploit, there is a buffer overflow vulnerability that can trigger code execution
· Vulnerability reproduction: the
Reproduce environment: Win XP SP3 x64 Professional Edition, the default IIS 5.1
1. Set up IIS FTP drone environment, test anonymous default anonymous user is available, and can create and read directories;

[1] [2] [3] [4] [5] next