Rh.114 - Microsoft Internet Information Server (IIS)

Methods of Intrusion into IIS Web Servers
Author: Amir Hossein Sharifi

IIS has been one of the most widely used platforms for a great many web servers in recent years, and for that reason it is always a prime target for web intruders. This server had, and still has, a great many security holes, which is why it has come under such heavy attack from web intruders. Among these weaknesses one can name: disclosure of application source code via ::$DATA, information disclosure through scripts such as showcode.asp, execution of system commands by injecting commands into database queries (MDAC / RDS), and buffer overflow attacks on IIS. Although weaknesses of this kind have been fixed by the patches that were released and in the newer versions, it must be said that the newer products have been released with better discipline.

Most IIS security weaknesses can be placed in the following two groups:

- Attacks against IIS components
- Attacks against IIS itself

In this discussion we explain both categories as far as we can and try to present them more clearly with a variety of examples. Most attacks, however, fall into the first category.

Attacks against IIS components

IIS relies very heavily on a set of dynamic link libraries (DLLs) that interact with one another to serve the main system process, inetinfo.exe, and in this way give the system a great many capabilities. To picture it in practical terms: quite simply, these DLL files can be invoked by requesting from IIS a file with a particular extension. For example, requesting a file with the extension .printer (assuming that file really exists) requests a handle (1) from the DLL designed for web-based print requests. This architecture is named ISAPI (2).
Preprocessors such as ColdFusion and PHP use ISAPI. IIS uses other ISAPI filters to handle the operations related to ASP (Active Server Pages), SSI (Server Side Includes) and web-based print sharing. A large number of ISAPI filters need no special, separate installation step and are in practice placed (installed) on the system by default when IIS is installed. This is what let so many intruders abuse these files by feeding them input laced with unauthorized code. They quite simply requested a file from the web server through hand-crafted URLs and delivered the input to the ISAPI DLLs by way of those same requests. The results of such requests were catastrophic for many IIS servers! And in recent years they have been attacked this way again and again. Code Red and Code Red 2 are examples of malicious programs that used the weakness above to further their aims. Failing to update and properly maintain IIS after the initial installation is another factor that paves the way for attackers. For instance, the ntdll.dll WebDAV vulnerabilities in IIS 5.0 make DoS (denial of service) attacks possible, after which attackers are able to create and run scripts of their choosing on the server. In other cases, depending on the vulnerabilities present, attackers are able to execute arbitrary commands on the server (through precise, skillfully crafted URL requests). The features and add-ons later installed on IIS as the need arises (such as ColdFusion and PHP) can also open up new vulnerabilities. Such vulnerabilities may stem from incorrect configuration or from security weaknesses and flaws in the installed product that then spread to IIS as well (inheritance of problems and security weaknesses from one product to another). Basic examples are given below, each with a brief explanation.
These, of course, are the basic, early examples that were abused in years past. But let us take a more realistic look at such attacks through ISAPI.

1 - Handle
2 - Internet Server Application Programming Interface

© www.WebSecurityMgz.com

Buffer overflow in ISAPI DLLs

One of the most frequent attacks carried out against ISAPI is the buffer overflow. In late 2001 and early 2002 many IIS web servers were devastated by the CodeRed and Nimda worms. Both attacks were built on buffer overflows, infecting servers through a security hole that existed in ISAPI DLLs exposed on the web. In April 2002 another buffer overflow weakness, in the ISAPI DLL for ASP pages, was published. In this section we give an example of one of these security holes.

In May 2001, eEye Digital Security announced the discovery of a buffer overflow in the ISAPI filter that handles .printer files (C:\WinNT\System32\msw3prt.dll). These files supported the Internet Printing Protocol (3) (IPP); IPP could support the various aspects of printing through network printers. The hole is triggered when a buffer of roughly 420 bytes is sent in the HTTP Host: header of a .printer ISAPI request. In the example below, it happens if we put 420 characters in the [buffer] part.

    GET /NUL.printer HTTP/1.0
    Host: [buffer]

This simple request makes the buffer overflow and IIS crash, although Windows 2000 automatically restarts IIS (Inetinfo.exe) and has it bring the web services back up in their initial, default state. Of course, such a weakness has no noticeable effect by itself (except that, when it is repeated continuously, it causes denial of the core services).
When IIS is restarted this way, random errors occur in IIS and leave the server in an unknown state!

Source Disclosure holes in ISAPI DLLs

Not all ISAPI DLL security holes are as prominent and clear-cut as the .printer buffer overflow. In this section we give an example of a source disclosure weakness caused by a bug that existed in an ISAPI DLL. Source disclosure is a broad class of issues in which users are shown information they would normally have no permission to see.

3 - Internet Printing Protocol

The +.htr weakness is a good example of code disclosure, and it exists in IIS 4 and 5. When we append +.htr to a request for an active file, IIS 4 and 5 serve up chunks of the file's source data rather than executing it! That is, before the request is executed by IIS, the file is displayed as plain text. This is an example of an ISAPI DLL, named ISM.DLL, misinterpreting the request above: the .htr extension maps the file to ISM.DLL and makes it interpret the wrong source. Here is a file named htr.txt with which you can exploit this hole using Netcat.
Note that the +.htr is appended to your request.

    GET /site1/global.asa+.htr HTTP/1.0
    [CRLF]
    [CRLF]

Over a connection that netcat has opened to a vulnerable server, you can see the result:

    C:\> nc -vv www.victim.com 80 < htr.txt
    www.victim.com [10.0.0.10] 80 (http) open
    HTTP/1.0 200 OK
    Server: Microsoft-IIS/5.0
    Date: Thu, 25 Jan 2001 00:50:17 GMT
    <!-- filename = global.asa -->
    ("Profiles_ConnectString") = "DSN=profile; UID=company_user; password=secret"
    ("DB_ConnectString") = "DSN=db; UID=company_user; password=secret"
    ("PHFConectionString") = "DSN=phf; UID=sa; PWD="
    ("SiteSearchConnectionString") = "DSN=SiteSearch; UID=company_user; password=simple"
    ("connectionString") = "DSN=company; UID=company_user; password=guessme"
    ("eMail_pwd") = "sendaemon"
    ("LDAPServer") = "LDAP://directory.company.com:389"
    ("LDAPUserId") = "cn=Directory Admin"
    ("LDAPPwd") = "slapdme"

As you saw, the global.asa file, which is normally never shown to users, was displayed simply by appending +.htr to it. You can read the highly sensitive passwords kept in the global.asa file. Now you see what a disaster one mistake by the server's development team has caused!

Countermeasures against ISAPI DLL security holes

Here we present several different methods for detecting and preventing ISAPI DLL vulnerabilities and discuss each of them in detail.

Removing unused, superfluous mappings

To put it at the root, the main cause of the .printer buffer overflow and +.htr source disclosure holes lies in ISAPI DLLs that ought to be disabled in our application; leaving them in place lets input data be mapped onto them, and the many problems described above appear.
To remove them, the DLL files they map to must be removed at the base. That way the DLL files are not loaded into memory when IIS runs, and our application is protected from the potential attacks.

» Because most IIS security issues are tied to the mappings made onto ISAPI DLL files, this protective measure is one of the most important ways of countering such attacks. «

To disable DLLs by the file extensions that map onto them, right-click the Computer you administer, choose Properties, and you will then see the following:

• Master Properties
• WWW Service
• Edit
• Properties of the Default Web Site
• Home Directory
• Application Setting
• Configuration
• App Mappings

As in the figure below, remove msw3prt.dll, onto which files with the .printer extension are mapped.

Of course, there are many vulnerabilities in IIS that all relate to other ISAPI DLLs; the table below lists some of them together with the DLLs they are mapped to. Remove them if you do not need them!

Extension                     Functionality                             Vulnerability
.asp                          Active Server Pages functionality         Buffer overflows, MS02-018
.htr                          Web-based password reset                  +.htr source disclosure, MS01-004
.idc                          Internet Database Connector               Web directory path disclosure, Q193689
.stm, .shtm, .shtml           Server-side include                       Remote system buffer overflow, MS01-044
.printer                      Internet Printer                          Remote system buffer overflow, MS01-023
.ida, .idq                    Index Server                              Remote system buffer overflow, MS01-033
Uninstall FPSE, RAD Support   FrontPage Server Extension, RAD support   Remote IUSR or system buffer overflow, MS01-035

Maintenance by installing Microsoft Service Packs and Hotfixes

It is true
that removing the vulnerable potential in the ISAPI DLL mappings is a complete solution to the ISAPI DLL problems, but there are various other ways of fixing such problems as well. Among them, you can use the patches that Microsoft has prepared to fix these problems. Microsoft Security Bulletins (4) have continually reported the vulnerabilities that have arisen in ISAPI DLLs (they are classified with labels such as MS01-026, which denotes the 26th bulletin of 2001), and in each bulletin you can find the patch for that vulnerability.

To make it easier to keep your IIS server up to date with new patches, Microsoft has released the Network Hotfix Checker (5) (hfnetchk.exe). Hfnetchk scans all the subnets and reports the Service Pack and Hotfix level of each system. Before hfnetchk starts scanning, it updates its knowledge of the latest patches reported by Microsoft, using an XML file it fetches from Microsoft's database.

If add-on programs such as PerlIIS, ColdFusion or PHP are used with IIS, you need to visit the vendor sites of each of these products, keep up with the latest patch released for each one, and install them on the system according to the recommendations made. Windows Update and the other update services Microsoft provides do not include the patches needed for third-party products added to Microsoft IIS, and system administrators must update the (non-Microsoft) products added to IIS on their own.

Using IISLockdown and URLScan

In late 2001 Microsoft released a tool named the IISLockdown Wizard; as its name implies, it is an automated tool for configuring IIS with its security issues in mind.
By running the program in "Custom" or "Expert" mode, you can specify the changes you want to make to the IIS installation. The following changes to the IIS installation then become possible:

4 - Microsoft Security Bulletin
5 - Network Hotfix Checker

• Internet services: lets you disable all of the IIS services (WWW, FTP, SMTP and NNTP), depending on the role your server plays.
• Additional security measures: disabling WebDAV (unless your environment needs it for publishing web content), removing the sample applications shipped with IIS, and barring the web server from running the common system commands that attackers generally use (such as cmd.exe or tftp.exe).
• Script Maps: disabling unnecessary ISAPI extensions (such as .htr, .idq, .ism, .printer).
• UrlScan: a tool for filtering the requests made to IIS and rejecting those that match certain characteristics!

The items above are a fairly good list of IIS-specific configuration measures, but some things are left out. IISLockdown does nothing about installing Service Packs and Hotfixes; it offers no protection or functionality for the other aspects of the Windows operating system; and it puts no firewall in front of our web server. IISLockdown is a small, simple tool; it cannot be relied on completely while the other aspects are neglected.

Among the things IISLockdown configures by hand, one stands out: URLScan!

URLScan can also be installed on its own from the IISLockdown installer (iislock.exe).
You can do so with the following command:

    C:\> iislock.exe /q /c /t:c:\lockdown_files

The other way to install URLScan is through the IISLockdown Wizard, which can install it automatically.

URLScan consists of two files, URLScan.dll and URLScan.ini, which must sit in the same installation directory. URLScan.dll is an ISAPI filter that must sit in front of IIS and act as a barrier, analyzing requests before IIS receives them; URLScan.ini is a configuration file that decides which kinds of HTTP request the URLScan ISAPI must not accept. Rejected requests are recorded in a file named URLScan.log in the same installation directory (the log files may be saved under the name URLScan.MMDDYY.log). For the requests it rejects, URLScan sends an HTTP 404 Object not found response.

By configuring URLScan, all HTTP requests can be rejected on the basis of the following:

- the request method (or verb, such as GET, POST, HEAD and so on)
- the extension of the requested file
- suspicious URL encodings (in later discussions you will see how important this part is!)
- the presence of non-ASCII characters in the URL
- the presence of particular character sequences
- the presence of specific headers in the request

For each of these items there are specific parameters that must be placed in the URLScan.ini file according to its rules.

Note: URLScan.ini is loaded only when IIS starts, and any change to it takes effect only after IIS is restarted.

Implementing a network egress filter

The first thing that usually comes to a hacker's mind is how to get commands executed on the server, so as to gain control of it and pull files in from outside.
Placing an egress filter at the firewall in front of the web server lets us block all outbound traffic that tries to connect to other ports. A simple approach is to reject every connection from inside the network to the outside except the ones we have allowed in advance, and this is done by blocking all outbound requests that carry only the TCP SYN flag (6). With this, the replies to legitimate inbound requests are not blocked, and the server is still able to answer to the outside. (Did I put that right?!)

6 - As you know, to set up a connection with the three-way handshake, in the first step a TCP packet is built whose SYN field has the value one!

Monitoring and logging

Another countermeasure is knowing what an intruder looks for when preparing an attack on the ins and outs of ISAPI DLLs. Two of the most devastating results of buffer overflows in the mappings for the ida/idq ISAPI extensions were the birth of a new breed of Internet worm, Code Red and Nimda. These worms spread themselves like viruses and, in late 2001 and into early 2002, infected many servers vulnerable to this buffer overflow. The log files of servers infected by the Code Red worm contained an entry similar to the following (7):

    GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

Code Red and Nimda also create a number of files on infected systems. For example, the presence of the directory %System%\notworm indicates that the system is currently infected with the Code Red worm.
Likewise, the presence of the file root.exe, which is the Windows command shell renamed to that name, indicates that the system is infected with the Nimda worm.

So you should check the log files regularly and also audit the server's files, so that if you come across anything suspicious you can follow it up. All of these points help you keep a secure server.

Do not put secret data in your source code (8)

7 - The point here is that the attacker has encoded the assembly instructions in Unicode. For example, %u9090 is converted to 0x90 0x90, each of which is the NOP instruction in x86 machine language!
8 - Source Code

What is clear is that IIS has a code-disclosure problem. It is a false assumption to think that nobody can see your source code! Programmers must learn not to make mistakes of this kind. Some of the most common errors include the following:

- Clear-text strings for connecting to the database through SQL commands written in ASP scripts.
- Passwords used in plain, readable text in the global.asa file.
- Using include files with the .inc extension, when they could be given the .asp extension instead, with the rename applied in the other scripts as well.
- Comments inside scripts that hold secret information such as e-mail addresses, details of the directory structure, passwords and so on.

Scan your network regularly to find vulnerabilities

Perhaps one of the best ways to protect against such attacks is to scan the server regularly, so that you become aware of the vulnerabilities that attackers exploit.
So before others do it to you, get to work yourself: find your system's vulnerabilities and take steps to fix them. In later discussions we will cover such scanners in detail.

HTTP GET                         Well-known vulnerability                               Predictable vulnerable response
/default.asp+.htr                +.htr source disclosure, MS01-004                      200 OK (/default.asp source must be present)
/null.idc                        Web directory path disclosure, Q193689                 500 Error performing query
/file.stm, .shtm, .shtml         Server side includes buffer overflow                   200 OK (/file.stm must be present)
/null.printer                    .printer buffer overflow, MS01-023                     500 Internal server error; HTML contains "Error in Web printer install"
/null.ida, .idq                  Index Server buffer overflow, MS01-033                 200 OK; HTML contains "The IDQ file .. could not be found"
/null.htw                        Webhits source disclosure, MS00-006                    200 OK; HTML contains "The format of QUERY_STRING is invalid"
/_vti_bin/_vti_aut/fp30reg.dll   FrontPage Server Extension buffer overflow, MS01-035   501 Not Implemented

Sources:
1 - Hacking Exposed: Web Applications, Joel Scambray, Mike Shema
2 - Web Hacking: Attacks and Defense, Stuart McClure, Saumil Shah, Shreeraj Shah
3 - www.SRCO.ir
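The request screening that the URLScan section above describes (verbs, file extensions, URL normalization, non-ASCII characters and character sequences), worked through as an added example that is not part of this article and is not Microsoft's URLScan: a small Python model that reads a URLScan.ini-shaped policy and returns the reason a request would be rejected. The ini text is a constructed, hardened sample whose section and option names are URLScan's own; its deny list, taken from the table of mappings to remove, is an assumption for a site that needs none of those extensions.

```python
from urllib.parse import unquote

# Constructed, hardened URLScan.ini (not Microsoft's shipped default): section
# and option names are URLScan's own; the deny list follows the article's table.
URLSCAN_INI = """
[options]
UseAllowVerbs=1            ; only verbs listed in [AllowVerbs] pass
NormalizeUrlBeforeScan=1   ; decode %xx once before the other checks
VerifyNormalization=1      ; reject if a second decode changes the URL again
AllowHighBitCharacters=0   ; reject bytes above 0x7f in the URL
[AllowVerbs]
GET
HEAD
POST
[DenyExtensions]
.htr
.printer
.ida
.idq
.exe
[DenyUrlSequences]
..    ; directory traversal
:     ; also stops ::$DATA alternate-stream requests
%     ; a literal percent that survived normalization
"""


def parse_ini(text):
    """Return {section: [entries]} with ';' comments stripped, as URLScan reads it."""
    policy, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("["):
            current = policy.setdefault(line.strip("[]").lower(), [])
        elif line and current is not None:
            current.append(line)
    return policy


def screen(verb, url, policy):
    """Return None if the request passes, else the reason URLScan.log would record."""
    opts = dict(e.replace(" ", "").lower().split("=", 1) for e in policy["options"])
    if opts["useallowverbs"] == "1" and verb.upper() not in policy["allowverbs"]:
        return "verb not allowed: " + verb
    path = url.split("?", 1)[0]  # the extension is taken from the path, not the query
    if opts["normalizeurlbeforescan"] == "1":
        once = unquote(path)
        if opts["verifynormalization"] == "1" and unquote(once) != once:
            return "URL normalization failed (double encoding)"
        path = once
    if opts["allowhighbitcharacters"] == "0" and any(ord(c) > 0x7F for c in path):
        return "high-bit characters not allowed"
    for seq in policy["denyurlsequences"]:
        if seq in path:
            return "URL sequence not allowed: " + seq
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext in [e.lower() for e in policy["denyextensions"]]:
        return "extension not allowed: " + ext
    return None


if __name__ == "__main__":
    pol = parse_ini(URLSCAN_INI)
    for v, u in [("GET", "/default.asp"), ("GET", "/NUL.printer"), ("PROPFIND", "/")]:
        print(v, u, "->", screen(v, u, pol) or "allowed")
```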
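For the "Monitoring and logging" section and footnote 7, an added example that is not from the article: a Python review of IIS W3C log lines that flags the indicators the article names (Code Red style .ida requests, +.htr, .printer and root.exe requests) and decodes the %uXXXX escapes of the Code Red request into bytes so the 0x90 NOPs can be counted. The log lines, client addresses and field layout are constructed for the example.

```python
import re
from collections import Counter

# Constructed IIS W3C extended log excerpt (not from a real server). Field
# order follows the #Fields line; only a subset of the usual fields is kept.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-04 10:02:11 10.0.0.5 GET /index.asp - 200
2001-08-04 10:02:13 10.0.0.9 GET /default.ida NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 200
2001-08-04 10:02:20 10.0.0.9 GET /scripts/root.exe - 404
2001-08-04 10:02:31 10.0.0.7 GET /site1/global.asa+.htr - 200
2001-08-04 10:02:40 10.0.0.7 GET /NUL.printer - 500
2001-08-04 10:02:50 10.0.0.5 GET /products.asp id=42 200
"""

# Indicators named in the article: (label, test on uri-stem and uri-query).
INDICATORS = [
    ("Code Red style .ida/.idq request",
     lambda stem, query: stem.lower().endswith((".ida", ".idq")) and "%u" in query.lower()),
    ("+.htr source disclosure attempt (MS01-004)",
     lambda stem, query: stem.lower().endswith("+.htr")),
    (".printer ISAPI request (MS01-023)",
     lambda stem, query: stem.lower().endswith(".printer")),
    ("root.exe / cmd.exe requested over HTTP (Nimda trace)",
     lambda stem, query: stem.lower().endswith(("/root.exe", "/cmd.exe"))),
]


def decode_unicode_escapes(text):
    """Turn IIS %uXXXX escapes into the bytes they stand for (footnote 7):
    each 16-bit value is emitted little-endian, so %u9090 -> 0x90 0x90 and
    %u6858 -> 0x58 0x68."""
    out = bytearray()
    for match in re.finditer(r"%u([0-9a-fA-F]{4})", text):
        value = int(match.group(1), 16)
        out += bytes((value & 0xFF, value >> 8))
    return bytes(out)


def review_log(text):
    """Return (client_ip, indicator, detail) for each suspicious log line."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(" ")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than abort the whole review
        _date, _time, ip, method, stem, query, status = fields
        for label, matches in INDICATORS:
            if matches(stem, query):
                detail = f"{method} {stem} -> {status}"
                if "%u" in query.lower():
                    code = decode_unicode_escapes(query)
                    detail += f"; {code.count(0x90)} NOP bytes among {len(code)} decoded"
                findings.append((ip, label, detail))
    return findings


def findings_per_client(findings):
    """Count findings per client IP so the worst offenders surface first."""
    return Counter(ip for ip, _, _ in findings).most_common()


if __name__ == "__main__":
    for ip, label, detail in review_log(SAMPLE_LOG):
        print(ip, label, detail, sep=" | ")
```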