Vulnerabilities > CVE-2007-2897 - Unspecified vulnerability in Microsoft Internet Information Server 6.0
Summary
Microsoft Internet Information Services (IIS) 6.0 mishandles requests for a URI in which the name of a DOS device is immediately preceded and followed by a '/', as demonstrated by the /AUX/.aspx URI; such requests bypass a blacklist for DOS device requests. Remote attackers can use this to cause a denial of service (server instability or device hang) and possibly obtain sensitive information (device communication traffic). Attackers with physical access might also be able to execute arbitrary code after connecting a data stream to a device COM port.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Nessus
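NASL family Web Servers NASL id ASP_NET_DEVICE_DOS.NASL description The web server running on the remote host appears to be using Microsoft ASP.NET, and may be affected by a denial of service vulnerability. Requesting a URL containing an MS-DOS device name can cause the web server to become temporarily unresponsive. An attacker could repeatedly request these URLs, resulting in a denial of service. Additionally, there is speculation that this vulnerability could result in code execution if an attacker with physical access to the machine connects to a serial port. last seen 2020-06-01 modified 2020-06-02 plugin id 64588 published 2013-02-13 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64588 title Microsoft ASP.NET MS-DOS Device Name DoS code
#
# (C) Tenable Network Security, Inc.
#

# Active check for CVE-2007-2897. The plugin sends one GET for a URL whose
# path contains an MS-DOS device name (/AUX/.aspx) and reports the port when
# the reply is an HTTP 500 or carries ASP.NET error text.
#
# Listing note: line breaks are restored here so that each '#' comment ends
# where it should; collapsed onto one line, a comment hides the code after it.

include("compat.inc");

if (description)
{
  script_id(64588);
  script_version("1.5");
  script_cvs_date("Date: 2019/12/04");

  script_cve_id("CVE-2007-2897");
  script_bugtraq_id(51527);
  script_xref(name:"EDB-ID", value:"3965");

  script_name(english:"Microsoft ASP.NET MS-DOS Device Name DoS");
  script_summary(english:"Attempts a PoC");

  script_set_attribute(attribute:"synopsis", value:
"A framework used by the remote web server has a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The web server running on the remote host appears to be using Microsoft ASP.NET, and may be affected by a denial of service vulnerability. Requesting a URL containing an MS-DOS device name can cause the web server to become temporarily unresponsive. An attacker could repeatedly request these URLs, resulting in a denial of service. 
Additionally, there is speculation that this vulnerability could result in code execution if an attacker with physical access to the machine connects to a serial port.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/May/378");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/May/415");
  # https://groups.google.com/forum/?fromgroups=#!msg/microsoft.public.inetserver.iis/OUygrC7gO_A/Z0Juq-hkfZ0J
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d32fbf50");
  # Mitigation is request filtering in front of ASP.NET; no vendor patch is
  # referenced anywhere in this plugin.
  script_set_attribute(attribute:"solution", value:
"Use an ISAPI filter to block requests for URLs with MS-DOS device names.");
  # The base vector is taken from the CVE entry (see cvss_score_source below)
  # and rates confidentiality, integrity and availability as partial.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2007-2897");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/05/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:asp.net");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  # The check only runs when paranoid reporting is enabled.
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

# Bail out unless the scan runs in paranoid mode. Presumably this is because
# the match below (any HTTP 500 or generic error text) is a weak signal, so
# a hit is a candidate for manual verification, not a confirmed finding.
if (!get_kb_item('Settings/ParanoidReport')) audit(AUDIT_PARANOID);

# asp:TRUE presumably limits the check to web servers that support ASP.
port = get_http_port(default:80, asp:TRUE);

# Probe URL: the device name AUX with a '/' on either side, the form the
# advisory says bypasses the DOS device blacklist. Defenders can look for
# the same pattern (a device name as its own path segment) in request logs.
url = '/AUX/.aspx';

# Allow 10 seconds beyond the configured read timeout; the description says
# an affected server can become temporarily unresponsive.
timeout = get_read_timeout() + 10;
http_set_read_timeout(timeout);

# NOTE(review): with exit_on_fail:TRUE a server that never answers makes the
# plugin exit here instead of reporting, so a hang caused by the probe would
# presumably not be reported by this check -- confirm.
res = http_send_recv3(method:'GET', item:url, port:port, exit_on_fail:TRUE);
headers = parse_http_headers(status_line:res[0], headers:res[1]);

# Any one of three indicators counts: status code 500, or either error
# string anywhere in the response body (res[2]).
if (
  headers['$code'] == 500 ||
  'Runtime Error' >< res[2] ||
  'HttpException' >< res[2]
)
{
  if (report_verbosity > 0)
  {
    header =
      'Nessus received an HTTP 500 or related error message by requesting\n' +
      'the following URL';
    report = get_vuln_report(header:header, items:url, port:port);
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else audit(AUDIT_LISTEN_NOT_VULN, 'web server', port);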
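NASL family Web Servers NASL id ASP_NET_DEVICE_DOS2.NASL description The web server running on the remote host appears to be using Microsoft ASP.NET, and may be affected by a denial of service vulnerability. Requesting a URL containing an MS-DOS device name can cause the web server to become temporarily unresponsive. An attacker could repeatedly request these URLs, resulting in a denial of service. Additionally, there is speculation that this vulnerability could result in code execution if an attacker with physical access to the machine connects to a serial port. This plugin does not attempt to exploit the vulnerability and only runs when 'Check for PCI-DSS compliance' is enabled in the scan policy. last seen 2020-06-01 modified 2020-06-02 plugin id 64589 published 2013-02-13 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/64589 title Microsoft ASP.NET MS-DOS Device Name DoS (PCI-DSS check) code
#
# (C) Tenable Network Security, Inc.
#

# Passive counterpart of the CVE-2007-2897 check. It never requests a device
# name URL; it reads the X-Powered-By and X-AspNet-Version response headers
# and warns when they indicate ASP.NET 1.x, or ASP.NET with no version shown.
#
# Listing note: line breaks are restored here so that each '#' comment ends
# where it should; collapsed onto one line, a comment hides the code after it.

include("compat.inc");

if (description)
{
  script_id(64589);
  script_version("1.7");
  script_cvs_date("Date: 2019/12/04");

  script_cve_id("CVE-2007-2897");
  script_bugtraq_id(51527);
  script_xref(name:"EDB-ID", value:"3965");

  script_name(english:"Microsoft ASP.NET MS-DOS Device Name DoS (PCI-DSS check)");
  script_summary(english:"Checks the web sever banner");

  script_set_attribute(attribute:"synopsis", value:
"A framework used by the remote web server has a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The web server running on the remote host appears to be using Microsoft ASP.NET, and may be affected by a denial of service vulnerability. Requesting a URL containing an MS-DOS device name can cause the web server to become temporarily unresponsive. An attacker could repeatedly request these URLs, resulting in a denial of service. 
Additionally, there is speculation that this vulnerability could result in code execution if an attacker with physical access to the machine connects to a serial port. This plugin does not attempt to exploit the vulnerability and only runs when 'Check for PCI-DSS compliance' is enabled in the scan policy. This plugin reports all web servers using ASP.NET 1.1. If it cannot determine the version, it will report all web servers using ASP.NET. Manual verification is required to determine if a vulnerability is present.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/May/378");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2007/May/415");
  # https://groups.google.com/forum/?fromgroups=#!msg/microsoft.public.inetserver.iis/OUygrC7gO_A/Z0Juq-hkfZ0J
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d32fbf50");
  script_set_attribute(attribute:"solution", value:
"Use an ISAPI filter to block requests for URLs with MS-DOS device names.");
  # Scored manually as availability-only (C:N/I:N/A:P); the rationale
  # attribute below records why the score is limited to denial of service.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"manual");
  script_set_attribute(attribute:"cvss_score_rationale", value:"An in-depth analysis by Tenable researchers revealed this to be a DOS only exploit.");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/05/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:asp.net");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("webmirror.nasl");
  # The check only runs when the PCI-DSS setting is present in the KB.
  script_require_keys("Settings/PCI_DSS");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Bail out unless the scan policy has the PCI-DSS setting enabled.
if (!get_kb_item("Settings/PCI_DSS")) audit(AUDIT_PCI);

# asp:TRUE presumably limits the check to web servers that support ASP.
port = get_http_port(default:80, asp:TRUE);
banner = get_http_banner(port:port);

# check the banner first
if (!isnull(banner))
{
  headers = parse_http_headers(status_line:banner, headers:banner);
  poweredby = headers['x-powered-by'];
  aspnet_version = headers['x-aspnet-version'];

  # Warn on a version header starting with "1.", or on ASP.NET announced
  # with no version header at all.
  # NOTE(review): '^1\\.' matches any 1.x value, while the description
  # speaks of ASP.NET 1.1 only.
  if (
    aspnet_version =~ '^1\\.' ||
    (isnull(aspnet_version) && 'ASP.NET' >< poweredby)
  )
  {
    security_warning(port);
    exit(0);
  }
}

# then check each dir (the x-aspnet-version header appears to show up on a per-app basis)
foreach dir (cgi_dirs())
{
  url = dir + '/';
  if (url == '/') continue; # already checked this

  # HEAD is enough here: only the response headers are inspected.
  res = http_send_recv3(method:'HEAD', item:url, port:port, exit_on_fail:TRUE);
  headers = parse_http_headers(status_line:res[0], headers:res[1]);
  aspnet_version = headers['x-aspnet-version'];

  # Per-directory pass: only an explicit 1.x version header triggers a warning.
  if (aspnet_version =~ '^1\\.')
  {
    security_warning(port);
    exit(0);
  }
}

# The result rests on response headers alone. A server with these headers
# removed or altered ends up here, so this audit line is not evidence that
# the host is unaffected.
audit(AUDIT_LISTEN_NOT_VULN, 'web server', port);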
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 51527 CVE ID: CVE-2007-2897 Internet Information Services(IIS,互联网信息服务)是由微软公司提供的基于运行Microsoft Windows的互联网基本服务。 IIS 6.0在请求特制路径时存在拒绝服务漏洞,远程攻击者可利用此漏洞使应用程序挂起或泄漏敏感信息,物理接触系统的攻击者可以当前用户权限执行任意代码。 0 Microsoft IIS 6.0 厂商补丁: Microsoft --------- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.microsoft.com/technet/security/ |
id | SSV:30067 |
last seen | 2017-11-19 |
modified | 2012-02-01 |
published | 2012-02-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-30067 |
title | Microsoft IIS 6.0 DOS设备请求安全限制绕过漏洞 |
References
- http://archives.neohapsis.com/archives/fulldisclosure/2007-05/0419.html
- http://archives.neohapsis.com/archives/fulldisclosure/2007-05/0419.html
- http://seclists.org/fulldisclosure/2007/May/0378.html
- http://seclists.org/fulldisclosure/2007/May/0378.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34418
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34418