Vulnerability ID |
12042 |
Risk level |
40 |
Port |
80, ... |
Protocol |
TCP |
Category |
WWW |
Detailed description |
The Microsoft IIS 5.0 WebDAV service is vulnerable to a buffer overflow attack. WebDAV (Web Distributed Authoring and Versioning) is an extension of the HTTP 1.1 protocol designed to add distributed authoring and version management for web content (RFC2518). IIS 5.0 is installed and runs on Microsoft Windows 2000 systems, and WebDAV is enabled by default. The vulnerability in WebDAV allows a remote attacker to execute arbitrary code on the target system. A buffer overflow vulnerability exists in ntdll.dll (a piece of code used by the IIS WebDAV component). By sending a specially crafted request to an IIS 5.0 server, an attacker can execute arbitrary code with Local System privileges and may gain complete control of the system.
* Reference sites:
  http://www.cert.org/advisories/CA-2003-09.html
  http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
  http://support.microsoft.com/default.aspx?kbid=241520
* Affected platforms: Microsoft IIS 5.0, Windows 2000, any version |
Solution |
If IIS WebDAV is required, apply the appropriate patch to the system as described in Microsoft Security Bulletin MS03-007: http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en
-- OR --
If WebDAV is not required, it should be disabled on the system. To disable WebDAV:
1. Use the IIS Lockdown tool. The tool is available at: http://www.microsoft.com/download/en/details.aspx?id=25064
2. Alternatively, disable it by following the instructions in Microsoft Knowledge Base Article 241520, "How to Disable WebDAV for IIS 5.0": http://support.microsoft.com/default.aspx?scid=kb;en-us;241520
To completely disable WebDAV, including PUT and DELETE requests, make the following change in the registry.
1) Start Registry Editor (Regedt32.exe).
2) Locate and click the following key in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters
3) On the Edit menu, click Add Value, and then add the following registry value:
   Value name: DisableWebDAV
   Data type: DWORD
   Value data: 1
3. URLScan can also be used; it can block web requests that use the 'PROPFIND' method. Information about URLScan is available at: http://support.microsoft.com/default.aspx?scid=kb;[LN];326444
-- OR --
If neither the IIS Lockdown tool nor URLScan can be used, Microsoft's URL Buffer Size Registry tool can be used to limit the size of the buffer that IIS uses to process requests. The tool can be run against local or remote Windows 2000 systems that have Service Pack 2 or Service Pack 3 installed. For usage, and for instructions on making the registry change manually, see the following sites:
URL Buffer Size Registry Tool - http://go.microsoft.com/fwlink/?LinkId=14875
Microsoft Knowledge Base Article 816930 - http://support.microsoft.com/default.aspx?scid=kb;en-us;816930
Microsoft Knowledge Base Article 260694 - http://support.microsoft.com/default.aspx?scid=kb;en-us;260694 |
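The following audit sketch is an added example, not part of the original entry or of any Microsoft tool: it checks whether the two configuration mitigations described in the solution above (the DisableWebDAV registry value and a URLScan rule that rejects PROPFIND) are actually in place. The function names are hypothetical, the inputs are assumed to be the decoded text of a regedit export and of a URLScan.ini file, and the sample inputs are constructed.

```python
import re

# Registry key named in the solution above; the sample inputs below are constructed.
W3SVC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters"

def webdav_disabled_in_registry(reg_export: str) -> bool:
    """True if a regedit text export sets DisableWebDAV to DWORD 1 under W3SVC_KEY."""
    section = ""
    for line in map(str.strip, reg_export.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section.upper() == W3SVC_KEY.upper():
            m = re.fullmatch(r'"DisableWebDAV"\s*=\s*dword:([0-9a-f]{1,8})', line, re.I)
            if m:
                return int(m.group(1), 16) == 1
    return False

def urlscan_blocks(ini_text: str, verb: str = "PROPFIND") -> bool:
    """True if this URLScan.ini would reject requests that use `verb`."""
    sections, current = {}, None
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), [])
        elif line and current is not None:
            current.append(line)
    opts = dict(l.lower().replace(" ", "").split("=", 1)
                for l in sections.get("options", []) if "=" in l)
    # Assumption: a missing UseAllowVerbs is treated as 1 (allow-list mode).
    if opts.get("useallowverbs", "1") == "1":
        return verb not in sections.get("allowverbs", [])   # allow list is case-sensitive
    return verb.upper() in {v.upper() for v in sections.get("denyverbs", [])}

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters]
"DisableWebDAV"=dword:00000001
"""
SAMPLE_INI = """[options]
UseAllowVerbs=0   ; use the [DenyVerbs] section
[DenyVerbs]
PROPFIND
"""

if __name__ == "__main__":
    print("DisableWebDAV set:", webdav_disabled_in_registry(SAMPLE_REG))
    print("URLScan blocks PROPFIND:", urlscan_blocks(SAMPLE_INI))
```

A passing check only confirms the configuration; it does not show that the MS03-007 patch is installed.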
Related URL |
CVE-2003-0109 (CVE) |
Related URL |
7116 (SecurityFocus) |
Related URL |
11533 (ISS) |
|