Vulnerability ID 21227
Risk level 40
Port 80, ...
Protocol TCP
Category CGI
Description A Windows CGI interpreter file was found in the CGI bin directory on the web server. A common web server misconfiguration is to place a shell interpreter (cmd.exe) in the CGI bin directory (such as /cgi-bin/ or /scripts/). In addition, the documentation for some early web servers states that CGI script interpreters (such as perl.exe or java.exe) should be located in the CGI bin directory.
Placing shell interpreters or CGI script interpreters in the CGI bin directory can allow a remote attacker to execute arbitrary commands through those interpreters. By sending a specially crafted HTTP request, a remote attacker can cause these shells to execute arbitrary commands on the server.

* References:
http://www.cert.org/advisories/CA-1996-11.html

* Affected platforms:
Any HTTP server, any version
Microsoft Windows Any version
Solution If any CGI programs need access to a CGI script interpreter or shell interpreter, move that interpreter outside the WWW root, and modify those CGI programs so that they can find the interpreter at its new location.

-- AND --

If no programs use a CGI script interpreter or shell interpreter, remove the interpreter from the CGI bin directory.
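
A local audit for the condition described above, as an added example that is not part of the original entry: it walks a web root and reports interpreter binaries, separating those inside a CGI directory from those elsewhere under the root, which still do not meet the "outside the WWW root" requirement. The function names, the sample tree and the extra interpreter names (`command.com`, `php.exe`) are assumptions.

```python
import os
import tempfile

# cmd.exe, perl.exe and java.exe come from the description; the other names
# are assumptions to adapt locally. Renamed copies are not caught by name.
INTERPRETERS = {"cmd.exe", "perl.exe", "java.exe", "command.com", "php.exe"}
CGI_DIR_NAMES = {"cgi-bin", "scripts"}  # directory names from the description


def audit_web_root(web_root):
    """Return sorted (relative_path, finding) pairs for interpreters under web_root."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower() not in INTERPRETERS:  # Windows names are case-insensitive
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), web_root)
            parents = {p.lower() for p in rel.split(os.sep)[:-1]}
            # Directly exposed case: interpreter inside a CGI bin directory.
            # Anywhere else under the root still fails "outside the WWW root".
            where = "in CGI directory" if parents & CGI_DIR_NAMES else "under web root"
            findings.append((rel.replace(os.sep, "/"), where))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed sample layout (not from the page) for an offline run."""
    for rel in ("scripts/CMD.EXE", "cgi-bin/tools/perl.exe", "cgi-bin/form.pl",
                "bin/java.exe", "index.html"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for rel, where in audit_web_root(root):
            print(f"{where}: {rel}")
```
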
Related URL CVE-1999-0509 (CVE)
Related URL (SecurityFocus)
Related URL 146 (ISS)