Emergence of the Code Blue Worm and Countermeasures
A3 Security Consulting
2001-09-11 00:00:00
이석기, Consultant
1. Description
A new type of worm that exploits the UNICODE Web Server Folder Traversal vulnerability in the IIS server shipped with Windows NT/2000 systems has been discovered in China. Administrators and individual users of these systems should take particular care.
The UNICODE Web Server Folder Traversal vulnerability is a canonicalization error in IIS 4.0/IIS 5.0 involving extended Unicode in URLs; this IIS error makes directory traversal possible.
For more details, see the sites below.
- http://www.microsoft.com/technet/security/bulletin/MS00-057.asp
- http://www.microsoft.com/technet/security/bulletin/MS00-078.asp
- http://www.kb.cert.org/vuls/id/111677
2. Affected systems
Windows NT/2000 systems running an IIS server (IIS 4.0 and IIS 5.0)
3. Attack method
The Code Blue worm attacks Windows NT/2000 systems by exploiting the UNICODE Web Server Folder Traversal vulnerability in the IIS server.
4. Symptoms
Systems infected with the Code Blue worm slow down noticeably, and in some cases the web service or the system itself can be completely paralyzed. The worm also modifies the registry so that it runs automatically when the system reboots, creating the following registry key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Domain Manager="c:\svchost.exe"
In addition, c:\Svchost.exe and c:\d.vbs are created, and Httpext.dll is created in C:\Inetpub\wwwroot\scripts, the web service's executable directory.
※ Note: the following files are legitimate.
c:\windows\system32\Svchost.exe
c:\windows\system32\dllcache\Svchost.exe
c:\windows\system32\dllcache\httpext.dll
c:\windows\system32\intsrv\httpext.dll
Files such as httpext.dll may be created on the system. In addition, between 10 a.m. and 11 a.m. the worm attempts connections to 211.99.196.135, an IP address allocated to China, causing a denial-of-service attack.
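The indicators above can be checked against a collected file listing, an export of the Run key and outbound connection records. The following Python triage function is an added example, not part of the original advisory; the function names, input shapes and sample data are assumptions constructed for illustration.

```python
import ntpath

# Artefacts from the advisory's "Symptoms" section, lower-cased for comparison.
WORM_FILES = {
    r"c:\svchost.exe",
    r"c:\d.vbs",
    r"c:\inetpub\wwwroot\scripts\httpext.dll",
}
RUN_VALUE_NAME = "domain manager"
RUN_VALUE_DATA = r"c:\svchost.exe"
DOS_TARGET_IP = "211.99.196.135"


def norm(path):
    """Normalise a Windows path: strip quotes, unify separators, fold case."""
    return ntpath.normpath(path.strip().strip('"\u201c\u201d')).lower()


def triage(file_paths, run_values, remote_ips=()):
    """Return a sorted list of (kind, detail) findings.

    file_paths: full paths from a directory listing (hypothetical input shape)
    run_values: dict of value name -> data read from the Run key
    remote_ips: destination IPs taken from firewall or proxy logs
    """
    findings = []
    for p in file_paths:
        # Exact-path match, so the legitimate system32 copies are not flagged.
        if norm(p) in WORM_FILES:
            findings.append(("file", norm(p)))
    for name, data in run_values.items():
        if name.strip().lower() == RUN_VALUE_NAME and norm(data) == RUN_VALUE_DATA:
            findings.append(("run-key", f"{name}={norm(data)}"))
    if DOS_TARGET_IP in {ip.strip() for ip in remote_ips}:
        findings.append(("network", DOS_TARGET_IP))
    return sorted(findings)


# Constructed sample data (not taken from a real host).
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\Svchost.exe",           # legitimate per the advisory
    r"C:\windows\system32\dllcache\httpext.dll",  # legitimate per the advisory
    r"C:\Svchost.exe",
    r"C:\D.VBS",
    "C:/Inetpub/wwwroot/scripts/Httpext.dll",
]
SAMPLE_RUN = {"Domain Manager": '"c:\\svchost.exe"', "Agent": r"C:\Tools\agent.exe"}
```

Matching is done on the full normalised path rather than the file name, because the advisory lists files with the same names under system32 as legitimate.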
5. Resolution
Immediately apply the patches below to Windows NT/2000 systems to remove the vulnerability abused in the attack.
o IIS 4.0 http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp
o IIS 5.0 http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
※ Users who have applied Microsoft's MS00-057 patch (the Unicode vulnerability patch) do not need to apply an additional patch for this vulnerability. Because the worm attacks through an already known IIS 4.0/5.0 vulnerability, servers with that patch applied do not have the vulnerability.
※ The IIS 4.0 patch can be applied to Windows NT 4.0 Service Pack 5 and 6a, and the IIS 5.0 patch can be applied to Windows 2000 Service Pack 1. Service Pack 2 already includes the patch for this vulnerability, so no additional patch is needed if Service Pack 2 is already installed.
(Source: www.certcc.or.kr)
ⓒ 데이터넷 (Datanet) (http://t564.ndsoftnews.com). Unauthorized reproduction and redistribution prohibited.