IIS4\IIS5 CGI environment block forgery 0day vulnerability - vulnerability warning - the black bar safety net

2014-04-10T00:00:00
ID MYHACK58:62201444399
Type myhack58
Reporter Anonymous
Modified 2014-04-10T00:00:00

Description

A 0day found about 14 years ago and still present today

It is an IIS4\IIS5 vulnerability. The affected operating systems are WinNT and Win2000, software that Microsoft no longer supports; their strategy is to phase these systems out, and after a one-to-one report Microsoft decided not to fix it. It should be considered a very serious vulnerability; the software it affects now has a relatively low usage rate, but the total number of installations is still large.

Specific vulnerability details are as follows:

IIS CGI loading environment block forgery vulnerability
Hazard rating: high-risk
Hazard type: buffer overflow, remote code execution, information disclosure
Affected platforms: WinNT\Win2000
Affected software: IIS4 and IIS5

Basic situation:

When IIS4 and IIS5 load a CGI and build the process environment block, they wrongly replace the "\n" character with "\x00"; as a result, arbitrary environment block variables can be forged. When IIS loads a CGI, it adds the prefix "HTTP_" to the request headers it places in the environment so that they can be distinguished from local environment variables. Through the "\n" replaced by "\0" flaw, this prefix can be removed, so that any environment block variable can be forged. An attacker can submit "a=b\nPATH_TRANSLATED:var" in an HTTP header, so that when IIS loads the CGI the environment block variables become "HTTP_a=b" and "PATH_TRANSLATED=var". With the environment block variable "PATH_TRANSLATED=var" successfully forged, php.exe executes the script file "var", and arbitrary commands can thus be executed.

A CGI can be loaded in two ways. One is a program compiled directly into an .exe executable; common examples are counters, applications that sites develop themselves, and some fairly widely used web applications. The other is a generic script interpreter mapped to an .EXE. Interpreters mapped to a .dll are ISAPI and are not affected; this covers the common PHP\PERL script mappings and the like.

The specific hazard depends on how the particular CGI program handles the environment block. Possible results include:

1. A buffer overflow when the CGI processes local environment variables: some CGIs process local environment variables without checking buffer sizes, because these variables normally cannot be set by a client and could be trusted.
2. Some environment block variables affect the CGI's processing logic, trust relationships, and so on.
3. A loaded DLL or a spawned process may load the attacker's program, because the PATH environment variable has been forged.

Verification steps:

1. On Win2000 + IIS5, configure the .php extension to map to php.exe (i.e., the CGI way; if it is mapped to a .dll, that is the ISAPI way and does not have this vulnerability).

2. Send the request:

“GET /a.php HTTP/1.1\r\na=b\nPATH_TRANSLATED:c:\windows\win.ini\r\nHOST: a 192.168.0.1\r\n\r\n”

3. IIS returns the contents of win.ini.

4. PHP commands can also be written into the IIS log file; with this vulnerability php.exe can be made to execute the IIS log file, running system commands, etc.
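To make the mechanism in the description and the verification request concrete, here is an added model of the flawed environment-block construction beside a hardened form that refuses such headers. This is illustrative code written for this page, not the advisory's, the exploit's, or IIS's own code; the exact header-to-variable mapping ("HTTP_<name>=<value>") is modelled on the advisory's wording and is an assumption, and the sample request is constructed.

```python
# Added illustration of the bug described in the advisory. Assumptions: a header
# line becomes "HTTP_<name>=<value>" exactly as the advisory states, and the block
# uses the Win32 layout (NUL-separated "NAME=value" entries, double-NUL terminated).

CONTROL_CHARS = ("\r", "\n", "\x00")


def header_lines(raw_request: str) -> list:
    """Header lines after the request line, split on CRLF only,
    so a bare "\n" stays inside a single header line."""
    head = raw_request.partition("\r\n\r\n")[0]
    return head.split("\r\n")[1:]


def build_env_block(lines: list, hardened: bool) -> str:
    """Assemble the CGI environment block from request header lines.

    hardened=False models IIS4/IIS5: the embedded "\n" becomes "\x00", the entry
    separator, so one header yields two entries and the second lacks HTTP_.
    hardened=True rejects any header with a control character or "=" in its name.
    """
    entries = []
    for line in lines:
        name, _, value = line.partition(":")
        if hardened:
            if any(c in line for c in CONTROL_CHARS) or "=" in name:
                raise ValueError(f"refusing header {line!r}")
            entries.append("HTTP_" + name.strip() + "=" + value.strip())
        else:
            entry = "HTTP_" + name + "=" + value.strip()
            entries.append(entry.replace("\n", "\x00"))
    return "\x00".join(entries) + "\x00\x00"


def parse_env_block(block: str) -> dict:
    """Read the block back the way the CGI process's C runtime would."""
    env = {}
    for entry in block.rstrip("\x00").split("\x00"):
        name, _, value = entry.partition("=")
        env[name] = value
    return env


def forged_variables(env: dict) -> dict:
    """Entries the CGI sees outside the HTTP_ namespace: what a correct
    front end must never let a client produce (here: PATH_TRANSLATED)."""
    return {k: v for k, v in env.items() if not k.startswith("HTTP_")}


# Constructed sample, shaped like the advisory's verification request.
SAMPLE_REQUEST = (
    "GET /a.php HTTP/1.1\r\n"
    "a=b\nPATH_TRANSLATED:c:\\windows\\win.ini\r\n"
    "Host: 192.168.0.1\r\n\r\n"
)
```

Running `forged_variables(parse_env_block(build_env_block(header_lines(SAMPLE_REQUEST), hardened=False)))` shows the injected PATH_TRANSLATED entry, while the hardened build refuses the same request outright.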

The exploit procedure:

<http://hi.baidu.com/yuange1975/item/cefea0c63156032f46d5c050>

April 1 (April Fools' Day) version:

<http://seclists.org/fulldisclosure/2012/Apr/13>

Usage:

iisexp411 127.0.0.1 /AprilFools'Day.php PATH_TRANSLATED c:\windows\win.ini
