Full Disclosure mailing list archives
Re: iis4\iis5 cgi bug and WEB Service CGI Interface Vulnerability Analysis (continued)
From: yuange <yuange1975 () hotmail com>
Date: Sat, 11 Dec 2010 14:10:02 +0000
Ms test that was given, but the developers do not think ms loopholes, really interesting, have to make to provide a successful test case. Do not bother them again, and developers say. The following test: 1, the environment, the latest patch win2003 iis6; 2, configure, make maps. Ida -> c: \ windows \ system32 \ idq.dll,. Php-> c: \ php \ php.exe 3, test, first open the procexp to view the process environment variables, request: http://127.0.0.1/test.php/bb.ida W3wp.exe process quickly with procexp open a new process under the php.exe, view the environment variables: SCRIPT_NAME = / test.php PATH_INFO = / test.php / bb.idq PATH_TRANSLATED = c: \ inetpub \ wwwroot \ test.php \ bb.ida Indicating the request http://127.0.0.1/test.php/bb.ida, IIS6 identification is mapped. Php, cgi and variable PATH_TRANSLATED is the execution of the program script, PATH_TRANSLATED = c: \ inetpub \ wwwroot \ test.php \ bb. ida, that to carry out. ida file. "What that means is, that I can go to any implementation of an interpreter of a mapping file." The consequences of a simple script file contents can leak, severe control of the server can execute the command. 曾经发给ms的测试说明,不过ms的开发人员认为不是漏洞,真有意思,非得让提供成功测试案例.懒得再和他们开发人员说了. 如下测试: 1、环境,最新补丁的win2003+iis6; 2、配置,做映射 .ida -> c:\windows\system32\idq.dll, .php-> c:\php\php.exe 3、测试,先打开procexp用于查看进程环境变量,请求:http://127.0.0.1/test.php/bb.ida 迅速用procexp打开w3wp.exe进程下新进程php.exe,查看环境变量: SCRIPT_NAME=/test.php PATH_INFO=/test.php/bb.ida PATH_TRANSLATED=c:\inetpub\wwwroot\test.php\bb.ida 说明请求http://127.0.0.1/test.php/bb.ida,IIS6识别是映射.php,而变量PATH_TRANSLATED是cgi程序执行的脚本, PATH_TRANSLATED=c:\inetpub\wwwroot\test.php\bb.ida,说明去执行了.ida文件。 “那意思是什么呢,就是说我可以任意以一种解释程序去执行一种影射文件”。 简单的后果是可以泄露脚本文件内容,严重的就可以执行命令控制服务器。 From: www417 () gmail com Date: Sat, 11 Dec 2010 18:48:09 +0800 Subject: Re: [Full-disclosure] iis4\iis5 cgi bug and WEB Service CGI Interface Vulnerability Analysis (continued) To: yuange1975 () hotmail com yuange: 这篇文章的中文版以前就看过,但是当时没什么感觉。今天重读觉得有些启发。 如果没弄错,我想iiscmd程序应该是让php.exe去解释了c:\winnt\win.ini文件。 但是我想不出执行任意命令是怎么实现的。。。 应该不是缓冲区溢出那种暴力的方式,应该是一种比较巧妙的方法。 3w417 在 2010年12月11日 下午2:06,yuange <yuange1975 () hotmail com>写道: Too many bad things in the belly of the fast. 2000 of iis, unicode \ decode \ cgi \ webdav \ etc vulnerability, reaching a peak, and later transferred to rpc study. Now there is a 01 or so found a serious flaw, iis4, 5 set error load ing cgi vulnerability, execute arbitrary commands or view arbitrary files. Spent nearly a decade, this vulnerability have been quickly eaten away. Because iis5.1 core code into the kernel start iis, this exploit code has been dropped, so will not need a later version. There are loopholes in some time ago to write an article. Did not intend to put out, and feel that soon decayed, it released together. http://hi.baidu.com/yuange1975/blog/item/6432bffa52252f0fa8d311ac.html C:\tool>iiscmd -s 192.168.0.112 -f c:\winnt\win.ini recv: HTTP/1.1 200 OK Server: Microsoft-IIS/5.0 Date: Sat, 11 Dec 2010 05:21:17 GMT Connection: close X-Powered-By: PHP/4.0.0 Content-type: text/html ; for 16-bit app support [fonts] [extensions] [mci extensions] [files] [Mail] MAPI=1 [MCI Extensions.BAK] asf=MPEGVideo asx=MPEGVideo ivf=MPEGVideo m3u=MPEGVideo mp2v=MPEGVideo mp3=MPEGVideo mpv2=MPEGVideo wax=MPEGVideo wm=MPEGVideo wma=MPEGVideo wmv=MPEGVideo wvx=MPEGVideo Server close! _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- how to anti Zozzle yuange (Dec 05)
- iis4\iis5 cgi bug and WEB Service CGI Interface Vulnerability Analysis (continued) yuange (Dec 10)
- Message not available
- Re: iis4\iis5 cgi bug and WEB Service CGI Interface Vulnerability Analysis (continued) yuange (Dec 11)
- Message not available
- iis4\iis5 cgi bug and WEB Service CGI Interface Vulnerability Analysis (continued) yuange (Dec 10)