IIS4 \ IIS5 CGI Environment block forgery 0 day

It was found about 14 years ago that the current 0-day vulnerability was IIS4 \ IIS5. The corresponding operating systems were winnt and win2000. Microsoft no longer supported these software and their strategies wanted to eliminate these systems, after the 11-year report, Microsoft decided not to fix it. It is a very serious vulnerability, but the affected software currently has a relatively low usage, but the total amount is also quite large. Detailed vulnerability information is as follows: Damage Level of IIS loading CGI Environment block Forgery Vulnerability: high risk hazard type: Buffer Overflow, remote code execution, Information Leakage impact platform: Winnt \ win2000 affected software: IIS4 and IIS5: When IIS4 and IIS5 load CGI and process the environment block, the \ n character is replaced with \ x00 by mistake, which can forge any environment block. When IIS loads CGI, it adds "HTTP _" prefix to its request and environment variables to distinguish them from local environment variables, by replacing "\ n" with "\ 0", you can remove these prefixes to forge any environment block variables. Attackers can submit "a = B \ nPATH_TRANSLATED: var" in the http header to execute arbitrary commands. Cgi.pdf has two methods, one for compiling executable programs compiled into .exe. Common examples include counters, applications developed by some websites, and WEB applications with a wide range of applications. There is also a general script mapped to. EXE interpretation execution (isapi is mapped to. dll, not affected), these common include PHP \ PERL scripts. For specific hazards, see the processing method of the specific CGI program on the Environment block. Some results may be: 1. Buffer overflow when CGI processes local environment variables, some CGI processes local environment variables because these variables cannot be set or are originally trusted, and the buffer size check is not considered. 2. Some environment block variables affect the processing logic and trust relationship of some CGI instances. 3. When loading a dll or a process, the attacker's program is loaded due to forged path environment variables. Verification steps: 1、win2000+iis5 .php ing to php.exe (that is, cgi Mode, if the shadow. dll is an isapi method, without this vulnerability) 2. Send a request: "GET/. php HTTP/1.1 \ r \ na = B \ nPATH_TRANSLATED: c: \ windows \ win. ini \ r \ nHOST: 192.168.0.1 \ r \ n "3. iis returns win. ini content. You can also use iis's log file to write the php Command, and use php.exe to call iis log files to execute system commands. Vulnerability exploitation program: http://hi.baidu.com/yuange1975/item/cefea0c63156032f46d5c050 November April 1: http://seclists.org/fulldisclosure/2012/Apr/13 Usage: iisexp411 127.0.0.1/AprilFools 'Day. php PATH_TRANSLATED c: \ windows \ win. ini