Confirmed working, however it can only overwrite environment variables whose name is all capitals; you can't overwrite Path.
So, you can overwrite CONTENT_LENGTH, which may trigger a buffer overflow in some applications that depend on this variable to allocate a buffer, or have the application allocate a huge amount of memory. And HTTPS/REMOTE_ADDR/REMOTE_HOST, which might trick some apps into lowering their security level, like allowing plaintext authentication since you're using HTTPS, or even bypassing auth altogether since it thinks the remote host is trusted. Or overwrite PATHEXT to put .CMD/.BAT/.VBS etc. before .EXE. Or PATH_TRANSLATED, so that you can have the CGI program read anything you want as its input, as long as the account running it has sufficient privilege. Anyway, there are a lot of possible ways of exploiting this.

'\n' must be present in the header name for this to work, like this:

junk=whatever\nEnvironment-Variable: Something

Which becomes 2 separate environment variables like this:

HTTP_JUNK=WHATEVER
ENVIRONMENT_VARIABLE=Something

And this:

junk\nEnvironment-Variable: Something

Gets turned into this:

ENVIRONMENT_VARIABLE=Something

If, for whatever reason, you really have to stick to Windows 2000+IIS 5, having an IDS/IPS and configuring a rule to detect '\n' in the HTTP header name may help. Otherwise, time to upgrade.

2014-04-19 4:15 GMT+08:00 Homer Parker <hpar...@homershut.net>:
> On Wed, 2014-04-16 at 12:25 +0200, Reindl Harald wrote:
> > On 16.04.2014 08:39, Davide Davini wrote:
> > > YiFei Yang wrote:
> > >> It is a bug affecting IIS4/5 using CGI on Windows NT/2000. Microsoft is
> > >> aware of it and won't fix it.
> > >
> > > Is there any workaround this bug? I might be slow but I can't find any
> >
> > just don't use unsupported OS versions if you care about
> > security - i know people even forgot NT/2000 existed
>
> Oh?
>
> <http://news.netcraft.com/archives/2014/04/08/thousands-of-websites-still-hosted-on-windows-xp.html>
>
> --
> Homer Parker <hpar...@homershut.net>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
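The IDS rule the post suggests ('\n' inside an HTTP header name), written out as detection logic. This is an added example, not code from the post or from any IDS product; the sample requests are constructed, and the header-name to CGI-variable mapping follows the post's Environment-Variable -> ENVIRONMENT_VARIABLE example.

```python
"""Detect a bare '\\n' inside an HTTP header name, the precondition for the
IIS 4/5 CGI environment-variable injection described in the post.
Added example: the sample requests are constructed, not captured traffic."""

# CGI variables the post names as overwrite targets; hits on these deserve a
# higher severity than an arbitrary injected name.
SENSITIVE_CGI_VARS = {
    "CONTENT_LENGTH", "HTTPS", "REMOTE_ADDR", "REMOTE_HOST",
    "PATHEXT", "PATH_TRANSLATED",
}

def cgi_name(header_name: str) -> str:
    """Header name -> CGI variable name, as in the post:
    'Environment-Variable' -> 'ENVIRONMENT_VARIABLE'."""
    return header_name.strip().upper().replace("-", "_")

def find_header_newline_injection(raw_request: bytes) -> list:
    """Return (raw_name, injected_cgi_var, is_sensitive) for every header
    whose name holds a bare LF. Lines are split on CRLF only, so a bare LF
    stays inside the name field where it can be inspected."""
    head, _, _body = raw_request.partition(b"\r\n\r\n")
    findings = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, _value = line.partition(b":")
        if not sep or b"\n" not in name:
            continue
        # The text after the last bare LF is what the gateway would export.
        injected = cgi_name(name.rsplit(b"\n", 1)[1].decode("latin-1"))
        findings.append(
            (name.decode("latin-1"), injected, injected in SENSITIVE_CGI_VARS)
        )
    return findings

# Constructed samples: a clean request and one carrying the post's pattern.
CLEAN_REQUEST = (
    b"GET /cgi-bin/app.exe HTTP/1.0\r\nHost: example.test\r\n"
    b"Content-Length: 0\r\n\r\n"
)
INJECTED_REQUEST = (
    b"GET /cgi-bin/app.exe HTTP/1.0\r\nHost: example.test\r\n"
    b"junk\nEnvironment-Variable: Something\r\n"
    b"x\nContent-Length: 1\r\n\r\n"
)

if __name__ == "__main__":
    for req in (CLEAN_REQUEST, INJECTED_REQUEST):
        print(find_header_newline_injection(req))
```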