Posted to dev@httpd.apache.org by Christopher Klaus <ck...@iss.net> on 1996/07/02 00:06:44 UTC

BoS: Microsoft Web Server Exploit



Here are the details on how the Microsoft IIS web server is exploited.  These
were obtained from OMNA's Web Page a few weeks ago and have been widely
circulated among the hacker community.  We will be adding the information
to our Vulnerability Database (www.iss.net) and will build the necessary checks
into upcoming products.




                Microsoft Internet Information Server v 1.0
                            ".bat" Security Bug

                                   0. Abstract

     The .bat and .cmd bug is well known in the Netscape server and described
     in WWW security FAQ Q59. The implementation of this bug (an undocumented
     remote administration feature) in the MicroSoft IIS Web server beats all
     the top scores.

     -----------------------------------------------------------------------

                            1. Default Configuration

     Let's consider fresh IIS Web server installation where all settings are
     default:

     1) CGI directory is /scripts

     2) There are no files abracadabra.bat or abracadabra.cmd in the
     /scripts directory.

     3) IIS Web server maps .bat and .cmd extensions to cmd.exe. Therefore the
     registry key

     HKEY_LOCAL_MACHINE\
     SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap

     has the following string:

     .bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s

     -----------------------------------------------------------------------

                                    2. Attack

     In this case a hacker with a malicious intent can send either one of
     the two command lines to the server:
          a) /scripts/abracadabra.bat?&dir+c:\+?&time
          b) /scripts/abracadabra.cmd?&dir+c:\+?&time
     and the following happens:

     1) Browser asks how you want to save a document. Notepad.exe or any
     other viewer would do for this "type" of application.

     2) Browser starts the download session. The download window appears on
     the screen.

     3) The hacker clicks the "cancel" button on the download window,
     because the "time" command on the server never terminates.

     4) Nothing is logged on the server side by the IIS Web server, because
     the execution process was not successfully terminated!!! (Thanks to the
     "time" command.) The only way to see that something happened is to
     review all your NT security logs. But they do not contain information
     like REMOTE_IP. Thus the hacker's machine remains fully anonymous.

     -----------------------------------------------------------------------

                                    3. Resume

     1) IIS Web server allows a hacker to execute his "batch file" by typing
     /scripts/abracadabra.bat?&COMMAND1+?&COMMAND2+?&...+?&COMMANDN
     In a similar situation with the Netscape server, only a single command
     can be executed.

     2) There is no file abracadabra.bat in the /scripts directory, but the
     .bat extension is mapped to C:\WINNT35\System32\cmd.exe
     In a similar situation with the Netscape server, the actual .bat file
     must exist.

     3) In case a hacker enters a command like "time" or "date" as
     COMMAND[N], nothing will be logged by the IIS Web server.
     In a similar situation with the Netscape server, the error log will
     have a record of the remote IP and the command you are trying to execute.

     -----------------------------------------------------------------------

                                  4. Workaround

     Disable the .BAT and .CMD file extensions for external CGI scripts in the
     file mapping feature of the IIS Web server.

     -----------------------------------------------------------------------

                             5. Reply from MicroSoft

     We sent the description of this bug to MicroSoft. Here one can see
     their reply and acknowledgement.

     -----------------------------------------------------------------------
     NOTE:

     We have studied MicroSoft bug "fix" and found out that the problem has
     not been fixed! If one uses a little bit more complicated command
     string, an arbitrary command on a server can be still effectively
     executed. And again, nothing will be logged by IIS. We will publish a
     detailed report on this bug in the nearest future.

     In addition, our network security partners recommend avoiding the use
     of IIS because of an even more severe "purple security bug," which they
     recently discovered in IIS.





                Microsoft Internet Information Server v 1.0
                       ".bat" Security Bug, Part II.

----------------------------------------------------------------------------

                                   0. Abstract

     The .bat and .cmd bug for Microsoft Internet Information Server is
     described here. Microsoft claims to have fixed this problem. The patch is
     available from Microsoft's site. We have studied this patch and
     found out that the problem has not been fixed! If one uses a little bit
     more complicated command string, an arbitrary command on a server can
     still be effectively executed. And again, nothing will be logged by
     IIS.

     -----------------------------------------------------------------------

                            1. Default Configuration

     We will consider the following settings:

     1) IIS Web server with the .bat/.cmd patch from Microsoft installed.
     (or IIS downloaded after March 5, 1996)

     2) CGI directory is /scripts

     3) Consider test.bat in the /scripts directory:
          @echo off
          echo Content-type: text/plain
          echo.
          echo Hello World!

     4) IIS Web server maps .bat and .cmd extensions to cmd.exe. Therefore the
     registry key

     HKEY_LOCAL_MACHINE\
     SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap

     has the following string:

     .bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s

     -----------------------------------------------------------------------

                                    2. Attack

     In this case a hacker with a malicious intent can send this command
     line to the server:
          /scripts/test.bat+%26dir+%26time+%26abracadabra.exe
     with the results described in detail previously.

     The good news is that now the file test.bat must actually be present in
     the scripts directory.

                                    3. Resume

     As long as IIS does not log information about unsuccessful hits there
     are ways for hackers to break your entire NT box. I don't want to
     discuss this matter in more detail, but our network security partners
     recommend avoiding the use of IIS because of an even more severe
     "purple security bug," which they recently discovered in IIS.

                                  4. Workaround

     Disable the .BAT and .CMD file extensions for external CGI scripts in the
     file mapping feature of the IIS Web server, or don't use .bat or .cmd
     files as scripts.

-- 
Christopher William Klaus	     Voice: (404)252-7270. Fax: (404)252-2427
Internet Security Systems, Inc.                        "Internet Scanner finds
Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328     your network security holes
Web: http://iss.net/  Email: cklaus@iss.net            before the hackers do."

----- End of forwarded message from Christopher Klaus -----

-- 
Sameer Parekh					Voice:   510-986-8770
Community ConneXion, Inc.			FAX:     510-986-8777
The Internet Privacy Provider
http://www.c2.net/				sameer@c2.net
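As an added example (not part of the forwarded advisory and not ISS's code), the following Python detection logic inspects request records captured in front of the server, where the advisory notes IIS itself logs nothing, for the two request shapes the advisory describes (the `?&` form and the patched-server `+%26` form). The request lines are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Constructed request records for the demo (not from any real server log);
# format is "<client-ip> <method> <request-target>". Since the advisory says
# IIS logs nothing for these hits, such records would come from a proxy,
# packet capture or firewall in front of the server.
SAMPLE_REQUESTS = [
    "10.0.0.5 GET /scripts/abracadabra.bat?&dir+c:\\+?&time",
    "10.0.0.6 GET /scripts/test.bat+%26dir+%26time+%26abracadabra.exe",
    "10.0.0.7 GET /scripts/test.bat?name=world",
    "10.0.0.8 GET /index.htm",
]

# Extensions the advisory says the default ScriptMap hands to cmd.exe /c.
CMD_MAPPED = re.compile(r"\.(bat|cmd)(?=$|[?+&/])", re.IGNORECASE)

# Commands the advisory singles out: they wait for input, the cmd.exe process
# never terminates, and IIS 1.0 writes no log entry for the hit.
HANGING_COMMANDS = {"time", "date"}


def extract_injected_commands(target):
    """Return the extra commands a cmd.exe-mapped request would run.

    The target is URL-decoded so the Part II form (%26) shows up as '&';
    everything after the .bat/.cmd name is then split on '&', the cmd.exe
    command separator. '+' is the CGI encoding of a space. A request with
    no '&' after the script name yields [].
    """
    decoded = unquote(target)
    match = CMD_MAPPED.search(decoded)
    if match is None:
        return []
    # Text before the first '&' is the script's own argument, not an injection.
    parts = decoded[match.end():].split("&")[1:]
    return [p.replace("+", " ").strip(" ?") for p in parts if p.strip(" ?+")]


def review_requests(lines):
    """Return (client_ip, commands, hangs) for each request that smuggles
    commands into a cmd.exe-mapped script; hangs is True when one of them is
    a command the advisory says leaves the hit unlogged."""
    findings = []
    for line in lines:
        ip, _method, target = line.split(" ", 2)
        cmds = extract_injected_commands(target)
        if cmds:
            hangs = any(w in HANGING_COMMANDS for c in cmds for w in c.lower().split()[:1])
            findings.append((ip, cmds, hangs))
    return findings
```

Run `review_requests(SAMPLE_REQUESTS)` to see only the two injection requests reported, both flagged as hanging because of the `time` command.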