From cklaus@iss.net Tue Jul 2 08:07:18 1996
Received: from phoenix.iss.net (cklaus@phoenix.iss.net [204.241.60.5]) by suburbia.net (8.7.4/Proff-950810) with SMTP id IAA23878 for ; Tue, 2 Jul 1996 08:07:05 +1000
Received: (from cklaus@localhost) by phoenix.iss.net (8.6.13/8.6.12) id SAA13872 for best-of-security@suburbia.net; Mon, 1 Jul 1996 18:06:44 -0400
From: Christopher Klaus
Message-Id: <199607012206.SAA13872@phoenix.iss.net>
Subject: Microsoft Web Server Exploit
To: best-of-security@suburbia.net
Date: Mon, 1 Jul 1996 18:06:44 -0400 (EDT)
Reply-To: cklaus@iss.net
X-Mailer: ELM [version 2.4 PL24 PGP2]
Content-Type: text

Here are the details on how the Microsoft IIS web server is exploited. These were obtained from OMNA's Web Page a few weeks ago and have been widely circulated among the hacker community. We will be adding the information to our Vulnerability Database (www.iss.net) and building the necessary checks into upcoming products.


Microsoft Internet Information Server v 1.0 ".bat" Security Bug

0. Abstract

The .bat and .cmd BUG is well known in the Netscape server and is described in the WWW Security FAQ, Q59. The implementation of this bug (an undocumented remote administration feature) in the Microsoft IIS Web server beats all the top scores.

-----------------------------------------------------------------------
1. Default Configuration

Let's consider a fresh IIS Web server installation where all settings are default:

1) CGI directory is /scripts
2) There are no files abracadabra.bat or abracadabra.cmd in the /scripts directory.
3) IIS Web server maps the .bat and .cmd extensions to cmd.exe. Therefore the registry key
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap
   has the following string:
   .bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s

-----------------------------------------------------------------------
2. Attack

In this case a hacker with malicious intent can send either one of the two command lines to the server:

a) /scripts/abracadabra.bat?&dir+c:\+?&time
b) /scripts/abracadabra.cmd?&dir+c:\+?&time

and the following happens:

1) The browser asks how you want to save the document. Notepad.exe or any other viewer would do for this "type" of application.
2) The browser starts the download session. The download window appears on the screen.
3) The hacker clicks the "Cancel" button on the download window, because the "time" command on the server never terminates.
4) Nothing is logged on the server side by the IIS Web server, because the execution process was not successfully terminated!!! (Thanks to the "time" command.) The only way to see that something happened is to review all your NT security logs. But they do not contain information like REMOTE_IP. Thus the hacker's machine remains fully anonymous.

-----------------------------------------------------------------------
3. Resume

1) IIS Web server allows a hacker to execute his "batch file" by typing
   /scripts/abracadabra.bat?&COMMAND1+?&COMMAND2+?&...+?&COMMANDN
   In a similar situation with the Netscape server, only a single command can be executed.
2) There is no file abracadabra.bat in the /scripts directory, but the .bat extension is mapped to C:\WINNT35\System32\cmd.exe. In a similar situation with the Netscape server, the actual .bat file must exist.
3) In case a hacker enters a command like "time" or "date" as COMMAND[N], nothing will be logged by the IIS Web server. In a similar situation with the Netscape server, the error log will have a record of the remote IP and the command you are trying to execute.

-----------------------------------------------------------------------
4. Workaround

Disable the .BAT and .CMD file extensions for external CGI scripts in the file mapping feature of the IIS Web server.

-----------------------------------------------------------------------
5. Reply from Microsoft

We sent the description of this bug to Microsoft. Here one can see their reply and acknowledgement.

-----------------------------------------------------------------------
NOTE: We have studied the Microsoft bug "fix" and found out that the problem has not been fixed! If one uses a little bit more complicated command string, an arbitrary command on a server can still be effectively executed. And again, nothing will be logged by IIS. We will publish a detailed report on this bug in the near future. In addition, our network security partners recommend avoiding the use of IIS because of an even more severe "purple security bug," which they recently discovered in IIS.


Microsoft Internet Information Server v 1.0 ".bat" Security Bug, Part II.
----------------------------------------------------------------------------
0. Abstract

The .bat and .cmd BUG for Microsoft Internet Information Server is described here. Microsoft claims to have fixed this problem. The patch is available from Microsoft's site. We have studied this patch and found out that the problem has not been fixed! If one uses a little bit more complicated command string, an arbitrary command on a server can still be effectively executed. And again, nothing will be logged by IIS.

-----------------------------------------------------------------------
1. Default Configuration

We will consider the following settings:

1) IIS Web server with the .bat/.cmd patch from Microsoft installed (or IIS downloaded after March 5, 1996).
2) CGI directory is /scripts
3) Consider test.bat in the /scripts directory:

   @echo off
   echo Content-type: text/plain
   echo.
   echo Hello World!

4) IIS Web server maps the .bat and .cmd extensions to cmd.exe. Therefore the registry key
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap
   has the following string:
   .bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s

-----------------------------------------------------------------------
2. Attack

In this case a hacker with malicious intent can send this command line to the server:

/scripts/test.bat+%26dir+%26time+%26abracadabra.exe

with the results described in detail previously. The good news is that now the file test.bat must actually be present in the scripts directory.

-----------------------------------------------------------------------
3. Resume

As long as IIS does not log information about unsuccessful hits, there are ways for hackers to break your entire NT box. I don't want to discuss this matter in more detail, but our network security partners recommend avoiding the use of IIS because of an even more severe "purple security bug," which they recently discovered in IIS.

-----------------------------------------------------------------------
4. Workaround

Disable the .BAT and .CMD file extensions for external CGI scripts in the file mapping feature of the IIS Web server, or don't use .bat or .cmd files as scripts.

-- 
Christopher William Klaus                        Voice: (404)252-7270. Fax: (404)252-2427
Internet Security Systems, Inc.                  "Internet Scanner finds
Ste. 115, 5871 Glenridge Dr, Atlanta, GA 30328    your network security holes
Web: http://iss.net/  Email: cklaus@iss.net       before the hackers do."
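The following Python is an added example, not part of the OMNA advisory and not code from ISS or Microsoft. It models the ScriptMap substitution the advisory quotes (".bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s") to show how both the Part I request ("?&cmd+?&cmd" in the query string) and the Part II request ("%26" separators smuggled inside the path) become multi-command cmd.exe lines, and it flags such requests the way a log reviewer or IDS rule would. It assumes, as my reading rather than anything documented on the page, that IIS URL-decoded both the path and the "+"-separated query before substitution and passed the virtual path to cmd.exe as-is; the sample request lines are constructed.

```python
r"""
Added example (not from the OMNA advisory, ISS or Microsoft).

Model how IIS 1.0's ScriptMap entry
    .bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s
turns a request URL into a cmd.exe command line, and flag requests that
smuggle extra commands through cmd.exe's '&' / '|' separators.

Assumptions (mine, not stated in the advisory): the script path and the
'+'-separated query string are both URL-decoded before substitution, and
the virtual path is passed to cmd.exe as-is rather than mapped to a
physical directory.
"""
import re
from typing import Dict, List
from urllib.parse import unquote_plus

CMD_EXE = r"C:\WINNT35\System32\cmd.exe"   # from the advisory's ScriptMap entry
SCRIPT_EXTS = (".bat", ".cmd")             # extensions the ScriptMap hands to cmd.exe
SEPARATORS = re.compile(r"[&|]")           # cmd.exe command separators
# Interactive prompts that wait on stdin when run non-interactively; the
# advisory observes that IIS never logs a request whose process hangs this way.
NON_TERMINATING = {"time", "date"}


def model_command_line(request: str) -> str:
    """Return the command line 'cmd.exe /c %s %s' would receive for a request URL."""
    path, _, query = request.partition("?")
    return f"{CMD_EXE} /c {unquote_plus(path)} {unquote_plus(query)}".rstrip()


def injected_commands(request: str) -> List[str]:
    """Commands chained after a .bat/.cmd script via '&' or '|'.

    Decodes %XX and '+' first, so the Part II form (separators smuggled
    as %26 inside the path) is caught as well as the Part I form
    ('?&cmd+?&cmd' in the query string). Returns [] when the request
    does not target a .bat/.cmd script or chains nothing after it.
    """
    decoded = unquote_plus(request)
    first, *rest = SEPARATORS.split(decoded)
    # Everything before the first separator is the script reference (plus
    # any query text); drop the query part to test the extension.
    script = first.split("?", 1)[0].strip()
    if not script.lower().endswith(SCRIPT_EXTS):
        return []
    return [c.strip(" ?") for c in rest if c.strip(" ?")]


def suppresses_logging(commands: List[str]) -> bool:
    """True if a chained command is one the advisory says never returns, so IIS logs nothing."""
    return any(c.split()[0].lower() in NON_TERMINATING for c in commands)


def scan(requests: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious request line to the commands it would chain."""
    findings: Dict[str, List[str]] = {}
    for req in requests:
        cmds = injected_commands(req)
        if cmds:
            findings[req] = cmds
    return findings


# Constructed sample of request paths, as they might appear in a proxy or web log.
SAMPLE_REQUESTS = [
    "/scripts/test.bat",                                    # legitimate CGI call
    "/scripts/test.bat?name=bob",                           # legitimate call with a query
    "/scripts/abracadabra.bat?&dir+c:\\+?&time",            # Part I (script need not exist)
    "/scripts/abracadabra.cmd?&dir+c:\\+?&time",            # Part I, .cmd variant
    "/scripts/test.bat+%26dir+%26time+%26abracadabra.exe",  # Part II (post-patch form)
    "/scripts/foo.exe?&dir",                                # not a .bat/.cmd script
]

if __name__ == "__main__":
    for req, cmds in scan(SAMPLE_REQUESTS).items():
        print(req)
        print("  cmd line :", model_command_line(req))
        print("  chained  :", cmds)
        print("  unlogged :", suppresses_logging(cmds))
```

Running the block reports the three exploit requests and, for each, the reconstructed cmd.exe line, the chained commands, and whether a hanging "time"/"date" would keep the hit out of the IIS log; the two legitimate .bat calls and the .exe request produce nothing. Splitting on the decoded separators rather than matching the literal "?&" is what lets one check cover both the original and the post-patch encoding.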