
Re: IIS - .CMD/.BAT Patch Provides Security Enhancements to II



> Date: Fri, 1 Mar 1996 21:44:18 -0800
> X-Mailer:  Microsoft Exchange Server Internet Mail Connector Version 4.12.736
> Encoding: 38 TEXT
> Sender: owner-www-security@ns2.Rutgers.EDU
> Precedence: bulk
> Errors-To: owner-www-security@ns2.Rutgers.EDU

> Subject: IIS  - .CMD/.BAT Patch Provides Security Enhancements to IIS 
> 
> Internet Information Server (IIS) 
> .CMD/.BAT Patch Provides Security Enhancements to IIS 
> 
> On Sunday, 2/25, Microsoft was alerted to a newsgroup posting regarding
> a security exposure, the ".CMD/.BAT Bug", whereby a complicated string
> of command line commands could be sent to IIS via a web browser and
> executed on the server.  
>
>[...]
>
> It turns out that this problem is not unique to IIS...similar problems
> exist with other NT web servers.  As a result, the Microsoft Developer
> Relations group is in the process of notifying these vendors about the
> problem and providing guidance so that they can address it where
> appropriate.
> The Internet Server Team

    Some, but not *all*, NT servers are similarly vulnerable. Chris Adie, who
wrote the EMWAC code upon which Process Software's Purveyor is based,
anticipated this attack long ago, and blocked it in the CGI processing code.

    I myself independently thought of this attack about a year ago (soon after
joining Process) and was pleasantly surprised to find that it was already
dealt with in our code.

    I also anticipated and blocked the 'perl -s' attack at about the same time.

    The following NT servers are said to be vulnerable to the .CMD/.BAT
attack: Microsoft IIS, Netscape (all NT versions), and O'Reilly Website. As
far as I know, Process Software's Purveyor is the only one immune, though
I have full confidence that the other vendors will block this hole quickly.

The general form of this attack involves finding a way in which a call to a
CGI interpreter (whether the DOS shell, the perl interpreter, or a Unix
shell (one of the IBM servers is vulnerable through this)) can be fed extra
commands for that interpreter which are executed after or instead of the 
desired CGI script. This is an old hole, one exploited many times in the
past in other contexts - developers of firewall software have long been
aware of it. In general, a program should regard any requests it receives from
untrusted users with extreme paranoia, and check to ensure they contain
nothing which is unexpected.

Peter Trei
Senior Software Engineer
Purveyor Development Team                                
Process Software Corporation
http://www.process.com
trei@process.com
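
The closing paragraph of the post describes the defensive rule (treat every untrusted request with paranoia and reject anything unexpected) without showing what such a check looks like. The following is an added example, not code from the post, from Purveyor or from any of the servers named; it is a small Python validator for the CGI layer that decodes the request the way the interpreter would see it, refuses shell metacharacters, refuses interpreter-switch-style arguments (the 'perl -s' case), and only dispatches allow-listed script names. ALLOWED_SCRIPTS, SHELL_META and the sample requests are constructed values.

```python
from urllib.parse import unquote

# Constructed example values (not from the post): the only scripts the server is
# willing to hand to an interpreter, and the characters cmd.exe or a Unix shell
# would treat as separators, redirections, expansions, quoting or line breaks.
ALLOWED_SCRIPTS = {"search.bat", "form.cmd", "count.pl"}
SHELL_META = set('&|<>^;`$()"\'%\n\r\x00')


class RejectedRequest(ValueError):
    """Raised when a request contains anything the CGI layer did not expect."""


def cgi_argv(script_path, query_string):
    """Return [script, arg, ...] for the interpreter, or raise RejectedRequest.

    Every check runs *after* URL decoding, because the decoded form is what
    the interpreter would actually receive on its command line.
    """
    script = unquote(script_path).lower()
    # 1. Script must be a bare, allow-listed file name: no path separators, so
    #    the request cannot point the interpreter at some other executable.
    if "/" in script or "\\" in script or script not in ALLOWED_SCRIPTS:
        raise RejectedRequest("script not permitted: %r" % script)
    # 2. Decode the query the way the server would before building a command
    #    line, then refuse it outright if any shell metacharacter survives.
    decoded = unquote(query_string.replace("+", " "))
    bad = sorted(set(decoded) & SHELL_META)
    if bad:
        raise RejectedRequest("shell metacharacters in query: %r" % bad)
    # 3. Refuse arguments that look like interpreter switches, so a client can
    #    only feed the interpreter data, never reconfigure it ('perl -s').
    #    A length cap is a cheap extra sanity limit.
    args = decoded.split()
    for arg in args:
        if arg[0] in "-/" or len(arg) > 64:
            raise RejectedRequest("argument refused: %r" % arg)
    return [script] + args


def is_safe_request(script_path, query_string):
    """Boolean wrapper, convenient for logging a rejection without raising."""
    try:
        cgi_argv(script_path, query_string)
        return True
    except RejectedRequest:
        return False
```

A server would call cgi_argv() and spawn the interpreter with the returned list directly (no shell string building), logging every RejectedRequest as a probe.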