Microsoft Internet Information Server abracadabra.bat bug

Summary
Description:abracadabra.{bat,cmd} are insecure CGIs
Author:www.omna.com
Compromise:Execute arbitrary commands on the remote IIS Server
Vulnerable Systems:Microsoft IIS http server v.1.0, 2.0b
Date:June 1996
Details

Exploit:


                Microsoft Internet Information Server v 1.0
                            ".bat" Security Bug

                                   0. Abstract

     .bat and .cmd BUG is well-known in Netscape server and described in WWW
     security FAQ Q59. Implementation of this bug (undocumented remote
     administration feature) in MicroSoft IIS Web server beats the all top
     scores.

     -----------------------------------------------------------------------

                            1. Default Configuration

     Let's consider fresh IIS Web server installation where all settings are
     default:

     1) CGI directory is /scripts

     2) There are no files abracadabra.bat or abracadabra.cmd in the
     /scripts directory.

     3) IIS Web server maps .bat and .cmd extensions to cmd.exe. Therefore
     registry key

     HKEY_LOCAL_MACHINE\
     SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap

     has the following string:

     .bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s

     -----------------------------------------------------------------------

                                    2. Attack

     In this case a hacker with a malicious intent can send either one of
     the two command lines to the server:
          a) /scripts/abracadabra.bat?&dir+c:\+?&time
          b) /scripts/abracadabra.cmd?&dir+c:\+?&time
     and the following happens:

     1) Browser asks how you want to save a document. Notepad.exe or any
     other viewer would do for this "type" of application.

     2) Browser starts the download session. The download window appears on
     the screen.

     3) The hacker clicks the "cancel" button on the download window,
     because the "time" command on the server never terminates.

     4) Nothing is logged on the server side by the IIS Web server, because
     the execution process was not successfully terminated!!! (Thanks to the
     "time" command.) The only way to see that something happened is to
     review all your NT security logs. But they do not contain information
     like REMOTE_IP. Thus the hacker's machine remains fully anonymous.

     -----------------------------------------------------------------------

                                    3. Resume

     1) IIS Web server allows a hacker to execute his "batch file" by typing
     /scripts/abracadabra.bat?&COMMAND1+?&COMMAND2+?&...+?&COMMANDN
     In a similar situation with the Netscape server, only single command
     can be executed.

     2) There is no file abracadabra.bat in /scripts directory, but .bat
     extension is mapped to C:\WINNT35\System32\cmd.exe
     In a similar situation with the Netscape server, actual .bat file must
     exist.

     3) In case a hacker enters a command like "time" or "date" as
     COMMAND[N], nothing will be logged by IIS Web server.
     In a similar situation with the Netscape server, the error log will
     have a record about remote IP and command you trying to execute.

     -----------------------------------------------------------------------

                                  4. Workaround

     Disable .BAT and .CMD file extensions for external CGI scripts in file
     mapping feature of IIS Web server.

     -----------------------------------------------------------------------

                             5. Reply from MicroSoft

     We sent the description of this bug to MicroSoft. Here one can see
     their reply and acknowledgement.

     -----------------------------------------------------------------------
     NOTE:

     We have studied MicroSoft bug "fix" and found out that the problem has
     not been fixed! If one uses a little bit more complicated command
     string, an arbitrary command on a server can be still effectively
     executed. And again, nothing will be logged by IIS. We will publish a
     detailed report on this bug in the nearest future.

     In addition, our network security partners recommend to avoid the usage
     of IIS because of an even more severe "purple security bug," wich they
     recently have discovered in IIS.





                Microsoft Internet Information Server v 1.0
                       ".bat" Security Bug, Part II.

----------------------------------------------------------------------------

                                   0. Abstract

     .bat and .cmd BUG for Microsoft Internet Information Server is
     described here . Microsoft claims to fix this problem. The patch is
     available from the Microsoft's site. We have studied this patch and
     found out that the problem has not been fixed! If one uses a little bit
     more complicated command string, an arbitrary command on a server can
     be still effectively executed. And again, nothing will be logged by
     IIS.

     -----------------------------------------------------------------------

                            1. Default Configuration

     We will consider the following settings:

     1) IIS Web server with the .bat/.cmd patch from Microsoft installed.
     (or IIS downloaded after March 5, 1996)

     2) CGI directory is /scripts

     3) Consider test.bat in the /scripts directory:
          @echo off
          echo Content-type: text/plain
          echo.
          echo Hello World!

     4) IIS Web server maps .bat and .cmd extensions to cmd.exe. Therefore
     registry key

     HKEY_LOCAL_MACHINE\
     SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap

     has the following string:

     .bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s

     -----------------------------------------------------------------------

                                    2. Attack

     In this case a hacker with a malicious intent can send this command
     line to the server:
          /scripts/test.bat+%26dir+%26time+%26abracadabra.exe
     with the results described in details previously .

     The good news is that now file test.bat must be actually present in
     scripts directory.

                                    3. Resume

     As long as IIS does not log information about unsuccessful hits there
     are the ways for hackers to break your entire NT box. I don't want to
     discuss this matter in more details, but our network security partners
     recommend to avoid the usage of IIS because of an even more severe
     "purple security bug," which they recently have discovered in IIS.

                                  4. Workaround

     Disable .BAT and .CMD file extensions for external CGI scripts in file
     mapping feature of IIS Web server or don't use .bat or .cmd files as a
     scripts.




More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]