Microsoft Internet Information Server abracadabra.bat bug
Description: abracadabra.{bat,cmd} are insecure CGIs
Author: www.omna.com
Compromise: Execute arbitrary commands on the remote IIS Server
Vulnerable Systems: Microsoft IIS http server v.1.0, 2.0b
Date: June 1996
Exploit:
Microsoft Internet Information Server v 1.0
".bat" Security Bug
0. Abstract
The .bat and .cmd bug is well known in the Netscape server and is
described in the WWW Security FAQ, Q59. The implementation of this bug
(an undocumented remote administration feature) in the MicroSoft IIS Web
server beats all top scores.
-----------------------------------------------------------------------
1. Default Configuration
Let's consider fresh IIS Web server installation where all settings are
default:
1) CGI directory is /scripts
2) There are no files abracadabra.bat or abracadabra.cmd in the
/scripts directory.
3) IIS Web server maps .bat and .cmd extensions to cmd.exe. Therefore
the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap
has the following string:
.bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s
-----------------------------------------------------------------------
2. Attack
In this case a hacker with a malicious intent can send either one of
the two command lines to the server:
a) /scripts/abracadabra.bat?&dir+c:\+?&time
b) /scripts/abracadabra.cmd?&dir+c:\+?&time
and the following happens:
1) The browser asks how you want to save the document. Notepad.exe or any
other viewer would do for this "type" of application.
2) The browser starts the download session. The download window appears
on the screen.
3) The hacker clicks the "cancel" button on the download window,
because the "time" command on the server never terminates.
4) Nothing is logged on the server side by the IIS Web server, because
the execution process was not successfully terminated (thanks to the
"time" command). The only way to see that something happened is to
review all your NT security logs. But they do not contain information
like REMOTE_IP. Thus the hacker's machine remains fully anonymous.
-----------------------------------------------------------------------
3. Resume
1) IIS Web server allows a hacker to execute his "batch file" by typing
/scripts/abracadabra.bat?&COMMAND1+?&COMMAND2+?&...+?&COMMANDN
In a similar situation with the Netscape server, only a single command
can be executed.
2) There is no file abracadabra.bat in the /scripts directory, but the
.bat extension is mapped to C:\WINNT35\System32\cmd.exe
In a similar situation with the Netscape server, the actual .bat file
must exist.
3) In case a hacker enters a command like "time" or "date" as
COMMAND[N], nothing will be logged by the IIS Web server.
In a similar situation with the Netscape server, the error log will
have a record of the remote IP and the command you are trying to
execute.
-----------------------------------------------------------------------
4. Workaround
Disable the .BAT and .CMD file extensions for external CGI scripts in
the file mapping feature of the IIS Web server.
-----------------------------------------------------------------------
5. Reply from MicroSoft
We sent the description of this bug to MicroSoft. Here one can see
their reply and acknowledgement.
-----------------------------------------------------------------------
NOTE:
We have studied MicroSoft's bug "fix" and found out that the problem has
not been fixed! If one uses a little bit more complicated command
string, an arbitrary command on a server can still be effectively
executed. And again, nothing will be logged by IIS. We will publish a
detailed report on this bug in the near future.
In addition, our network security partners recommend avoiding the use
of IIS because of an even more severe "purple security bug," which they
recently discovered in IIS.
Microsoft Internet Information Server v 1.0
".bat" Security Bug, Part II.
----------------------------------------------------------------------------
0. Abstract
The .bat and .cmd bug for Microsoft Internet Information Server is
described here. Microsoft claims to have fixed this problem. The patch is
available from Microsoft's site. We have studied this patch and found
out that the problem has not been fixed! If one uses a little bit more
complicated command string, an arbitrary command on a server can still
be effectively executed. And again, nothing will be logged by IIS.
-----------------------------------------------------------------------
1. Default Configuration
We will consider the following settings:
1) IIS Web server with the .bat/.cmd patch from Microsoft installed.
(or IIS downloaded after March 5, 1996)
2) CGI directory is /scripts
3) Consider test.bat in the /scripts directory:
@echo off
echo Content-type: text/plain
echo.
echo Hello World!
4) IIS Web server maps .bat and .cmd extensions to cmd.exe. Therefore
the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap
has the following string:
.bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s
-----------------------------------------------------------------------
2. Attack
In this case a hacker with a malicious intent can send this command
line to the server:
/scripts/test.bat+%26dir+%26time+%26abracadabra.exe
with the results described in detail previously.
The good news is that now the file test.bat must actually be present in
the /scripts directory.
3. Resume
As long as IIS does not log information about unsuccessful hits, there
are ways for hackers to break your entire NT box. I don't want to
discuss this matter in more detail, but our network security partners
recommend avoiding the use of IIS because of an even more severe
"purple security bug," which they recently discovered in IIS.
4. Workaround
Disable the .BAT and .CMD file extensions for external CGI scripts in
the file mapping feature of the IIS Web server, or don't use .bat or
.cmd files as scripts.
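A defender-side check for the two advisory parts above, added here as an example and not part of the original advisory: it flags ScriptMap entries that hand .bat/.cmd to cmd.exe (the mappings the workaround says to disable) and flags request paths shaped like the two quoted in the advisory, where a .bat/.cmd target is followed by '&'-separated commands, literal or %26-encoded. The ScriptMap entries and request lines are constructed sample data.

```python
"""Checks for the IIS 1.0/2.0b .bat/.cmd ScriptMap issue (added example).

scriptmap_risks(): which extensions a ScriptMap export hands to cmd.exe.
is_bat_injection(): does a request to a .bat/.cmd script carry extra
'&'-separated commands, the shape the advisory describes for both parts.
"""
import re
from urllib.parse import unquote

# Constructed ScriptMap export, one "ext=handler" line per mapping, in the
# form the advisory quotes (the advisory writes ".bat or .cmd=" as shorthand).
SCRIPTMAP = [
    r".bat=C:\WINNT35\System32\cmd.exe /c %s %s",
    r".cmd=C:\WINNT35\System32\cmd.exe /c %s %s",
    r".pl=C:\perl\bin\perl.exe %s %s",
]


def scriptmap_risks(entries):
    """Return the .bat/.cmd extensions whose handler is cmd.exe."""
    risky = []
    for entry in entries:
        ext, _, handler = entry.partition("=")
        if ext.lower() in (".bat", ".cmd") and "cmd.exe" in handler.lower():
            risky.append(ext.lower())
    return risky


def is_bat_injection(request_path):
    """True if the request targets a .bat/.cmd script and anything after the
    script name contains '&' (IIS passes it on to cmd.exe /c, so any '&'
    reaching a batch target is treated as a command separator)."""
    decoded = unquote(request_path)  # %26 -> '&', so both shapes match
    target = re.split(r"[?+&\s]", decoded, maxsplit=1)[0]
    if not target.lower().endswith((".bat", ".cmd")):
        return False
    return "&" in decoded[len(target):]


# Constructed request lines: the two shapes quoted in the advisory plus
# two benign ones.
REQUESTS = [
    "/scripts/abracadabra.bat?&dir+c:\\+?&time",            # Part I shape
    "/scripts/test.bat+%26dir+%26time+%26abracadabra.exe",   # Part II shape
    "/scripts/test.bat?name=value",                          # ordinary query
    "/scripts/hello.pl?&dir",                                # not a batch target
]

if __name__ == "__main__":
    print("risky mappings:", scriptmap_risks(SCRIPTMAP))
    for req in REQUESTS:
        print(is_bat_injection(req), req)
```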
This page is part of Fyodor's exploit world.