DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  IIS


SYSTEMS AFFECTED

  Systems running IIS v1.0

  

PROBLEM


    The .bat and .cmd bug is well known in the Netscape server and is
    described in the WWW Security FAQ, Q59. The implementation of this
    bug (an undocumented remote administration feature) in the Microsoft
    IIS Web server beats all the top scores.

    Consider a fresh IIS Web server installation where all settings are
    default:

        1) The CGI directory is /scripts.

        2) There are no files abracadabra.bat or abracadabra.cmd in the
           /scripts directory.

        3) The IIS Web server maps the .bat and .cmd extensions to
           cmd.exe.

    Therefore the registry key

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap

    contains the following string:

        .bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s

    In this case a hacker with malicious intent can send either of the
    following two request lines to the server:

        a) /scripts/abracadabra.bat?&dir+c:\+?&time
        b) /scripts/abracadabra.cmd?&dir+c:\+?&time

    and the following happens:

        1) The browser asks how you want to save the document. Notepad.exe
           or any other viewer will do for this "type" of application.

        2) The browser starts the download session and the download
           window appears on the screen.

        3) The hacker clicks the "Cancel" button on the download window,
           because the "time" command on the server never terminates.

        4) Nothing is logged on the server side by the IIS Web server,
           because the execution process was never successfully
           terminated (thanks to the "time" command). The only way to
           see that something happened is to review all your NT security
           logs, but they do not contain information like REMOTE_IP, so
           the hacker's machine remains fully anonymous.

    To summarize:

        1) The IIS Web server allows a hacker to execute his "batch file"
           by requesting

           /scripts/abracadabra.bat?&COMMAND1+?&COMMAND2+?&...+?&COMMANDN

           In the similar situation with the Netscape server, only a
           single command can be executed.

        2) There is no file abracadabra.bat in the /scripts directory,
           but the .bat extension is mapped to C:\WINNT35\System32\cmd.exe.
           In the similar situation with the Netscape server, an actual
           .bat file must exist.

        3) If a hacker enters a command like "time" or "date" as
           COMMAND[N], nothing will be logged by the IIS Web server. In
           the similar situation with the Netscape server, the error log
           will have a record of the remote IP and the command being
           executed.

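    The request pattern described above is also what a defender can look
    for in the Web server's access log. The following Python script is an
    added illustration, not part of the original advisory: it parses a few
    constructed log lines (NCSA common log format is assumed here; the IIS
    1.0 log layout may differ) and flags any request that names a .bat or
    .cmd file, under any directory rather than only /scripts, together with
    an '&'-separated query string. It cannot close the gap the advisory
    points out: a request whose command never terminates produces no log
    entry at all, so log review is a partial control and the registry
    change in the SOLUTION section is the one that matters.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample log lines in NCSA common log format. This is not real
# IIS 1.0 output; the field layout is an assumption made for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/1996:10:00:00 +0000] "GET /index.htm HTTP/1.0" 200 1024
10.0.0.9 - - [01/Jan/1996:10:00:02 +0000] "GET /scripts/abracadabra.bat?&dir+c:\\+?&time HTTP/1.0" 200 0
10.0.0.9 - - [01/Jan/1996:10:00:03 +0000] "GET /scripts/abracadabra.cmd?&dir+c:\\+?&time HTTP/1.0" 200 0
10.0.0.7 - - [01/Jan/1996:10:00:04 +0000] "GET /scripts/report.bat HTTP/1.0" 200 512
10.0.0.8 - - [01/Jan/1996:10:00:05 +0000] "GET /scripts/search.exe?q=test HTTP/1.0" 200 300
"""

# client IP, two ignored fields, [timestamp], "METHOD target [version]", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Extensions the advisory says are mapped straight to cmd.exe.
SHELL_EXTENSIONS = (".bat", ".cmd")


def is_scriptmap_abuse(target: str) -> bool:
    """True when the request target is the advisory's pattern: a path ending
    in .bat or .cmd plus a query string carrying '&'-separated commands.
    The file named in the path need not exist, so the check deliberately
    looks at the request alone, not at the filesystem."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    if not path.endswith(SHELL_EXTENSIONS):
        return False
    # A plain request for an existing batch file has no query; the abuse
    # pattern always carries one with '&' in it.
    return "&" in unquote(parts.query)


def find_scriptmap_abuse(log_text: str) -> list:
    """Return (client_ip, decoded_target) for every suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_scriptmap_abuse(m.group("target")):
            hits.append((m.group("ip"), unquote(m.group("target"))))
    return hits


if __name__ == "__main__":
    for ip, target in find_scriptmap_abuse(SAMPLE_LOG):
        print(f"script-map abuse from {ip}: {target}")
```

    On the constructed sample, only the two requests from 10.0.0.9 are
    reported; the plain request for report.bat and the search.exe query
    are not, because neither matches the extension-plus-query shape.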

EXPLOIT

  

SOLUTION


    Microsoft has made a patch available. You can also disable the .CMD
    and .BAT file mapping (MIME mapping) so that the NT command
    interpreter will not act on them. Do this manually with REGEDT32.EXE,
    which can be started from Start Button | Run. Under

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Script Map

    delete the entries which start with '.BAT' and '.CMD', and then
    restart IIS. You can get the patch from:

        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/IIS/fixes/cmdbat/
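    The manual REGEDT32 step above can be checked and scripted against an
    export of the Script Map key. The following Python is an added example,
    not part of the advisory or of any Microsoft tool: it parses a
    constructed REGEDIT4-style export of the key (the .bat and .cmd value
    data is the mapping quoted in the advisory; the extra .pl entry is an
    assumption added to show that unrelated mappings survive), lists every
    extension that hands requests to cmd.exe, and produces the export with
    those entries removed so the result can be reviewed before it is
    applied.

```python
import re

# Constructed export of the Script Map key, in the REGEDIT4 text format
# (backslashes doubled, values as "name"="data"). Not taken from a real
# server; the .pl entry is an assumption for this example.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Script Map]
".bat"="C:\\WINNT35\\System32\\cmd.exe /c %s %s"
".cmd"="C:\\WINNT35\\System32\\cmd.exe /c %s %s"
".pl"="C:\\Perl\\bin\\perl.exe %s %s"
"""

# One "name"="data" line of the export.
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

# The entries the advisory says to delete.
RISKY_EXTENSIONS = (".bat", ".cmd")


def parse_script_map(reg_text: str) -> dict:
    """Return {extension: handler command line}, undoing the doubled
    backslashes that .reg files use for string data."""
    mappings = {}
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            mappings[m.group("name")] = m.group("data").replace("\\\\", "\\")
    return mappings


def audit_script_map(reg_text: str) -> list:
    """List the extensions that route requests to the command interpreter:
    the .bat/.cmd entries from the advisory, plus any other extension whose
    handler is cmd.exe (a renamed mapping would be just as dangerous)."""
    findings = []
    for ext, command in parse_script_map(reg_text).items():
        if ext.lower().startswith(RISKY_EXTENSIONS) or "cmd.exe" in command.lower():
            findings.append(ext)
    return findings


def harden_script_map(reg_text: str) -> str:
    """Return the export with the offending entries dropped. Importing the
    result does not delete values by itself; it is meant for review, with
    the deletion still done in REGEDT32 followed by an IIS restart."""
    bad = {ext.lower() for ext in audit_script_map(reg_text)}
    kept = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m and m.group("name").lower() in bad:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    print("risky mappings:", audit_script_map(SAMPLE_EXPORT))
    print(harden_script_map(SAMPLE_EXPORT))
```

    On the constructed export the audit reports .bat and .cmd, and the
    hardened text keeps only the .pl mapping. The audit flags by handler
    as well as by extension, so a mapping that points some other extension
    at cmd.exe is caught too, which goes slightly beyond the two names the
    advisory lists.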