COMMAND

    Microsoft Internet Information Server v1.0

SYSTEMS AFFECTED

    Systems running IIS v1.0

PROBLEM


    The .bat and .cmd bug is well known in the Netscape server and  is
    described in the WWW Security FAQ, Q59.  The implementation of this
    bug (an undocumented remote administration feature) in the Microsoft
    IIS Web server beats all previous top scores.

    Let's consider a fresh IIS Web server installation where all
    settings are default:

        1) CGI directory is /scripts

        2) There  are no  files abracadabra.bat  or abracadabra.cmd in
           the /scripts directory.

        3) IIS Web server maps .bat and .cmd extensions to cmd.exe.

    Therefore the registry key

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap

    contains the following string:

        .bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s

    In this case a hacker with malicious intent can send either one of
    the following two request lines to the server:

        a) /scripts/abracadabra.bat?&dir+c:\+?&time
        b) /scripts/abracadabra.cmd?&dir+c:\+?&time

    and the following happens:

        1) The browser asks how you want to save the document.  Notepad.exe
           or any other viewer will do for this "type" of application.

        2) The browser starts the download session.  The download window
           appears on the screen.

        3) The hacker clicks the "cancel" button on the download window,
           because the "time" command on the server never terminates.

        4) Nothing is logged on the server side by the IIS Web server,
           because the execution process was not successfully terminated!!!
           (Thanks to the "time" command.)  The only way to see that
           something happened is to review all your NT security logs,
           but they do not contain information such as REMOTE_IP.  Thus
           the hacker's machine remains fully anonymous.

    Let's summarize:

        1) The IIS Web server allows a hacker to execute his "batch file"
           by typing

           /scripts/abracadabra.bat?&COMMAND1+?&COMMAND2+?&...+?&COMMANDN

           In the same situation with the Netscape server, only a single
           command can be executed.

        2) There is no file abracadabra.bat in the /scripts directory,
           but the .bat extension is mapped to C:\WINNT35\System32\cmd.exe.
           In the same situation with the Netscape server, an actual
           .bat file must exist.

        3) If a hacker enters a command like "time" or "date" as
           COMMAND[N], nothing will be logged by the IIS Web server.
           In the same situation with the Netscape server, the error
           log will have a record of the remote IP and the command you
           were trying to execute.
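
    The request shape summarized above can be recognized in any HTTP log
    that records the full request target, for example a proxy or packet
    capture in front of the server, which matters because the advisory
    notes that IIS itself logs nothing once the trailing "time" or "date"
    command hangs.  The following Python script is an added example and
    is not part of the original advisory; the log lines it scans are
    constructed for illustration, and the Common Log Format layout is an
    assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Common Log Format (not taken from the
# advisory); the first and third lines carry the ".bat?&COMMAND" shape it
# describes, the others are ordinary requests that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/1996:10:01:02 +0000] "GET /scripts/abracadabra.bat?&dir+c:\\+?&time HTTP/1.0" 200 0
10.0.0.6 - - [20/Mar/1996:10:02:11 +0000] "GET /index.htm HTTP/1.0" 200 1204
10.0.0.7 - - [20/Mar/1996:10:03:44 +0000] "GET /scripts/report.cmd?&date HTTP/1.0" 200 0
10.0.0.8 - - [20/Mar/1996:10:04:01 +0000] "GET /scripts/query.exe?name=bob HTTP/1.0" 200 512
10.0.0.9 - - [20/Mar/1996:10:05:30 +0000] "GET /scripts/upper.bat HTTP/1.0" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Extensions the advisory says IIS 1.0 maps to cmd.exe.
BATCH_EXT = re.compile(r"\.(bat|cmd)$", re.IGNORECASE)
# Commands the advisory names as never terminating, which is what keeps
# the request out of the IIS log.
HANGING_COMMANDS = {"time", "date"}


def split_commands(query):
    """Split a query of the form '&CMD1+?&CMD2' (the shape quoted in the
    advisory) into decoded command strings; '+' stands for a space."""
    parts = [p for p in re.split(r"\?*&", query) if p]
    return [unquote(p.replace("+", " ")).strip() for p in parts]


def scan_log(text):
    """Return one finding per request to a .bat/.cmd target whose query
    carries an '&'-separated command list."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        if not BATCH_EXT.search(path) or "&" not in query:
            continue
        commands = split_commands(query)
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "path": path,
            "commands": commands,
            # A time/date command is the log-evasion trick from the advisory.
            "hangs_logging": any(c.split()[0].lower() in HANGING_COMMANDS
                                 for c in commands if c),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = " (log-evading)" if f["hangs_logging"] else ""
        print(f'{f["timestamp"]} {f["ip"]} {f["path"]} -> {f["commands"]}{flag}')
```

    A plain request for a .bat or .cmd file without a command list (the
    last sample line) is deliberately left alone; on a patched server
    that is an ordinary CGI call, while the "?&" form has no legitimate
    use and is worth an alert on its own.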


SOLUTION

    MS has made a patch available.  You can also disable the .CMD and
    .BAT file mapping (MIME mapping) so that the NT Command Interpreter
    will not act on them.  Do this manually using REGEDT32.EXE, which
    can be started from the Start Button | Run.  Under

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Script Map

    delete the keys which start with '.BAT' and '.CMD', and then
    restart IIS.  You can get the patch from:

        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/IIS/fixes/cmdbat/
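
    To verify the workaround across several servers rather than by eye in
    REGEDT32, the Script Map key can be exported and audited for any
    mapping that hands requests to a command interpreter.  The following
    Python script is an added example, not part of the advisory or of
    Microsoft's patch; it assumes a REGEDIT4-style text export of the
    key, the export text itself is constructed for illustration, and the
    "name"=- removal syntax it emits is the REGEDIT4 way to delete a
    value.

```python
import re

# Key path as given in the advisory's SOLUTION section.
SCRIPT_MAP_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Script Map"
)

# Constructed REGEDIT4-style export of that key (an assumed format; the
# value names and data are illustrative, not copied from a real server).
# The .bat/.cmd lines reproduce the mapping the advisory quotes.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Script Map]
".bat"="C:\\WINNT35\\System32\\cmd.exe /c %s %s"
".cmd"="C:\\WINNT35\\System32\\cmd.exe /c %s %s"
".pl"="C:\\Perl\\bin\\perl.exe %s %s"
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Interpreters that turn a script mapping into direct command execution.
SHELL_INTERPRETERS = {"cmd.exe", "command.com"}


def parse_reg_export(text):
    """Return {key_path: {value_name: data}} from REGEDIT4-style text;
    a doubled backslash in data is unescaped back to a single one."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data").replace("\\\\", "\\")
    return keys


def interpreter_of(mapping):
    """Base name of the program a mapping runs, lower-cased; a quoted
    first token (path with spaces) is handled as well."""
    mapping = mapping.strip()
    if mapping.startswith('"'):
        exe = mapping[1:].split('"', 1)[0]
    else:
        exe = mapping.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_script_map(key_path):
    # Accept both spellings used in the advisory ("ScriptMap" / "Script Map").
    return key_path.lower().replace(" ", "").endswith(r"\parameters\scriptmap")


def find_shell_mappings(keys):
    """List (value_name, data) pairs under the Script Map key whose
    program is a command interpreter."""
    return [
        (name, data)
        for key_path, values in keys.items() if is_script_map(key_path)
        for name, data in values.items()
        if interpreter_of(data) in SHELL_INTERPRETERS
    ]


def removal_fragment(key_path, names):
    """REGEDIT4 fragment deleting the named values ('"name"=-' removes a
    value); IIS still has to be restarted afterwards, as the advisory says."""
    lines = ["REGEDIT4", "", f"[{key_path}]"] + [f'"{n}"=-' for n in names]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = find_shell_mappings(parse_reg_export(SAMPLE_REG))
    for name, data in flagged:
        print(f"{name} -> {data}")
    print(removal_fragment(SCRIPT_MAP_KEY, [n for n, _ in flagged]))
```

    The check keys on the interpreter rather than on the literal names
    ".BAT" and ".CMD", so a mapping that was renamed but still routes to
    cmd.exe is caught as well; the Perl mapping in the sample passes
    because it only runs a script that actually has to exist on disk.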