COMMAND
Microsoft Internet Information Server v1.0
SYSTEMS AFFECTED
Systems running IIS v1.0
PROBLEM
The .bat and .cmd bug in Microsoft Internet Information Server is
described here. "Microsoft claims to fix this problem. The patch
is available from Microsoft's site. We have studied this
patch and found out that the problem has not been fixed! If one
uses a little bit more complicated command string, an arbitrary
command on a server can still be effectively executed. And again,
nothing will be logged by IIS."
We will consider the following settings:
1) IIS Web server with the .bat/.cmd patch from Microsoft
installed (or IIS downloaded after March 5, 1996).
2) CGI directory is /scripts
3) Consider test.bat in the /scripts directory:
    @echo off
    echo Content-type: text/plain
    echo.
    echo Hello World!
4) IIS Web server maps .bat and .cmd extensions to cmd.exe.
Therefore the registry key
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap
has the following string:
    .bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s
In this case an attacker can send this request to the server:
    /scripts/test.bat+%26dir+%26time+%26abracadabra.exe
with the results described in detail previously (see #1): %26
decodes to '&', which cmd.exe treats as a command separator, so
the commands appended after test.bat are executed as well.
The good news is that now the file test.bat must actually be
present in the /scripts directory.
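Because IIS itself logs nothing for these requests, the place to catch them is a proxy, packet capture or any other log that sees the raw request line. The following is an added example, not part of the original advisory: it decodes a request target the way IIS does (one layer of URL decoding, '+' to space), checks whether the script carries a .bat/.cmd extension, and flags cmd.exe metacharacters after it. The sample log lines are constructed.

```python
import re
from urllib.parse import unquote_plus

# Extensions that the ScriptMap key hands to "cmd.exe /c %s %s".
CMD_EXTENSIONS = (".bat", ".cmd")
# cmd.exe separators/redirections that chain a second command.
SHELL_METACHARS = re.compile(r"[&|<>]")
# Extracts the request target from a Common Log Format line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')

# Constructed sample log lines; the second carries the advisory's request.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Mar/1996:10:00:00 +0000] "GET /scripts/test.bat HTTP/1.0" 200 13',
    '10.0.0.5 - - [06/Mar/1996:10:00:05 +0000] "GET /scripts/test.bat+%26dir+%26time+%26abracadabra.exe HTTP/1.0" 200 1402',
    '10.0.0.9 - - [06/Mar/1996:10:01:00 +0000] "GET /index.htm HTTP/1.0" 200 2048',
]


def cmd_injection_risk(target):
    """Return (is_risky, reason) for a request target such as
    '/scripts/test.bat+%26dir+%26time+%26abracadabra.exe'.

    One decoding pass mirrors what IIS does before substituting the
    path into the ScriptMap command line; '%26' becomes '&'.
    """
    decoded = unquote_plus(target)
    # Script path ends at the first whitespace, '?' or metacharacter.
    m = re.match(r"^([^\s?&|<>]*)(.*)$", decoded, re.DOTALL)
    script, rest = m.group(1), m.group(2)
    if not script.lower().endswith(CMD_EXTENSIONS):
        return False, "not a .bat/.cmd script"
    if SHELL_METACHARS.search(rest):
        return True, "cmd.exe metacharacter after %s: %r" % (script, rest.strip())
    return False, "no shell metacharacters"


def scan_log(lines):
    """Return [(line_no, target, reason)] for every risky request line."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        risky, reason = cmd_injection_risk(m.group(1))
        if risky:
            hits.append((line_no, m.group(1), reason))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("line %d: %s (%s)" % hit)
```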
SOLUTION
Microsoft has made a patch available. You can also disable the .CMD
and .BAT file mapping (MIME mapping) so that the NT command
interpreter will not act on them. Do this manually with REGEDT32.EXE,
which can be started from the Start button | Run. Under
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap
delete the entries whose names start with '.BAT' and '.CMD', then
restart IIS. You can get the patch from:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/IIS/fixes/cmdbat/