Re: cmd.exe / root.exe question

From: Phaedrus (phaedrus@lycanon.org)
Date: 08/27/01 

Date: Mon, 27 Aug 2001 08:18:16 -0700
From: Phaedrus <phaedrus@lycanon.org>
Message-ID: <15546490359.20010827081816@lycanon.org>
To: focus-ms@securityfocus.com
Subject: Re: cmd.exe / root.exe question

On Saturday, August 25, 2001, 12:29:10 PM, Karl <karl_napp3@gmx.li> wrote:

kgl> Where exactly is the risk a cmd.exe (under what name ever) is placed in a
kgl> scriptable directory? I've put cmd.exe into wwwroot under iis5 and gave
kgl> scripting to the file.

"That would mean instant death."

kgl> Now tried to remotely execute it. I didn't succeed to get a remoteshell. Via
kgl> IE5 I could exceute the file but got a local shell, only. Netcat with 'nc
kgl> <ip> 80 -v' and 'GET /cmd.exe HTTP/1.0\n' gave my soundchip a ride to hell when
kgl> interpreting all the beeps ;-)

It's true that you can't get a remote shell from a scriptable cmd.exe;
you can't get a telnet-style window that allows you to type in
commands and see the output. However, I call your careful attention
to the "/c" parameter of CMD.EXE, which allows you to specify a
command line to be immediately executed. Simply running CMD.EXE has
no interesting results; but running, say, "CMD.EXE /C DEL /S /Q
C:\*.*" will have a very negative impact on system reliability.

On a less destructive note, don't forget that you can route the output
of a command to a file. So, for example, I can run "CMD.EXE /C
IPCONFIG ALL > C:\wwwroot\ipinfo.txt", and then view the results by
simply retrieving the ipinfo.txt file.

kgl> If cmd were boud to any port and listening I'd see security implications.
kgl> But with only a file lying around?

As an attacker, if I can run any command line I want and store the
results to a file for viewing, who needs an interactive shell? 

-- 
Best regards,
 Phaedrus                            mailto:phaedrus@lycanon.org

Relevant Pages

  • Re: non printable characters
    ... The ls command gives me an output but ... > C shells such as tcsh are not recommended for scripting. ... I said i prefer tcsh. ... When another shell does the trick i will use it. ...
    (comp.unix.bsd.freebsd.misc)
  • Re: Preferred language for shell scripting?
    ... Frankly I don't have that much call for it, so don't really live in the scripting world that much and haven't developed a strong preference for anything in particular. ... I'm a Unix guy from way back, who's enjoying learning C# and Windows programming. ... Overall, it's not such a difficult transition ), but there is one thing from Unix I miss the most - the command line. ... I'm wondering though, what do experienced Windows programmers use for shell commands, and scripts. ...
    (microsoft.public.dotnet.languages.csharp)
  • Re: extracting current month off of system in a script
    ... What I do know is the shell I am using C-shell is ... shell when teaching scripting, so you should probably plan on learning it. ... In Bourne shells, the syntax is: ... In either shell, if the value is the output of some other command, you ...
    (comp.unix.shell)