Re: cmd.exe / root.exe question

From: Phaedrus (phaedrus@lycanon.org)
Date: 08/27/01


Date: Mon, 27 Aug 2001 08:18:16 -0700
From: Phaedrus <phaedrus@lycanon.org>
Message-ID: <15546490359.20010827081816@lycanon.org>
To: focus-ms@securityfocus.com
Subject: Re: cmd.exe / root.exe question

On Saturday, August 25, 2001, 12:29:10 PM, Karl <karl_napp3@gmx.li> wrote:

kgl> Where exactly is the risk if a cmd.exe (under whatever name) is placed in a
kgl> scriptable directory? I've put cmd.exe into wwwroot under IIS5 and gave
kgl> scripting to the file.

"That would mean instant death."

kgl> Now I tried to remotely execute it. I didn't succeed in getting a remote shell. Via
kgl> IE5 I could execute the file but only got a local shell. Netcat with 'nc
kgl> <ip> 80 -v' and 'GET /cmd.exe HTTP/1.0\n' gave my sound chip a ride to hell when
kgl> interpreting all the beeps ;-)

It's true that you can't get a remote shell from a scriptable cmd.exe;
you can't get a telnet-style window that allows you to type in
commands and see the output. However, I call your careful attention
to the "/c" parameter of CMD.EXE, which allows you to specify a
command line to be immediately executed. Simply running CMD.EXE has
no interesting results; but running, say, "CMD.EXE /C DEL /S /Q
C:\*.*" will have a very negative impact on system reliability.

On a less destructive note, don't forget that you can route the output
of a command to a file. So, for example, I can run "CMD.EXE /C
IPCONFIG ALL > C:\wwwroot\ipinfo.txt", and then view the results by
simply retrieving the ipinfo.txt file.

kgl> If cmd were bound to any port and listening I'd see security implications.
kgl> But with only a file lying around?

As an attacker, if I can run any command line I want and store the
results to a file for viewing, who needs an interactive shell?

-- 
Best regards,
 Phaedrus                            mailto:phaedrus@lycanon.org
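The pattern Phaedrus describes (a web-reachable cmd.exe called with "/c", output redirected into the web root, then fetched with a plain GET) leaves a recognisable trail in the web server's access log. The following detector is an added example, not code from the thread; it assumes IIS W3C-style log lines in the field order date, time, client IP, method, URI stem, URI query, status, and the log lines themselves are constructed for illustration.

```python
"""Flag requests that drive a web-exposed cmd.exe/root.exe via "/c" and
any later retrieval of a file that such a command redirected its output to."""
from urllib.parse import unquote_plus

# Constructed sample log (assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
SAMPLE_LOG = """\
2001-08-27 08:18:16 10.0.0.5 GET /default.htm - 200
2001-08-27 08:18:20 10.0.0.5 GET /cmd.exe /c+ipconfig+/all+>+C:\\wwwroot\\ipinfo.txt 200
2001-08-27 08:18:25 10.0.0.5 GET /ipinfo.txt - 200
2001-08-27 08:18:30 10.0.0.9 GET /scripts/root.exe /c+dir 200
2001-08-27 08:18:40 10.0.0.9 GET /images/logo.gif - 304
"""

SHELL_NAMES = ("cmd.exe", "root.exe")  # names the thread mentions

def parse_line(line):
    """Split one W3C log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, ip, method, stem, query, status = parts
    return {"ts": f"{date} {time}", "ip": ip, "method": method, "stem": stem,
            "query": unquote_plus(query) if query != "-" else "", "status": int(status)}

def scan(log_text):
    """Return findings for shell invocations and for fetches of redirected output."""
    findings, dropped_files = [], set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        name = rec["stem"].lower().rsplit("/", 1)[-1]
        if name in dropped_files:  # the "view the results" step of the thread
            findings.append({**rec, "kind": "retrieval of command output"})
            continue
        if name not in SHELL_NAMES:
            continue
        tokens = rec["query"].split()
        kind = "shell binary requested"
        if tokens and tokens[0].lower() == "/c":
            kind = "command execution"
            if ">" in tokens and tokens.index(">") + 1 < len(tokens):
                target = tokens[tokens.index(">") + 1]
                # remember the redirect target so its later download is flagged
                dropped_files.add(target.replace("\\", "/").rsplit("/", 1)[-1].lower())
                kind += " with output redirected to " + target
        findings.append({**rec, "kind": kind})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["kind"], "|", f["stem"], f["query"])
```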