RE: cmd.exe / root.exe question
From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
- Previous message: Jon Zobrist: "Re: cmd.exe / root.exe question"
- Maybe in reply to: firstname.lastname@example.org: "cmd.exe / root.exe question"
- Next in thread: Matt Andreko: "Re: cmd.exe / root.exe question"
Message-ID: <BB7FD4FF9E440648A731452E5D341FB065447C@hitsexchange01.advance-med.com>
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: "'email@example.com'" <firstname.lastname@example.org>, email@example.com
Subject: RE: cmd.exe / root.exe question
Date: Mon, 27 Aug 2001 11:20:21 -0400
The executable file itself is not usually the problem. Most web servers
(some obviously much better than others) provide a certain amount of
protection to executable files, which will cause attempts such as yours to
fail. The problem is that coding problems within the server software (read:
buffer overflows) allow malicious users to bypass these protective measures
and send commands directly to the server/OS, with no checks performed by the
server software to validate the request. If you're running IIS (or if you
happen to attack IIS boxes for fun), you know that these overflows are
numerous with each new release, and are usually severe. And while you can't
exploit the system with a generic "GET /killmybox.exe" request, sooner or
later someone will figure out that 1) there is an executable file in some lame
location, and 2) if you tack on "XXXXXXXXXXXXXXXXXXXXXXXXXXXX..." after your
GET, you magically have root access (sound familiar, anyone?).
That said, having that little "file lying around" isn't such a responsible
idea, is it?
> Where exactly is the risk if a cmd.exe (under whatever name) is placed in a
> scriptable directory? I've put cmd.exe into wwwroot under IIS5 and gave
> scripting to the file.
> Now I tried to remotely execute it. I didn't succeed in getting a remote shell. Via
> IE5 I could execute the file but got a local shell, only. Netcat with 'nc
> <ip> 80 -v' and 'GET /cmd.exe HTTP/1.0\n' gave my sound chip a ride to hell
> interpreting all the beeps ;-)
> If cmd were bound to any port and listening I'd see security implications.
> But with only a file lying around?
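Both sides of the exchange above point at the same two things a web server's logs would show: plain requests for an executable that happens to sit under the web root, and the "tack on XXXX... after your GET" padding that goes with an overflow attempt. The following detection sketch is an added example, not code from the thread or from any IIS tool; the log lines are constructed in a simplified IIS W3C layout, and the length threshold is an assumed value.

```python
from urllib.parse import unquote

# Constructed IIS-style W3C log lines (not taken from the thread):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-08-27 11:20:01 10.0.0.5 GET /default.htm - 200
2001-08-27 11:20:07 10.0.0.9 GET /cmd.exe - 200
2001-08-27 11:20:09 10.0.0.9 GET /scripts/root.exe - 200
2001-08-27 11:20:15 10.0.0.12 GET /default.htm {pad} 404
""".format(pad="X" * 240)

# File types that have no business being served from a web root.
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd")
# Assumed threshold: anything longer than this is suspicious padding, tune per site.
LONG_REQUEST = 200

def parse_line(line):
    """Split one W3C log line into a dict; return None for malformed lines."""
    fields = line.split()
    if len(fields) < 7:
        return None
    _date, _time, ip, method, stem, query, status = fields[:7]
    return {"ip": ip, "method": method, "stem": stem,
            "query": query, "status": int(status)}

def classify(rec):
    """Return the reasons a request deserves a look (empty list means benign)."""
    reasons = []
    # Decode once so a percent-encoded file name cannot slip past the suffix check.
    stem = unquote(rec["stem"]).lower()
    if stem.endswith(EXEC_SUFFIXES):
        reasons.append("request for executable under the web root")
    if len(rec["stem"]) + len(rec["query"]) > LONG_REQUEST:
        reasons.append("oversized request (overflow-style padding)")
    return reasons

def scan(log_text):
    """Return (client ip, requested path, reasons) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ip"], rec["stem"], reasons))
    return hits

if __name__ == "__main__":
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(ip, path, "; ".join(reasons))
```

A status of 200 on an executable request means the server handed the file (or its output) back, which is the "beeps" case in the question; the real fix is to remove the file, since the log only tells you it was asked for.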