RE: cmd.exe / root.exe question

From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 08/27/01 

Message-ID: <BB7FD4FF9E440648A731452E5D341FB065447C@hitsexchange01.advance-med.com>
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: "'karl_napp3@gmx.li'" <karl_napp3@gmx.li>, focus-ms@securityfocus.com
Subject: RE: cmd.exe / root.exe question
Date: Mon, 27 Aug 2001 11:20:21 -0400

The executable file itself is not usually the problem. Most web servers
(some obviously much better than others) provide a certain amount of
protection to executable files, which will cause attempts such as yours to
fail. The problem is that coding problems within the server software (read:
buffer overflows) allow malicious users to bypass these protective measures
and send commands directly to the server/OS, with no checks performed by the
server software to validate the request. If you're running IIS (or if you
happen to attack IIS boxes for fun), you know that these overflows are
numerous with each new release, and are usually severe. And while you can't
exploit the system with a generic "GET /killmybox.exe" request, sooner or
later someone will figure that 1) there is an executable file in some lame
location, and 2) if you tack on "XXXXXXXXXXXXXXXXXXXXXXXXXXXX..." after your
GET, you magically have root access (sound familiar, anyone!).

That said, having that little "file lying around" isn't such a responsible
idea, is it?

Keith

-----Original Message-----
From: karl_napp3@gmx.li [mailto:karl_napp3@gmx.li]
Sent: Saturday, August 25, 2001 3:29 PM
To: focus-ms@securityfocus.com
Subject: cmd.exe / root.exe question

Where exactly is the risk a cmd.exe (under what name ever) is placed in a
scriptable directory? I've put cmd.exe into wwwroot under iis5 and gave
scripting to the file.
Now tried to remotely execute it. I didn't succeed to get a remoteshell. Via
IE5 I could exceute the file but got a local shell, only. Netcat with 'nc
<ip> 80 -v' and 'GET /cmd.exe HTTP/1.0\n' gave my soundchip a ride to hell
when
interpreting all the beeps ;-)

If cmd were boud to any port and listening I'd see security implications.
But with only a file lying around? 

-- 
Karl

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net

Relevant Pages

  • Re: windows w2k3 domain server - issue
    ... You may be unable to run an executable file or a script file from a UNC path when you have Windows Internet Explorer 7 installed on a Windows Server 2003-based computer ...
    (microsoft.public.windows.server.general)
  • Re: windows w2k3 domain server - issue
    ... You may be unable to run an executable file or a script file from a UNC path ... when you have Windows Internet Explorer 7 installed on a Windows Server ... It not a firewall setting ...
    (microsoft.public.windows.server.general)
  • Getting error message opening exe files from non domain 2000 server.
    ... How do I open a executable file from a windows 2000 ... "Some files can harm your computer. ... server to my domain. ...
    (microsoft.public.windowsxp.security_admin)
  • Application error 2058 for MQ on Win 2003 Server.
    ... I have one executable file which uses IBM MQ, ... perfectly fine on to win NT server. ... I checked that QManager with the requested name is created, ...
    (borland.public.delphi.thirdpartytools.general)
  • Re: sqlserver.jdbcdriver Thread safe?
    ... I have been developing an application in Java that will connect to multiple modems at one time, push update files, and then remotely execute the right script to perform the update into the remote database... ... I am curious about streamlining this process and making multiple connections to all of the databases at once for each server. ... My question is it possible to use this library to establish different database connections for each server at the same time or simply, ...
    (microsoft.public.sqlserver.jdbcdriver)