RE: cmd.exe / root.exe question

From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 08/27/01


Message-ID: <BB7FD4FF9E440648A731452E5D341FB065447C@hitsexchange01.advance-med.com>
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: "'karl_napp3@gmx.li'" <karl_napp3@gmx.li>, focus-ms@securityfocus.com
Subject: RE: cmd.exe / root.exe question
Date: Mon, 27 Aug 2001 11:20:21 -0400

The executable file itself is not usually the problem. Most web servers
(some obviously much better than others) provide a certain amount of
protection to executable files, which will cause attempts such as yours to
fail. The problem is that coding problems within the server software (read:
buffer overflows) allow malicious users to bypass these protective measures
and send commands directly to the server/OS, with no checks performed by the
server software to validate the request. If you're running IIS (or if you
happen to attack IIS boxes for fun), you know that these overflows are
numerous with each new release, and are usually severe. And while you can't
exploit the system with a generic "GET /killmybox.exe" request, sooner or
later someone will figure that 1) there is an executable file in some lame
location, and 2) if you tack on "XXXXXXXXXXXXXXXXXXXXXXXXXXXX..." after your
GET, you magically have root access (sound familiar, anyone!).

That said, having that little "file lying around" isn't such a responsible
idea, is it?

Keith

-----Original Message-----
From: karl_napp3@gmx.li [mailto:karl_napp3@gmx.li]
Sent: Saturday, August 25, 2001 3:29 PM
To: focus-ms@securityfocus.com
Subject: cmd.exe / root.exe question

Where exactly is the risk if a cmd.exe (under whatever name) is placed in a
scriptable directory? I've put cmd.exe into wwwroot under IIS5 and gave
scripting to the file.
Now I tried to remotely execute it. I didn't succeed in getting a remote shell. Via
IE5 I could execute the file but got a local shell only. Netcat with 'nc
<ip> 80 -v' and 'GET /cmd.exe HTTP/1.0\n' gave my soundchip a ride to hell when
interpreting all the beeps ;-)

If cmd were bound to any port and listening I'd see security implications.
But with only a file lying around?

-- 
Karl

-- GMX - The communication platform on the Internet. http://www.gmx.net
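Keith's point above is that the file itself is only the visible part; what a defender can still do with ordinary IIS access logs is alert both on direct requests for cmd.exe/root.exe and on the over-long "XXXX..." requests he describes. The following Python is an added example, not part of either message: the log lines, client IPs and the length/repeat thresholds are constructed assumptions.

```python
import re
from typing import List, Tuple

# Constructed IIS-style log lines (W3C fields: date time c-ip cs-method cs-uri-stem sc-status).
# The fourth entry mimics the "tack on XXXX..." request described in the thread.
SAMPLE_LOG = [
    "2001-08-25 19:29:01 198.51.100.7 GET /default.asp 200",
    "2001-08-25 19:29:05 198.51.100.7 GET /cmd.exe 200",
    "2001-08-25 19:29:09 198.51.100.7 GET /scripts/root.exe 404",
    "2001-08-25 19:30:12 203.0.113.9 GET /" + "X" * 300 + " 200",
    "2001-08-25 19:31:44 192.0.2.15 GET /images/logo.gif 200",
]

# File names from the thread; a direct request for either is worth an alert whatever the status.
SHELL_NAMES = {"cmd.exe", "root.exe"}
# Assumed thresholds: a URI stem over 200 characters, or a run of 100+ identical characters,
# is far outside what a normal site serves and matches the overflow pattern Keith describes.
LONG_URI = 200
REPEAT_RUN = re.compile(r"(.)\1{99,}")

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def classify(uri_stem: str) -> List[str]:
    """Return the reasons a single URI stem is suspicious (empty list if none)."""
    reasons = []
    name = uri_stem.rsplit("/", 1)[-1].lower()
    if name in SHELL_NAMES:
        reasons.append(f"request for shell binary {name}")
    if len(uri_stem) > LONG_URI:
        reasons.append(f"uri length {len(uri_stem)} > {LONG_URI}")
    if REPEAT_RUN.search(uri_stem):
        reasons.append("long run of repeated characters")
    return reasons

def scan(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """Scan log lines; return one (line_no, client_ip, status, reason) tuple per finding."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these separately
        _, _, ip, _, stem, status = m.groups()
        for reason in classify(stem):
            findings.append((n, ip, status, reason))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print("line %d from %s (HTTP %s): %s" % f)
```

Note that the 404 on /scripts/root.exe is still reported: a failed probe for that name tells you someone is looking, even before anything is exploitable.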


