RE: cmd.exe / root.exe question

From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 08/27/01


Message-ID: <BB7FD4FF9E440648A731452E5D341FB065447C@hitsexchange01.advance-med.com>
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: "'karl_napp3@gmx.li'" <karl_napp3@gmx.li>, focus-ms@securityfocus.com
Subject: RE: cmd.exe / root.exe question
Date: Mon, 27 Aug 2001 11:20:21 -0400

The executable file itself is not usually the problem. Most web servers
(some obviously much better than others) provide a certain amount of
protection to executable files, which will cause attempts such as yours to
fail. The problem is that coding problems within the server software (read:
buffer overflows) allow malicious users to bypass these protective measures
and send commands directly to the server/OS, with no checks performed by the
server software to validate the request. If you're running IIS (or if you
happen to attack IIS boxes for fun), you know that these overflows are
numerous with each new release, and are usually severe. And while you can't
exploit the system with a generic "GET /killmybox.exe" request, sooner or
later someone will figure out that 1) there is an executable file in some lame
location, and 2) if you tack on "XXXXXXXXXXXXXXXXXXXXXXXXXXXX..." after your
GET, you magically have root access (sound familiar, anyone?).

That said, having that little "file lying around" isn't such a responsible
idea, is it?

Keith

-----Original Message-----
From: karl_napp3@gmx.li [mailto:karl_napp3@gmx.li]
Sent: Saturday, August 25, 2001 3:29 PM
To: focus-ms@securityfocus.com
Subject: cmd.exe / root.exe question

Where exactly is the risk if a cmd.exe (under whatever name) is placed in a
scriptable directory? I've put cmd.exe into wwwroot under IIS5 and gave the
file scripting permissions.
Then I tried to execute it remotely. I didn't succeed in getting a remote
shell. Via IE5 I could execute the file but only got a local shell. Netcat with
'nc <ip> 80 -v' and 'GET /cmd.exe HTTP/1.0\n' gave my sound chip a ride to hell
when it interpreted all the beeps ;-)

If cmd were bound to any port and listening I'd see security implications.
But with only a file lying around?

-- 
Karl

-- GMX - The communication platform on the Internet. http://www.gmx.net
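As an added defender-side example (not code from either poster), the Python below scans IIS W3C-format log lines for the two things Keith's reply describes: a request that names an executable sitting in the content tree (cmd.exe, root.exe), and a request padded far beyond normal length. The sample log lines, the field list and the 256-character threshold are constructed assumptions.

```python
from typing import Dict, Iterator, List, Tuple

# Assumed: extensions that should never be reachable as web content.
EXEC_EXTENSIONS = (".exe", ".com", ".bat", ".cmd")
# Assumed threshold: stem plus query longer than this is treated as padding.
LONG_REQUEST = 256

# Constructed IIS 5 W3C extended log sample; not from the original thread.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-08-25 19:29:01 192.0.2.10 GET /index.html - 200",
    "2001-08-25 19:29:05 192.0.2.10 GET /cmd.exe - 200",
    "2001-08-25 19:30:12 192.0.2.77 GET /scripts/root.exe - 404",
    "2001-08-25 19:31:40 192.0.2.88 GET /cmd.exe " + "X" * 300 + " 200",
])


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # field names follow the directive
            continue
        if not line or line.startswith("#"):
            continue                        # other directives and blank lines
        values = line.split(" ")
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the reasons a record is suspicious (empty list if it is not)."""
    reasons: List[str] = []
    stem = entry["cs-uri-stem"].lower()
    query = entry.get("cs-uri-query", "-")
    if stem.endswith(EXEC_EXTENSIONS):
        reasons.append("executable requested from content tree: " + stem)
    if len(stem) + len(query) > LONG_REQUEST:
        reasons.append(f"oversized request ({len(stem) + len(query)} chars)")
    return reasons


def find_suspicious(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (client ip, uri stem, reasons) for every flagged record."""
    hits = []
    for entry in parse_w3c(text):
        reasons = classify(entry)
        if reasons:
            hits.append((entry["c-ip"], entry["cs-uri-stem"], reasons))
    return hits
```

A 404 (the root.exe line) still gets flagged: the probe itself is the signal, whether or not the file was there.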