Bugtraq mailing list archives
BoS: http:--www.omna.com-msiis-
From: proff () suburbia net (Julian Assange)
Date: Mon, 1 Jul 1996 11:03:21 -0500
New! If you are running Windows NT or Windows 95 you can test whether your connection to the internet is safe Right Now!
_________________________________________________________________

Microsoft Internet Information Server vv. 1.x, 2.0b
New Security Bugs Alert. June 30, 1996
_________________________________________________________________

0. Abstract

MWC, Inc. has discovered a new series of bugs ("4bugs") in the MS IIS in addition to the "BAT/CMD" bug Part I and Part II.
_____________________________________________________________

1. What these new bugs allow to do.

* The First bug allows a user to access any file on the same partition where your wwwroot directory exists (assuming that IIS_user has permission to read this file). It also allows execution of any executable file on the same partition where your scripts directory exists (assuming that IIS_user has permission to execute this file). If the cmd.exe file can be executed then it also allows you to execute any command and read any file on any partition (assuming that IIS_user has permission to read or execute this file). This bug is similar to (but not the same as) the one discovered independently by James () superstation net. For more information and the ISAPI filter DLL that fixes the problem take a look at this page

* The Second and Third bugs exploit passing of unchecked arguments to the cmd.exe in a way similar to the "BAT/CMD" bug. These bugs allow you to create new or to modify existing files on any partition under the following conditions:
  + BAT and (or) CMD files are mapped by IIS to the cmd.exe file
  + IIS_USER has a right to create a file in case of a new file creation
  + IIS_USER has a right to delete a file in case of a file modification

  Unfortunately Netscape Communication and Netscape Commerce servers have similar bugs. Similar things can be done with Netscape Server if it uses BAT or CMD files as CGI scripts. We did not test all Web servers available on the market. But some of them are vulnerable too.

* The Fourth bug is specific to the cmd.exe program. Once accessed (for example by exploiting the first bug) cmd.exe can be used to execute any internal command or any command on any partition, share, etc., or it can be used to create a new "custom made" file even if the mapping to the BAT, CMD files is disabled.
_____________________________________________________________

2. Alert

* MWC, Inc. has sent a detailed bug report to Microsoft. People at Microsoft we talked to are very concerned about their customers and thus the fixes from Microsoft should be available soon.
* MWC, Inc. has sent the report to Netscape as well.
* MWC, Inc. will send a copy of the report immediately to Every Web Server Developer Company to let them test whether their Web Server is vulnerable to the second and third bugs.
* MWC, Inc. will publish the detailed report about the bugs on July 3, 1996 at 10:00 pm EST at this URL. We believe that the delay between this alert and the actual bug report publication will help Webmasters to reconfigure their websites before the information is available to the general public.
* MWC, Inc. will send the report about the bugs by e-mail to all registered users on July 3, 1996 at 10:00 pm EST. Register on-line to receive your copy of the report by e-mail.
_____________________________________________________________

3. Conclusions and Workaround

* Regardless of the Web server you are using, create separate partitions for your wwwroot directories and scripts directories to be on the safe side.
* Disable BAT/CMD files' mapping and never use BAT and (or) CMD files as CGI scripts.
_________________________________________________________________

[NT and Net Security Services]
1996 © MWC -- Powered by OMNA Digital