[2868] in bugtraq
BoS: http:--www.omna.com-msiis-
daemon@ATHENA.MIT.EDU (Julian Assange)
Mon Jul 1 17:01:35 1996
X-Resent-From: best-of-security@suburbia.net
Date: Mon, 1 Jul 1996 11:03:21 -0500
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Julian Assange <proff@suburbia.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
_________________________________________________________________
Microsoft Internet Information Server vv. 1.x, 2.0b
New Security Bugs Alert.
June 30, 1996
_________________________________________________________________
0. Abstract
MWC, Inc. has discovered a new series of bugs ("4bugs") in the MS
IIS in addition to the "BAT/CMD" bug Part I and Part II.
_____________________________________________________________
1. What these new bugs allow
* The first bug allows a user to access any file on the same
partition where your wwwroot directory exists (assuming that
IIS_user has permission to read this file). It also allows
execution of any executable file on the same partition where your
scripts directory exists (assuming that IIS_user has permission
to execute this file). If the cmd.exe file can be executed, then it
also allows you to execute any command and read any file on any
partition (assuming that IIS_user has permission to read or
execute this file). This bug is similar to (but not the same as) the
one discovered independently by James@superstation.net. For more
information and the ISAPI filter DLL that fixes the problem take a
look at this page.
* The second and third bugs exploit the passing of unchecked arguments
to cmd.exe in a way similar to the "BAT/CMD" bug. These bugs
allow you to create new files or to modify existing files on any
partition under the following conditions:
  + BAT and (or) CMD files are mapped by IIS to the cmd.exe file
  + IIS_USER has the right to create a file, in the case of new file
    creation
  + IIS_USER has the right to delete a file, in the case of file
    modification
Unfortunately, Netscape Communication and Netscape Commerce servers
have similar bugs. Similar things can be done with Netscape
Server if it uses BAT or CMD files as CGI scripts. We did not
test all Web servers available on the market, but some of them
are vulnerable too.
* The fourth bug is specific to the cmd.exe program. Once accessed
(for example by exploiting the first bug), cmd.exe can be used to
execute any internal command or any command on any partition,
share, etc., or it can be used to create a new "custom made" file
even if the mapping to the BAT, CMD files is disabled.
_____________________________________________________________
2. Alert
* MWC, Inc. has sent a detailed bug report to Microsoft. The people at
Microsoft we talked to are very concerned about their customers,
and thus the fixes from Microsoft should be available soon.
* MWC, Inc. has sent the report to Netscape as well.
* MWC, Inc. will immediately send a copy of the report to every
Web server developer company to let them test whether their Web
server is vulnerable to the second and third bugs.
* MWC, Inc. will publish the detailed report about the bugs on July
3, 1996 at 10:00 pm EST at this URL. We believe that the delay
between this alert and the publication of the actual bug report will
help Webmasters to reconfigure their websites before the
information is available to the general public.
* MWC, Inc. will send the report about the bugs by e-mail to all
registered users on July 3, 1996 at 10:00 pm EST. Register on-line
to receive your copy of the report by e-mail.
_____________________________________________________________
3. Conclusions and Workaround
* Regardless of the Web server you are using, create separate
partitions for your wwwroot directories and scripts directories
to be on the safe side.
* Disable BAT/CMD files' mapping and never use BAT and (or) CMD
files as CGI scripts.
_________________________________________________________________
1996 © MWC -- Powered by OMNA Digital
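
An added example, not part of the MWC advisory or the original post: a small audit that applies the two workarounds in section 3 to a described server configuration. The configuration layout, paths and finding codes are constructed for illustration, and the check assumes the partition advice means keeping wwwroot and scripts off the partition that holds cmd.exe.

```python
import ntpath  # Windows path rules, usable on any OS

# Constructed sample configurations; paths and mappings are illustrative only.
WEAK = {
    "wwwroot": r"C:\InetPub\wwwroot",
    "scripts": r"C:\InetPub\scripts",
    "cmd_exe": r"C:\WINNT\system32\cmd.exe",
    "script_map": {".bat": r"C:\WINNT\system32\cmd.exe /c %s",
                   ".CMD": r"C:\WINNT\system32\cmd.exe /c %s",
                   ".pl": r"F:\perl\bin\perl.exe %s"},
}
HARDENED = {
    "wwwroot": r"D:\wwwroot",
    "scripts": r"E:\scripts",
    "cmd_exe": r"C:\WINNT\system32\cmd.exe",
    "script_map": {".pl": r"F:\perl\bin\perl.exe %s"},
}

def drive(path):
    """Upper-cased drive (or UNC share) component of a Windows path."""
    return ntpath.splitdrive(path)[0].upper()

def audit(cfg):
    """Return a sorted list of (code, detail) findings for one server config."""
    findings = []
    sys_drive = drive(cfg["cmd_exe"])
    # First bug: files on the wwwroot partition are readable and executables
    # on the scripts partition are runnable, so neither directory should
    # share a partition with cmd.exe and the system files around it.
    if drive(cfg["wwwroot"]) == sys_drive:
        findings.append(("WWWROOT_ON_SYSTEM_PARTITION", cfg["wwwroot"]))
    if drive(cfg["scripts"]) == sys_drive:
        findings.append(("SCRIPTS_ON_CMD_PARTITION", cfg["scripts"]))
    # Second and third bugs need BAT/CMD mapped to cmd.exe: flag those
    # extensions and any other extension whose handler program is cmd.exe.
    # Assumes the handler's program path contains no spaces.
    for ext, handler in cfg["script_map"].items():
        program = ntpath.basename(handler.split()[0]).lower()
        if ext.lower() in (".bat", ".cmd") or program == "cmd.exe":
            findings.append(("BATCH_MAPPING", ext.lower()))
    return sorted(findings)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```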