Microsoft Internet Information Server v 1.0
"BAT/CMD" Security Bug, Part I.
The .bat and .cmd bug is well known in the Netscape server and is described in the WWW Security FAQ, Q59. The implementation of this bug (an undocumented remote administration feature) in the Microsoft IIS Web server beats all the top scores.
Let's consider a fresh IIS Web server installation where all settings are at their defaults:
1) CGI directory is /scripts
2) There are no files abracadabra.bat or abracadabra.cmd in the /scripts directory.
3) The IIS Web server maps the .bat and .cmd extensions to cmd.exe. Therefore the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap
contains the following string:
.bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s
In this case a hacker with malicious intent can send either one of the two command lines to the server:
1) The browser asks how you want to save the document. Notepad.exe or any other viewer would do for this "type" of application.
2) The browser starts the download session. The download window appears on the screen.
3) The hacker clicks the "Cancel" button in the download window, because the "time" command on the server never terminates.
4) Nothing is logged on the server side by the IIS Web server, because the execution process was never successfully terminated!!! (Thanks to the "time" command.) The only way to see that something happened is to review all your NT security logs, but they do not contain information such as REMOTE_IP. Thus the hacker's machine remains fully anonymous.
1) The IIS Web server allows a hacker to execute his "batch file" by typing
/scripts/abracadabra.bat?&COMMAND1+?&COMMAND2+?&...+?&COMMANDN
In the same situation with the Netscape server, only a single command can be executed.
2) There is no file abracadabra.bat in the /scripts directory, but the .bat extension is mapped to C:\WINNT35\System32\cmd.exe.
In the same situation with the Netscape server, an actual .bat file must exist.
3) If a hacker enters a command like "time" or "date" as COMMAND[N], nothing will be logged by the IIS Web server.
In the same situation with the Netscape server, the error log will have a record of the remote IP and the command you are trying to execute.
Disable the .BAT and .CMD file extensions for external CGI scripts in the file-mapping feature of the IIS Web server.
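The workaround above amounts to checking that no ScriptMap entry hands requests to a command interpreter. The following audit script is an added example, not code from the original advisory or from Microsoft: it takes ScriptMap entries in the "extension=command line" form quoted above (here a constructed sample, not a real registry export), flags extensions mapped to cmd.exe or command.com, and produces the mapping table with those entries removed.

```python
# Constructed sample of ScriptMap entries in the "ext=interpreter %s %s" form
# shown in the advisory; the .pl line is made up for contrast.
SAMPLE_SCRIPTMAP = """\
.bat=C:\\WINNT35\\System32\\cmd.exe /c %s %s
.cmd=C:\\WINNT35\\System32\\cmd.exe /c %s %s
.pl=C:\\Perl\\bin\\perl.exe %s %s
"""

# Interpreters that execute whatever follows on the command line, so a mapped
# extension yields command execution with no script file on disk at all.
SHELL_INTERPRETERS = {"cmd.exe", "command.com"}


def parse_scriptmap(text):
    """Parse 'ext=command line' entries into a {extension: command} dict."""
    mappings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue  # blank line or junk, not a mapping
        ext, cmd = line.split("=", 1)
        mappings[ext.strip().lower()] = cmd.strip()
    return mappings


def interpreter_name(cmd):
    """Basename of the executable at the start of a mapping command line.
    Assumes the path contains no spaces, as in the advisory's example."""
    exe_path = cmd.split()[0] if cmd.split() else ""
    return exe_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_shell_mappings(mappings):
    """Extensions whose handler is a command shell, sorted for stable output."""
    return sorted(ext for ext, cmd in mappings.items()
                  if interpreter_name(cmd) in SHELL_INTERPRETERS)


def hardened_scriptmap(mappings):
    """Apply the advisory's mitigation: drop every shell-mapped extension."""
    risky = set(find_shell_mappings(mappings))
    return {ext: cmd for ext, cmd in mappings.items() if ext not in risky}


if __name__ == "__main__":
    current = parse_scriptmap(SAMPLE_SCRIPTMAP)
    for ext in find_shell_mappings(current):
        print(f"RISKY: {ext} -> {current[ext]}")
    print("hardened ScriptMap:", hardened_scriptmap(current))
```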
We sent the description of this bug to Microsoft. Here one can see their reply and acknowledgement.
We have studied Microsoft's bug "fix" and found that the problem has not been fixed! If one uses a slightly more complicated command string, an arbitrary command can still be executed on the server. And again, nothing will be logged by IIS. More information is available here.
1996 © MWC Inc. -- Powered by OMNA ® Digital