COMMAND                                            SOURCE: 


  WinNT Systems running IIS v1.0


    .bat and  .cmd BUG  for Microsoft  Internet Information  Server is
    described here . "Microsoft claims to fix this problem. The  patch
    is  available  from  the  Microsoft's  site.  We have studied this
    patch and found out  that the problem has  not been fixed! If  one
    uses a little  bit more complicated  command string, an  arbitrary
    command on a server can be still effectively executed. And  again,
    nothing will be logged by IIS."

    We will consider the following settings:

    1)  IIS  Web  server  with  the  .bat/.cmd  patch  from  Microsoft
       installed.  (or IIS downloaded after March 5, 1996)

    2) CGI directory is /scripts

    3) Consider test.bat in the /scripts directory:
        @echo off
        echo Content-type: text/plain
        echo Hello World!

    4)  IIS  Web  server  maps  .bat  and  .cmd extensions to cmd.exe.
        Therefore registry key


        has the following string:

        .bat or .cmd=C:\WINNT35\System32\cmd.exe /c %s %s

    In  this  case  a  hacker  with  a  malicious intent can send this
    command line to the server:


    with the results described in details previously (see #1).

    The good news is that  now file test.bat must be  actually present
    in scripts directory.




    MS made patch available. You  can also disable .CMD and  .BAT file
    mapping (MIME  mapping) so  that the  NT Command  Interpreter will
    not act  on them.  Do this  manually by  using REGEDT32.EXE, which
    can be started from the Start Button | Run.  Under

ript Map

    delete  the  keys  which  start  with  '.BAT' and '.CMD', and then
    restart IIS.  You can get patch from: