HTTP: IIS .bat?& Arbitrary File Exec
This signature detects attempts to execute a command by specifying a .bat or .cmd extension to a Microsoft Windows Web server.
Extended Description
Some web servers that allow batch files to be executed via CGI are vulnerable to an attack whereby an intruder can execute commands on the target machine. This can be accomplished by submitting the command to be executed as a variable preceded by the ampersand (&) symbol, eg. http://targethost/cgi-bin/batfile.bat?&hostile_command. This apparently causes the server to call the function: system("batfile.bat &hostile_command") which the command interpreter interprets as separate commands. Microsoft IIS 1.0 is vulnerable to this attack whether or not the .BAT file requested even exists. Successfully exploiting this vulnerability allows an attacker to execute commands on the target machine with the privileges of the web server. This vulnerability may also be exploited via . CMD files.
Affected Products
Netscape commerce_server
Short Name
HTTP:IIS:BAT-AMP
Severity
Major
Recommended
False
Recommended Action
Drop
Category
HTTP
Keywords
.bat?& Arbitrary CVE-1999-0233 Exec File IIS bid:2023
Release Date
04/22/2003
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3375
False Positive
Unknown
Vendors
Netscape
Oreilly_software
Microsoft
CVSS Score
10.0