Juniper Networks
Solutions
Products & Services
Company
Partners
Support
Education

Signature Detail

Security Intelligence Center
Signatures
Print

Short Name

 HTTP:IIS:BAT-AMP

Severity

 High

Recommended

 No

Recommended Action

 Drop

Category

 HTTP

Keywords

 IIS .bat?& Arbitrary File Exec

Release Date

 2003/04/22

Update Number

 1213

Supported Platforms

 di-5.3+, idp-4.0+, isg-3.0+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: IIS .bat?& Arbitrary File Exec


This signature detects attempts to execute a command by specifying a .bat or .cmd extension to a Microsoft Windows Web server.

Extended Description

Some web servers that allow batch files to be executed via CGI are vulnerable to an attack whereby an intruder can execute commands on the target machine. This can be accomplished by submitting the command to be executed as a variable preceded by the ampersand (&) symbol, eg. http://targethost/cgi-bin/batfile.bat?&hostile_command. This apparently causes the server to call the function: system("batfile.bat &hostile_command") which the command interpreter interprets as separate commands. Microsoft IIS 1.0 is vulnerable to this attack whether or not the .BAT file requested even exists. Successfully exploiting this vulnerability allows an attacker to execute commands on the target machine with the privileges of the web server. This vulnerability may also be exploited via . CMD files.

Affected Products

  • Microsoft IIS 1.0
  • Netscape Commerce Server 1.0.0
  • Netscape Communications Server 1.12.0
  • OReilly Software WebSite Professional 1.1.0 b

References

  • BugTraq: 2023
  • CVE: CVE-1999-0233

Site Map
RSS Feeds
Careers
Accessibility
Feedback
Privacy Policy
Legal Notices
Copyright © 1999-2010 Juniper Networks, Inc. All rights reserved.
Help
|
My Account
|
Log Out