|
|
You're in the
iis security
group:Opening cmd.exe to IUSR_<machine>
iis security:
Hi, I'm developing a publicly accessible Perl CGI script that needs to run shell commands such as: my $suggestions = `echo misspelt | aspell.exe -a`; Perl requires use of cmd.exe in order to execute this command and on Windows 2003/IIS 6.0 this is not possible under the default security permissions since IUSR_<machine> doesn't have read/execute permission on cmd.exe. Since it would be a bad idea to grant IUSR_<machine> read/execute access on cmd.exe (please correct me if I'm wrong) I was thinking of making a copy of cmd.exe elsewhere in the file system and changing the permissions on the copy. If the copy was renamed then it seems unlikely that a malicious user could find it in order to exploit it. Any thoughts on this would be greatly appreciated. Cheers, Brad
The default ACLs on CMD.EXE (indeed, all of the command line EXE programs in
the System32 directory) make it inaccessible to any user identity logged on by IIS except for administrators. This is intentional. Your code does not actually need access to the command shell. It needs access to the CreateProcess Win32 API call. Simply renaming cmd.exe is not security. -- //David IIS This posting is provided "AS IS" with no warranties, and confers no rights. // [quoted text, click to view] "Brad Watson" <anonymous@discussions.microsoft.com> wrote in message news:009e01c3e569$46940b60$3501280a@phx.gbl... Hi, I'm developing a publicly accessible Perl CGI script that needs to run shell commands such as: my $suggestions = `echo misspelt | aspell.exe -a`; Perl requires use of cmd.exe in order to execute this command and on Windows 2003/IIS 6.0 this is not possible under the default security permissions since IUSR_<machine> doesn't have read/execute permission on cmd.exe. Since it would be a bad idea to grant IUSR_<machine> read/execute access on cmd.exe (please correct me if I'm wrong) I was thinking of making a copy of cmd.exe elsewhere in the file system and changing the permissions on the copy. If the copy was renamed then it seems unlikely that a malicious user could find it in order to exploit it. Any thoughts on this would be greatly appreciated. Cheers, Brad
Thankyou very much for the input. However, adding read/execute permission does enable me to execute the shell command whereas without it, the command fails so I think the permission I need is related to cmd.exe. Also, I believe that I've already got access to CreateProcess because I'm able to launch new processes as long as they don't contain redirecting or piping commands such as > and |. If I wasn't to rename cmd.exe is there any other way I could use > and | from a public CGI script without causing security problems? I'm suprised this doesn't seem to have been an issue to anyone in the past. Brad [quoted text, click to view] >-----Original Message-----
>The default ACLs on CMD.EXE (indeed, all of the command line EXE programs in >the System32 directory) make it inaccessible to any user identity logged on >by IIS except for administrators. This is intentional. > >Your code does not actually need access to the command shell. It needs >access to the CreateProcess Win32 API call. > >Simply renaming cmd.exe is not security. > >-- >//David >IIS >This posting is provided "AS IS" with no warranties, and confers no rights. >// >"Brad Watson" <anonymous@discussions.microsoft.com> wrote in message >news:009e01c3e569$46940b60$3501280a@phx.gbl... > >Hi, > >I'm developing a publicly accessible Perl CGI >script that needs to run shell commands such as: > >my $suggestions = `echo misspelt | aspell.exe -a`; > >Perl requires use of cmd.exe in order to execute >this command and on Windows 2003/IIS 6.0 this is >not possible under the default security permissions >since IUSR_<machine> doesn't have read/execute >permission on cmd.exe. > >Since it would be a bad idea to grant >IUSR_<machine> read/execute access on cmd.exe >(please correct me if I'm wrong) I was thinking >of making a copy of cmd.exe elsewhere in the >file system and changing the permissions on >the copy. If the copy was renamed then it seems >unlikely that a malicious user could find it >in order to exploit it. > >Any thoughts on this would be greatly appreciated. > >Cheers, > >Brad > > >.
In article <009e01c3e569$46940b60$3501280a@phx.gbl>,
anonymous@discussions.microsoft.com says... [quoted text, click to view] > > Hi, > > I'm developing a publicly accessible Perl CGI > script that needs to run shell commands such as: > > my $suggestions = `echo misspelt | aspell.exe -a`; > > Perl requires use of cmd.exe in order to execute > this command and on Windows 2003/IIS 6.0 this is > not possible under the default security permissions > since IUSR_<machine> doesn't have read/execute > permission on cmd.exe. > > Since it would be a bad idea to grant > IUSR_<machine> read/execute access on cmd.exe > (please correct me if I'm wrong) I was thinking > of making a copy of cmd.exe elsewhere in the > file system and changing the permissions on > the copy. If the copy was renamed then it seems > unlikely that a malicious user could find it > in order to exploit it. > > Any thoughts on this would be greatly appreciated. If you manage to expose CMD to IIS you are going to get hacked, it's not IF, but when! Don't do it, there has got to be a better method - even if you have to create a ISAPI dll, but still don't use CMD. I never leave a web server setup so that anyone but a local account (not a group) can use it just in case it gets hacked. -- -- spamfree999@rrohio.com
Your are almost certain to get hacked
Host User At Proc Time Received Sent Status Operation Target Param 81.56.179.194 - 02/02/2004 06:22:45 0 80 4184 404 GET /<Rejected-By-UrlScan> ~/c/winnt/system32/cmd.exe 81.56.179.194 - 02/02/2004 06:22:35 0 70 4184 404 GET /<Rejected-By-UrlScan> ~/MSADC/root.exe 81.56.179.194 - 02/02/2004 06:22:26 0 72 4184 404 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 81.56.179.194 - 02/02/2004 05:53:29 0 70 4184 404 GET /<Rejected-By-UrlScan> ~/MSADC/root.exe 81.56.179.194 - 02/02/2004 05:53:19 0 72 4184 404 GET /<Rejected-By-UrlScan> ~/scripts/root.exe 210.54.179.254 - 02/02/2004 05:33:53 94 59 4184 404 GET /<Rejected-By-UrlScan> ~/scripts/..%255c%255c../winnt/system32/cmd.exe 218.72.20.40 - 02/02/2004 00:50:50 0 61 4203 404 GET /<Rejected-By-UrlScan> ~211.150.96.26:25 81.56.179.194 - 02/02/2004 00:30:20 0 96 4184 404 GET /<Rejected-By-UrlScan> ~/scripts/..%252f../winnt/system32/cmd.exe 81.56.179.194 - 02/02/2004 00:30:19 0 100 4184 404 GET /<Rejected-By-UrlScan> ~/scripts/..%25%35%63../winnt/system32/cmd.exe 81.56.179.194 - 02/02/2004 00:30:18 0 96 4184 404 GET /<Rejected-By-UrlScan> ~/scripts/..%%35c../winnt/system32/cmd.exe 81.56.179.194 - 02/02/2004 00:30:17 0 98 4184 404 GET /<Rejected-By-UrlScan> ~/scripts/..%%35%63../winnt/system32/cmd.exe 81.56.179.194 - 02/02/2004 00:30:16 0 97 4184 404 GET /<Rejected-By-UrlScan> ~/scripts/..%c1%9c../winnt/system32/cmd.exe 81.56.179.194 - 02/02/2004 00:30:15 0 97 4184 404 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%af../winnt/system32/cmd.exe 81.56.179.194 - 02/02/2004 00:30:14 0 97 4184 404 GET /<Rejected-By-UrlScan> ~/scripts/..%c0%2f../winnt/system32/cmd.exe 81.56.179.194 - 02/02/2004 00:30:12 0 97 4184 404 GET /<Rejected-By-UrlScan> ~/scripts/..%c1%1c../winnt/system32/cmd.exe 81.56.179.194 - 02/02/2004 00:30:10 0 145 4184 404 GET /<Rejected-By-UrlScan> ~/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/s ystem32/cmd.exe 81.56.179.194 - 02/02/2004 00:30:08 0 117 4184 404 GET /<Rejected-By-UrlScan> ~/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 81.56.179.194 - 02/02/2004 00:30:06 15 117 4184 404 GET /<Rejected-By-UrlScan> ~/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe 81.56.179.194 - 02/02/2004 00:30:04 0 96 4184 404 GET /<Rejected-By-UrlScan> ~/scripts/..%255c../winnt/system32/cmd.exe 81.56.179.194 - 02/02/2004 00:30:01 0 80 4184 404 GET /<Rejected-By-UrlScan> ~/d/winnt/system32/cmd.exe 81.56.179.194 - 02/02/2004 00:29:59 0 80 4184 404 GET /<Rejected-By-UrlScan> ~/c/winnt/system32/cmd.exe 81.56.179.194 - 02/02/2004 00:29:56 0 70 4184 404 GET /<Rejected-By-UrlScan> ~/MSADC/root.exe 81.56.179.194 - 02/02/2004 00:29:54 297 72 4184 404 GET /<Rejected-By-UrlScan> ~/scripts/root.exe Dave. [quoted text, click to view] "Leythos" <void@nowhere.com> wrote in message news:MPG.1a87974da357db6598a123@news-server.columbus.rr.com... > In article <009e01c3e569$46940b60$3501280a@phx.gbl>, > anonymous@discussions.microsoft.com says... > > > > Hi, > > > > I'm developing a publicly accessible Perl CGI > > script that needs to run shell commands such as: > > > > my $suggestions = `echo misspelt | aspell.exe -a`; > > > > Perl requires use of cmd.exe in order to execute > > this command and on Windows 2003/IIS 6.0 this is > > not possible under the default security permissions > > since IUSR_<machine> doesn't have read/execute > > permission on cmd.exe. > > > > Since it would be a bad idea to grant > > IUSR_<machine> read/execute access on cmd.exe > > (please correct me if I'm wrong) I was thinking > > of making a copy of cmd.exe elsewhere in the > > file system and changing the permissions on > > the copy. If the copy was renamed then it seems > > unlikely that a malicious user could find it > > in order to exploit it. > > > > Any thoughts on this would be greatly appreciated. > > If you manage to expose CMD to IIS you are going to get hacked, it's not > IF, but when! > > Don't do it, there has got to be a better method - even if you have to > create a ISAPI dll, but still don't use CMD. I never leave a web server > setup so that anyone but a local account (not a group) can use it just > in case it gets hacked. > > > -- > -- > spamfree999@rrohio.com > (Remove 999 to reply to me)
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |