# Why is it okay to allow IUSR_<server> to read&Exec CMD.EXE!!! I'd Get HACKED!

Burnsl Joined: 2005-03-30 Posts: 6 Posted: Thu, 2005-12-08 23:53

I locked down my IIS boxes and can't for the life of me figure out why it's okay to allow the anonymous web user to execute CMD.EXE!!! I have copied the cmd.exe to the PHP dir and allowed THAT to be executed, but gallery still insists on calling it from the \system32\cmd.exe directory. I would even prefer to be able to RENAME the cmd.exe too! What do I have to do to retain the safety of the locks I have placed, while allowing Gallery2 to execute cmd when it needs to??!

valiant Joined: 2003-01-04 Posts: 32509 Posted: Fri, 2005-12-09 11:35

i don't know why we have to use cmd.exe to execute a series of commands on windows. using the zip/image toolkit binaries directly as on linux would make more sense. there must be a reason...

but: just don't give IUSR_ write permissions on any file/folder it doesn't need to have write permissions and don't give it read permissions where it doesn't need them. all cmd.exe processes started by IUSR_ are run as the IUSR_ process and are limited by the permissions this user has. so it can't do much harm.

mdev Joined: 2005-12-08 Posts: 17 Posted: Fri, 2005-12-09 13:49

> valiant wrote: i don't know why we have to use cmd.exe to execute a series of commands on windows. using the zip/image toolkit binaries directly as on linux would make more sense. there must be a reason...

For the same reason you can't on \*nix as well: cmd.exe is the shell used for fork(). Gallery doesn't call cmd.exe (or doesn't have to), php will do it when you call shell_exec. Try chmod 750 /bin/sh on your linux box and you'll see that any calls to zip/image toolkit binaries don't work.

Burnsl Joined: 2005-03-30 Posts: 6 Posted: Fri, 2005-12-09 14:34

Well I have no intention of allowing CMD.EXE IUSR privileges. All it will take is some new zero day exploit and knowledge of the default location of CMD.EXE in the winnt\system32 dir and BOOM. I'm a goner.
I have placed a copy in the PHP folder and allowed THAT to have access, however PHP is not calling that one. Why? I don't know. What do I do to enable these features?!

valiant Joined: 2003-01-04 Posts: 32509 Posted: Fri, 2005-12-09 16:17

gallery execution commands on windows look like this:

why is the cmd.exe used and not the one that you specify? because G2's commands on windows look like this:

```
cmd /c "c:\unzip\unzip.exe" "something" "foo"
```

the important bit is the cmd /c in the beginning. it will use cmd.exe that is first found in your PATH environment variable, and this is usually the one from c:\Windows\ ...

why do we use cmd.exe ? please add your notes at http://sourceforge.net/tracker/index.php?func=detail&aid=1163580&group_id=7130&atid=107130 but only if you are sure what you are talking about. general comments like "it's not needed, period." don't help. i haven't looked into this issue myself, so i can't comment on it right now.

and again: if you properly secured your server by restricting the IUSR_ user permissions to the folders/files it needs access to, then there's no real security issue.

Burnsl Joined: 2005-03-30 Posts: 6 Posted: Fri, 2005-12-09 22:07

I see what you're saying, BUT..... I still will not allow IUSR to have access to cmd.exe in the system32 folder. It causes several security analyzers to fail my security checks. There MUST be a way to call the executable from another location. I have edited my path to call the cmd from the PHP dir first. My concern is a literal request to the KNOWN location of CMD. If I make that call of "HTTP:///../../../winnt/system32/cmd.exe" and that cmd.exe has IUSR rights, then I get a request to save or run it! Of course this does nothing if I choose either, however, that's not to say that someone else will figure out how to use it. Besides, once CMD is executed, it has rights to the web folders, and it can execute things in there or other nefarious things.
The best bet is to allow users to SPECIFY what CMD.EXE file that they want to use in the Gallery2 code OR specifically tell users how to alter the cmd.exe preference to another location for PHP based apps. What's that answer? If I can get one, then that goes a LONG WAY to securing my server back to the way it was before gallery2 was loaded.

mdev Joined: 2005-12-08 Posts: 17 Posted: Fri, 2005-12-09 22:52

So, disable archive upload, ImageMagick, netpbm and any command needing module. It breaks only a few features. Most can be done with gd2 library. However, security isn't obscurity. If an unprivileged user can do major damage by having access to the system shell, you'd have to wonder if you're running the right software to begin with.

Burnsl Joined: 2005-03-30 Posts: 6 Posted: Sat, 2005-12-10 02:25

Wow, the answer isn't turning off features. Nice try slamming windows there, you must be a \*nix user, that's fine, but this really isn't the place. We're trying to SOLVE the problem, not disable things or make O.S. war comments.

mdev Joined: 2005-12-08 Posts: 17 Posted: Sat, 2005-12-10 11:36

You fail to see the point. Security isn't increased by hiding the path to the shell. If the shell is a problem, security is increased by disallowing access to the shell. The trade-off in this case is features, until php extensions are used that do the work, without the need for binaries. Too bad the ImageMagick extension died though.

Burnsl Joined: 2005-03-30 Posts: 6 Posted: Sat, 2005-12-10 15:23

I fully see the point. I KNOW that security isn't increased by hiding the path to the shell. I know that security is increased by disallowing access to the shell. This is precisely what I'm trying to do. By MOVING my command shell to another location, that is the equivalent of what a password does. i.e. you don't get access to the resource until you enter the proper sequence of characters.
If the only copy of the shell that I have available to PHP is in a hidden directory path called: php\dhdye8374#jdhhdh\cmd.exe (or something like that) then I'm willing to bet that no one will know how to find it. My question, specifically, is..... How do you make cmd.exe come from a DIFFERENT location than the system32 folder? I'm betting this will sufficiently secure my server.

mdev Joined: 2005-12-08 Posts: 17 Posted: Sat, 2005-12-10 19:26

change path order. And you know how I'd get your 'password'?

Burnsl Joined: 2005-03-30 Posts: 6 Posted: Sat, 2005-12-10 21:36

Okay, well that probably will work to get that version of cmd, but nonetheless, there are more IIS hackers out there than PHP hackers... It was only something I made up when I wrote that post, so perhaps it won't work. I'm more concerned about them finding the standard location. Why can't the IWAM account be used to execute this, after all it is a web application, why does it have to be executed in the anonymous users' context? I'll look into changing the path.

tomongous Joined: 2006-09-18 Posts: 1 Posted: Mon, 2006-09-18 14:53

Why would your Inetpub be on the main drive? I'd re-think the whole put all my eggs in the C:\ basket thing. I challenge you to try ../../-ing onto another drive ... my cmd.exe resides elsewhere -- good luck with that -- hopefully you have a couple HDDs on your system and can afford some down time.

Xerom Joined: 2006-10-21 Posts: 1 Posted: Sat, 2006-10-21 05:10

gallery does not call cmd.exe, php calls it because it's the processing program. ALL programs on windows run on DOS, if you 'could' disable DOS in windows your system would instantly lock up, lol. Try and disable IIS from calling cmd.exe and most likely IIS would not run either, seeing how it is a win32 DOS application. There is no security risk in this, it's perfectly normal. And yes, I run and maintain both Linux and Windows servers in full production environments.
As long as your file and folder permissions are set up correctly, your web folders are in a secure location on the drive, and you haven't made any strange modifications to your IIS settings you have nothing to worry about. I went through that exact same 'why is iis trying to execute cmd.exe, I'm getting hacked!' over half a decade ago when I was green, I know better now.

..:: Mike ::..
Alienistic Network Services
Los Angeles, ca

redclay Joined: 2006-12-12 Posts: 1 Posted: Tue, 2006-12-12 21:29

I'm not familiar with the product you are using but if you have access to the source code you can change it to do this.

- C:\\path\\to\\cmd.exe is the path to the "hidden" cmd with iusr permissions
- /c is a switch (not sure what it does but it's needed)
- C:\\batchfile.cmd this is whatever you are trying to execute via a shell.

Like said, hiding something is not going to give you much security, however it will prevent script kiddies from exploiting it. You really need to make sure the permissions overall are set right. One thing you can do is create a new user in windows and have a windows login on the site, then set the permissions on cmd and the executables you need for that login. This works fine if it's an admin environment, not so good if the software in question is accessible to the general user.
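
Several replies in this thread come down to the same check: what the anonymous account can write, and whether it can also execute from the same place. The script below is an added example, not part of the thread or of Gallery's code. It assumes you captured the output of `icacls <path>` for each path you care about; the host name `WEB01`, the paths and the ACL listings are constructed sample data.

```python
import re

# Simple-rights letters as printed by icacls. F (full) and M (modify) imply both.
WRITE = {"F", "M", "W"}
EXECUTE = {"F", "M", "RX"}
INHERITANCE = {"I", "OI", "CI", "IO", "NP"}

def account_rights(icacls_text, account):
    """Rights that allow-ACEs grant to `account` in one `icacls <path>` listing."""
    ace = re.compile(r"(?<![\w.-])" + re.escape(account) + r":((?:\([^)]*\))+)", re.I)
    granted = set()
    for match in ace.finditer(icacls_text):
        groups = re.findall(r"\(([^)]*)\)", match.group(1))
        if "DENY" in groups:
            continue  # a deny entry grants nothing
        for group in groups:
            if group not in INHERITANCE:
                granted.update(r.strip() for r in group.split(","))
    return granted

def audit(listings, account, writable_ok=()):
    """Flag paths where the anonymous web account can write outside the allowed
    set, or can both write and execute (drop a file, then run it)."""
    findings = []
    for path, text in listings.items():
        rights = account_rights(text, account)
        can_write, can_exec = bool(rights & WRITE), bool(rights & EXECUTE)
        expected = any(path.lower().startswith(ok.lower()) for ok in writable_ok)
        if can_write and not expected:
            findings.append((path, "unexpected write access"))
        if can_write and can_exec:
            findings.append((path, "writable and executable"))
    return findings

# Constructed sample: captured `icacls <path>` output (host WEB01 is made up).
SAMPLE = {
    r"C:\WINNT\system32\cmd.exe": r"""C:\WINNT\system32\cmd.exe BUILTIN\Administrators:(F)
                          NT AUTHORITY\SYSTEM:(F)
                          WEB01\IUSR_WEB01:(RX)""",
    r"C:\Inetpub\wwwroot\gallery2": r"""C:\Inetpub\wwwroot\gallery2 BUILTIN\Administrators:(OI)(CI)(F)
                            WEB01\IUSR_WEB01:(OI)(CI)(M)""",
    r"D:\g2data": r"""D:\g2data BUILTIN\Administrators:(OI)(CI)(F)
          WEB01\IUSR_WEB01:(OI)(CI)(R,W)""",
}

if __name__ == "__main__":
    for finding in audit(SAMPLE, "IUSR_WEB01", writable_ok=[r"D:\g2data"]):
        print(finding)
```

In the sample, read and execute on `cmd.exe` produces no finding, while Modify on the web root is reported twice because the account could both place a file there and run it.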