Sid 1-976

Rule Documentation
References

Rule Category

SERVER-WEBAPP -- Snort has detected traffic exploiting vulnerabilities in web based applications on servers.

Alert Message

SERVER-WEBAPP .bat? access

Rule Explanation

IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files. Impact: CVSS base score 10.0 CVSS impact score 10.0 CVSS exploitability score 10.0 confidentialityImpact COMPLETE integrityImpact COMPLETE availabilityImpact COMPLETE Details: Ease of Attack:

What To Look For

This rule will alert then there's an attempt to execute a potentially malicious .bat or .cmd file in the targeted IIS server

Known Usage

No public information

False Positives

No known false positives

Contributors

Talos research team. This document was generated from data supplied by the national vulnerability database, a product of the national institute of standards and technology. For more information see [nvd].

MITRE ATT&CK Framework

Tactic: Execution

Technique: User Execution

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

CVE

CVE-1999-0233 CVE-2002-0061 CVE-2019-0232

Additional Links

support.microsoft.com/support/kb/articles/Q148/1/88.asp

support.microsoft.com/support/kb/articles/Q155/0/56.asp

Rule Vulnerability

Command Injection

Command Injection attacks target applications that allow unsafe user-supplied input. Attackers transmit this input via forms, cookies, HTTP headers, etc. and exploit the applications permissions to execute system commands without injecting code.

CVE Additional Information

CVE-1999-0233

IIS 1.0 allows users to execute arbitrary commands using .bat or .cmd files.

Details
Severity	HIGH	Base Score	10.0
Impact Score	10.0	Exploit Score	10.0
Confidentiality Impact	COMPLETE	Integrity Impact	COMPLETE
Availability Impact	COMPLETE	Access Vector
Authentication	NONE	Ease of Access

CVE-2002-0061

Apache for Win32 before 1.3.24, and 2.0.x before 2.0.34-beta, allows remote attackers to execute arbitrary commands via shell metacharacters (a | pipe character) provided as arguments to batch (.bat) or .cmd scripts, which are sent unfiltered to the shell interpreter, typically cmd.exe.

Details
Severity	HIGH	Base Score	7.5
Impact Score	6.4	Exploit Score	10.0
Confidentiality Impact	PARTIAL	Integrity Impact	PARTIAL
Availability Impact	PARTIAL	Access Vector
Authentication	NONE	Ease of Access

CVE-2019-0232

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

Details
Severity		Base Score	8.1
Impact Score	5.9	Exploit Score	2.2
Confidentiality Impact	HIGH	Integrity Impact	HIGH
Availability Impact	HIGH	Attack Vector	NETWORK
Scope	UNCHANGED	User Interaction	NONE
Authentication		Ease of Access	HIGH
Privileges Required	NONE