An attacker can target file servers on an intranet using this security vulnerability. With the help of this security impact, a normal user can perform privilege escalation on Windows file server systems just by creating some fancy (not really) folders. To exploit this vulnerability, the user just needs to create special folders whose names contain regularly used commands such as ping, cd, md, etc.
Practical Approach:
Before digging into the vulnerability, let us understand what the SET command does in a Windows environment.
SET
Display, set, or remove CMD environment variables. Changes made with SET will remain only for the duration of the current CMD session.
Syntax
SET variable
SET variable=string
SET /A "variable=expression"
SET "variable="
SET /P variable=[promptString]
SET "
Key
variable : A new or existing environment variable name, e.g. _num
string : A text string to assign to the variable.
expression : An arithmetic expression.
Two new switches have been added to the SET command:
SET /A expression
SET /P variable=[promptString]
The /A switch specifies that the string to the right of the equal sign is a numerical expression that is evaluated. The expression evaluator is pretty simple and supports the following operations, in decreasing order of precedence:
() - grouping
! ~ - - unary operators
* / % - arithmetic operators
+ - - arithmetic operators
<< >> - logical shift
& - bitwise and
^ - bitwise exclusive or
| - bitwise or
Building Base
Now, if we want to see the value of the ANKIT environment variable, the command below can be given.
Now here comes the catch. Type the following command and see the result.
What actually happened here? Because we put & in ANKIT2's value, the shell takes the second half of that value as a command. So the first half of the value was echoed back in response to our command echo %ANKIT2%, but the second part was taken as a command, and the Windows command prompt tried to execute it; since "Mittal" is just a name, not a command, it could not be executed.
Here the command shell first expands the value of the ANKIT2 variable. Then it interprets the whole line, and the & character is treated as a command separator.
So, for example, if the value of A is set to B1&B2, it is denoted as
A=B1&B2
Now if we echo the value of A, it gives the results of two separate commands:
Command 1: Echo B1
Command 2: B2
Output 1: First command will echo back B1 in command shell.
Output 2: B2 will not be recognized as an internal or external command by the command shell.
Taking a step further
Now I am giving this command in the command shell as shown below:
Now we get the same result after giving the command below:
Here I executed the command in two ways:
1. By displaying environment variable value.
2. By assigning environment variable value to another variable.
Putting these together, it can be shown as in the picture below:
Technical Impact
With this vulnerability an attacker can modify and generate environment variables on the target machine, which might also result in direct execution of malware.
Problem 1
An attacker can only set environment variables for his/her own environment. Since he/she is not an administrator, he/she cannot set environment variables for another user or on another computer.
Solution
An attacker can set environment variables for other users too, by using %CD% together with directory names.
%CD% is a built-in environment variable whose task is to show the current directory path.
Let's refer to the picture below:
Here I am making a directory with the fancy name that I previously set in the ANKIT2 environment variable. I am also running the Dir command to make sure that the directory is created.
Now I am changing into that directory and running echo %CD% to check the behavior of the command shell.
As you can see, the current path is shown as chintan and then the ping command is executed in the command shell.
Problem 2
How do we make sure that another user browses the directory we created and runs echo %CD% at his/her end, without any social engineering techniques?
Obviously you cannot call the helpdesk and ask them, "Hey, can you please open a command shell, browse to this directory and run this command?"
Obviously not!!!
Try to think in a different way!! In our technical enterprise, what are the things we can exploit using this vulnerability? => File servers
These days everyone is moving to SharePoint and other document management systems, so file servers have become the second option for small and medium businesses. Also, the scripts used to handle file servers are more than 10 years old and rarely updated.
Consider a script that runs on a regular basis as part of a daily task; then all the hacker needs to do is create a directory with suspicious/malicious code in its name on that particular file server.
\\fileServer1\Share\ankit\chintan&malicious
Now all one has to do is create a malicious.bat file with the following script in it.
Net user administrator newpassword secretpass$%$
That is how file servers can be exploited.
Recommendation
It is simple: look through the code and wherever %CD% is used, just put double quotes (") around it, so the injected part won't be executed. This is the simple patch for that.
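As an added example (not code from the original post), the following Python models the expand-then-split behaviour described above for the A=B1&B2 case and turns the recommendation into an audit: it flags lines of a batch script that expand %CD% outside double quotes and lists share directory names that carry cmd metacharacters. The sample script, the directory names and the hostile path are constructed for the example.

```python
import re

# Constructed sample batch script (added here, not from the original post):
# line 4 expands %CD% unquoted, line 6 uses the quoted form the post recommends.
SAMPLE_SCRIPT = """@echo off
rem nightly cleanup job, run inside each user folder on the share
cd /d %1
echo Cleaning %CD%
del /q *.tmp
echo Cleaned "%CD%"
"""

CMD_META = set('&|<>')  # separators/redirections cmd.exe honours outside double quotes

def expand(template, cd):
    """Substitute the %CD% value into a command line, as cmd.exe does before parsing."""
    return template.replace('%CD%', cd)

def split_commands(line):
    """Simplified model of cmd.exe parsing: split an expanded line at '&'
    characters outside double quotes (caret escapes are not modelled)."""
    parts, buf, in_quotes = [], [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == '&' and not in_quotes:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return parts

def find_unquoted_expansions(script, var='CD'):
    """Audit helper: (line_no, line) for each script line where %var% is
    expanded outside double quotes, i.e. where the post's patch is missing."""
    pattern = re.compile('%' + re.escape(var) + '%', re.IGNORECASE)
    hits = []
    for no, line in enumerate(script.splitlines(), 1):
        for m in pattern.finditer(line):
            if line[:m.start()].count('"') % 2 == 0:  # even quote count: unquoted
                hits.append((no, line.strip()))
                break
    return hits

def risky_directory_names(names):
    """Share directory names containing cmd metacharacters: the names that would
    inject commands when a script expands %CD% unquoted."""
    return [n for n in names if CMD_META & set(n)]
```

The split model is a simplification of cmd.exe parsing, enough to show why the quoted form keeps the whole path inside one echo command while the unquoted form yields a second command.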
References
1. http://ss64.com/nt/set.html