Threat Level: green Handler on Duty: Russ McRee

SANS ISC: Help eliminate unquoted path vulnerabilities - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Help eliminate unquoted path vulnerabilities

Metasploit’s “Service Trusted Path Privilege Escalation” exploit takes advantage of unquoted service paths vulnerability outline in CVE-2005-1185, CVE=2005-2938 and CVE-2000-1128.    The vulnerability takes advantage of the way Windows parses directory paths to execute code.   Consider the following command line.

C:\windows\system32\notepad \temp\file.txt

This tells windows to launch notepad.exe from the c:\windows\system32\ directory and pass it the argument \temp\file.txt.    The result is notepad.exe will execute and begin editing file.txt from the temp directory.    How does Window’s differentiate between the program and the arguments?  The SPACE is used as a delimiter between the program to execute and the arguments.   Now consider this command line.

C:\program files\Microsoft Office\Winword.exe

If space is used as a delimiter, wouldn’t Windows think you are trying to execute the program  C:\PROGRAM.EXE and pass it the argument “files\Microsoft Office\Winword.exe”?    Or maybe you are trying to execute “C:\Program files\Microsoft.exe” and pass it the argument “Office\Winword.exe”?  So how does it know what you are trying to do?    If the software developer places quotation marks around the path then Windows knows the spaces are spaces and not delimiters.   If the software developer fails to put the path in quotes then Windows just doesn’t know.  If Windows doesn’t know then it tries to execute all the possible programs in the path.  First it tries “C:\Program.exe”,   Then, it tries “C:\Program files\Microsoft.exe” and finally the path we intended for it to execute.    

This programming error is very common because when a developer is addressing paths on the file system they are usually stored in strings.   Because they are in strings the developer has used quotes once already and they often fail to consider that they need two sets of quotes.  For example, the following line would incorrectly assign the path variable.

pathvariable = “C:\Program Files\Common Files\Java\Java Update\jusched.exe”

Really, the developer needs to double quote it because they need the path to contain quotes.  So they should have assigned their variable by doing something like this:

pathvariable = “\\”C:\Program Files\Common Files\Java\Java Update\jusched.exe\\””

In the first case, an attacker can strategically place a program in the path and his program will be executed instead of the intended program.   If the process runs under administrative privileges or some account other than the attacker it can be used to cause code to execute under a different set of privileges.  

We have known about these types of vulnerabilities for 12 years now.  So much so, that if you create a file called c:\program.exe Windows will generate this pop up when you reboot the machine.

With such an old vulnerability, surely very few programs suffer from this problem, right?  You might be surprised at how often this vulnerability occurs.     So let’s start fixing it!    This is an easy problem to identify.    Here are some steps you can follow to identify applications that fail to quote their file paths directly.    Then you can help fix this by contacting the vendor to have them fix these issues.

First you need to copy any existing executable and create a program named c:\program.exe.   For example, take a copy of calc.exe and name it c:\program.exe.   Then make a copy of calc.exe named c:\program files\common.exe.  Last, create a copy of calc.exe called c:\documents.exe.    Then go about your business and use your computer as you normally would.    Sometime while you are running normal applications they will accidently launch the renamed calc.exe.   System reboots, services and scheduled tasks may trigger calculator.    Whatever the cause, eventually you will likely run a vulnerable program and it will launch the application on your computer.   Several days may transpire between the time you create the files and the time they are executed.   Remember you did this when you have strange copies of calc.exe spontaneously launching on your computer.   Once one your copy of calculator executes, first find out which one of your calc.exe programs launched and who launched it.    Use WMIC to query which copy of your calculator is running like this.

Here you can see this query for “program.exe” returns the command line that was executed when our executable launched.   This program failed to properly quote the system paths and launched your renamed program.    Often times you may be able to identify the vendor responsible for the software from just the command line that launched your program.     But often times it is also useful to know the parent process that launched the command line that started your program.   To find out what program launched the unquoted path we use the following commands.



There you go bug hunter.  You found a 0-Day vulnerability!  Now notify the vendor so they can patch it and keep everyone safe.  While you are at it you can notify us if you would like.

Join me in San Antonio Texas November 27th for SANS 504 Hacker Techniques, Exploits and Incident Response!  Register Today!!

Follow me on Twitter @MarkBaggett
Mark Baggett

Update: Here are some additional references.  Thanks to altonius for the links and

http://blakhal0.blogspot.com/2012/08/hiding-files-by-exploiting-spaces-in.html

http://xato.net/hardening/the-programexe-problem/

http://www.commonexploits.com/?p=658

Mark

81 Posts
ISC Handler
but if "In the first case, an attacker can strategically place a program in the path and his program will be executed instead of the intended program." aren't all bets off anyway? As I see it, the attacker being able to place any program anywhere is the bigger vulnerability.
Greg

25 Posts Posts
This vulnerability is used to either persist malware on the remote host or for a privilege escalation exploit. Certainly, as you point out, you don't want the attackers to be able to put anything on your hard drive. But an attacker uses this vulnerability to do things like this. metasploit.com/modules/exploit/windows/local/…

Thanks.
Mark

81 Posts Posts
ISC Handler
This problem wouldn't exist if that flawed trial-and-error logic wasn't applied to begin with.Developers wouldn't be able to use unquoted paths since it just wouldn't work. With the current model unquoted paths works 99.99% of the times during development and QA.
Anonymous

Posts
Thanks for the useful suggestion. I tried it and had a calc window pop up almost immediately. I'll point the responsible vendor to your article.
John

13 Posts Posts
In my profile root folder I have a copy of notepad.exe renamed to rundll32.exe, and on my desktop I have a copy of calc.exe also renamed to rundll32.exe. This leads to surprising and interesting results.

For example, if I right-click on my (XP SP3) desktop an choose "New" then "Shortcut", notepad starts.

Note: in registry key "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\" I have the value "CWDIllegalInDllSearch" set to 0xFFFFFFFF, which helps to prevent some "path" related vulnerabilities, but may cause existing applications to fail.

@G: agreed, applications such as web browsers should not drop binaries in unexpected directories. However such vulnerabilities have existed and may still exist. For example, Apple had to be convinced that dropping binaries on the users desktop was not a good idea (Google: safari carpet bomb).
Erik van Straten

122 Posts Posts
Default NTFS permissions for a new volume allow new files and folders to be created by unelevated users at the root, such as your C:\Program.exe. We mitigate against this on our system images by removing those special permissions on the C: volume, which also prevents users from saving data outside their profile or installing software without administrative rights.
Anonymous

Posts
I am missing something. Doesn't this just tell you what was invoked, not what does the invoking? For instance, I got a hit on "C:\Program Files (x86)\Java\jre7\bin\java.exe -D__jvm_launched=<snip>". Ok great, but I don't know which process tried to start Java. Isn't that where the unquoted string lies, not in Java?
jbmartin6

20 Posts Posts
ha ha ignore that, I didn't make it all the way to the bottom of the diary
jbmartin6

20 Posts Posts
Also take a look over at http://www.commonexploits.com/?p=658 to see an article on how to quickly identify services that may be affected. Found a couple of common hardware manufacturers services that use unquoted paths for their services.
Anonymous

Posts
Altonious. Thanks for that link. That is an excellent post. There is another really good post on the internet as well that talks about using this technique for malware persistence. I saw it about a month or so ago and it inspired this blog post. I tried to find that blog to give them credit, but haven't been able to find it. I remember the blog author started out by lamenting over the fact that this was a new attack to him even though it had been around for a while. If anyone knows a link to that other blog please post it in the comments. I'd like to give them some credit.
Mark

81 Posts Posts
ISC Handler
is this the article?

http://xato.net/hardening/the-programexe-problem/
Anonymous

Posts
Altonius, Nope. Thanks. BUT I did stumble back upon it when I was looking at the links you sent me. Thanks so much for the links. I probably wouldn't have found this again without you. I saw the following blog back in September and it made me think about this again. Id like to give them some credit for inspiring the diary. (I'll update the blog)

blakhal0.blogspot.com/2012/08/…

Like I said this has been around for 12 years so there are probably lots of other great blogs about the same problem. We had dozens of people report vulnerable programs to the ISC. They included Anti-Malware products, Patch Management / Software Deployment products, Authentication Systems (all of which ran as SYSTEM). We had others report software from HP, Dell, Cisco, Microsoft, Synaptic and more. The good news is all of the ISC reader are repoting the issues to the vendors so HOPEFULLY we did a good thing and closed some holes. Keep up the good work!
Mark

81 Posts Posts
ISC Handler
When I lock my machine, Calc.exe is run, terminates after a second or two, and relaunches forever. Not sure if MS code is causing tyhis, or non-MS code is running when the screen is locked.
I do use a wacom tablet with an unquoted path in the service.
Povl H.

70 Posts Posts
Windows 7 Explorer keeps launching program.exe for me. Major bug in Windows.

Microsoft should prevent .exe files with the same name as a prefix of a directory name.

C:\Users\xxx>wmic process where name="program.exe" get processid
ProcessId
6644


C:\Users\xxx>wmic process where name="program.exe" get parentprocessid
ParentProcessId
4420


C:\Users\xxx>wmic process where name="program.exe" get processid
ProcessId
4720


C:\Users\xxx>wmic process where name="program.exe" get parentprocessid
ParentProcessId
4420


C:\Users\xxx>wmic process where processid=4420 get commandline
CommandLine
C:\Windows\Explorer.EXE

Povl H.

70 Posts Posts
Remember that you can use Process Explorer to visually see which program is running where and who launched it.
Anonymous

Posts
It would be really nice to have an executable that would run the two WMIC queries and log the results, rather than having to look for extraneous calc.exe instances. I may take this up if I have time.

Or, to make things easier... does this technique only run executables, or would C:\Program.bat also run?
Anonymous

Posts
Is this exploit present in other OSs?
Sassan

4 Posts Posts
> Is this exploit present in other OSs?

Short answer: YES (remember Carl Sagan saying "billions-and-billions")

Long answer: NO (but only after you've exhaustively proved there is no possible 'YES' answer).

It's an easy question to ask, but almost impossible to give a complete & correct answer, until you:

(1) list all operating systems (including those embedded in your parallel-parking-assisted Ford automobile);

(2) list all versions and releases of each operating system;

(3) obtain "administrator" access, to plant the equivalent of 'C:\PROGRAM.EXE';

(4) reboot the operating system;

(5) record/summarize and then "responsibly-report" each vulnerable operating system.

Danish King Canute thought that he was powerful-enough to stop the incoming tide, until he was proved to be wrong. :-)
Anonymous

Posts
A MS provided solution, https://gallery.technet.microsoft.com/scriptcenter/Windows-Unquoted-Service-190f0341
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!