Wednesday, 9 April 2014

Windows Vulnerability: binary hijacking via .cmd or .bat file


A remote code execution vulnerability exists in the way that Microsoft Windows processes .bat and .cmd files that are run from an external network.(MS14-019)

The vulnerability could allow remote code execution if a user runs specially crafted .bat and .cmd files from a trusted or semi-trusted network location. An attacker would have no way to force users to visit the network location or run the specially crafted files. Instead, an attacker would have to convince users to take such action.

For example, an attacker could trick users into clicking a link that takes them to the location of the attacker's specially crafted files and subsequently convince them to run them.

It is possible to hijack the cmd.exe with a copy present in the attacker controlled current working directory (CWD) of an affected application.

Command (.cmd) and batch (.bat) files can be directly provided as input to the CreateProcess as if it is an executable. CreateProcess uses the cmd.exe automatically to run the input .cmd or .bat.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Vulnerable Systems:

Microsoft Windows XP Service Pack 3 0
Microsoft Windows XP Professional x64 Edition SP2
Microsoft Windows Vista Service Pack 2 0
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2003 Itanium SP2
Microsoft Windows Server 2003 SP2
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 7 for 32-bit Systems SP1
A remote code execution vulnerability exists in the way that Microsoft Windows processes .bat and .cmd files that are run from an external network.(MS14-019)
The vulnerability could allow remote code execution if a user runs specially crafted .bat and .cmd files from a trusted or semi-trusted network location. An attacker would have no way to force users to visit the network location or run the specially crafted files. Instead, an attacker would have to convince users to take such action.
For example, an attacker could trick users into clicking a link that takes them to the location of the attacker's specially crafted files and subsequently convince them to run them.
It is possible to hijack the cmd.exe with a copy present in the attacker controlled current working directory (CWD) of an affected application.
Command (.cmd) and batch (.bat) files can be directly provided as input to the CreateProcess as if it is an executable. CreateProcess uses the cmd.exe automatically to run the input .cmd or .bat.
An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerable Systems:
Microsoft Windows XP Service Pack 3 0
Microsoft Windows XP Professional x64 Edition SP2
Microsoft Windows Vista Service Pack 2 0
Microsoft Windows Server 2008 R2 for x64-based Systems SP1
Microsoft Windows Server 2008 for x64-based Systems SP2
Microsoft Windows Server 2008 for Itanium-based Systems SP2
Microsoft Windows Server 2008 for 32-bit Systems SP2
Microsoft Windows Server 2003 Itanium SP2
Microsoft Windows Server 2003 SP2
Microsoft Windows 7 for x64-based Systems SP1
Microsoft Windows 7 for 32-bit Systems SP1
- See more at: http://www.cyberwarzone.com/windows-vulnerability-binary-hijacking-cmd-or-bat-file#sthash.0hnSE5KV.dpuf

No comments:

Post a Comment