this post was submitted on 10 Apr 2024
26 points (96.4% liked)

Security

674 readers
5 users here now

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules :

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
top 15 comments
sorted by: hot top controversial new old
[–] onlinepersona 8 points 7 months ago (1 children)

CreateProcess spawns cmd.exe even when that isn't asked? I find that... a little insane.

Anti Commercial AI thingyCC BY-NC-SA 4.0

[–] Lmaydev 5 points 7 months ago (1 children)

Seems like an ancient hack to allow bat files to be run via that function.

I expect windows is full of stuff like that.

[–] onlinepersona 3 points 7 months ago (1 children)

Yeah, backwards compatibility is good when it isn't a security issue.

Anti Commercial AI thingyCC BY-NC-SA 4.0

Inserted with a keystroke running this script on linux with X11

#!/usr/bin/env nix-shell
#!nix-shell -i bash --packages xautomation xclip

sleep 0.2
(echo '
spoiler Anti Commercial AI thingy [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/) Inserted with a keystroke running this script on linux with X11 ```bash' cat "$0" echo '``` :::') | xclip -selection clipboard xte "keydown Control_L" "key V" "keyup Control_L"

:::

[–] [email protected] 4 points 7 months ago* (last edited 7 months ago) (1 children)

I can barely live with that licence thingy, but don't paste that tutorial into your comment ffs.

[–] onlinepersona -3 points 7 months ago* (last edited 7 months ago) (1 children)

I've gotten the question often enough about why and how. You don't have to open it 🤷

Anti Commercial AI thingyCC BY-NC-SA 4.0

Inserted with a keystroke running this script on linux with X11

#!/usr/bin/env nix-shell
#!nix-shell -i bash --packages xautomation xclip

sleep 0.2
(echo '
spoiler Anti Commercial AI thingy [CC BY-NC-SA 4.0](https://creativecommons.org/licenses/by-nc-sa/4.0/) Inserted with a keystroke running this script on linux with X11 ```bash' cat "$0" echo '``` :::') | xclip -selection clipboard xte "keydown Control_L" "key V" "keyup Control_L"

:::

[–] [email protected] 3 points 7 months ago (1 children)

Seems like my client doesn't show it as a drop-down I thought it was like the reddit spoiler that where the same size but blacked out. Sorry.

[–] onlinepersona 1 points 7 months ago

Bad client! Bad! *wags finger*

[–] [email protected] 6 points 7 months ago

Not a fan of the name 🤷‍♀️

[–] [email protected] 2 points 7 months ago (2 children)

i’m not understanding how this is supposed to be so severe. if an attacker has the ability to change the arguments to a CreateProcess call, aren’t you hosed already? they could just change it to invoke any command or batch file they wanted.

[–] FizzyOrange 4 points 7 months ago (1 children)

You wouldn't be hosed on Linux for example. Note that this applies to the arguments to the program, not just the program itself.

In other words if I do run(["echo", untrusted_input]) it would be totally fine on Linux.

[–] [email protected] -2 points 7 months ago (1 children)

honestly i wouldn’t trust your linux example at all, what happens with run([“echo”, “&& rm -rf /“])

[–] arendjr 5 points 7 months ago

It would print “&& rm -rf /“ and nothing bad would happen.

[–] arendjr 3 points 7 months ago (1 children)

That’s entirely dependent on the application. In many cases the command would be hard-coded in the application, in which case you’re right. But some applications have good reasons to pass user-supplied arguments to scripts. Imagine a case where an application generates PDFs through a batch script, for instance. It might make sense to let users specify the filename, but then it does need proper escaping. In such a case it’s a huge risk if it turns out the escaping rules suddenly changed because Windows silently invoked cmd.exe under the hood.

[–] [email protected] -2 points 7 months ago (1 children)

even in your hypothetical of a file name passed in through the args, either the attacker has enough access to run said tool with whatever args they want, or, they have taken over that process and can inject whatever args they want.

either attack vector requires a prior breach of the system. you’re owned either way.

the only way this actually works as an exploit is if there are poorly written services out there that blindly call through to CreateProcess that take in user sourced input without any sanitization, which if you’re doing that then no duh you’re gonna have a bad time.

cmd.exe is always going to be invoked if you’re executing a batch script, it’s literally the interpreter for .bat files. the issue is, as usual, code that might be blindly taking user input and not even bothering to sanitize it before using it.

[–] arendjr 3 points 7 months ago

take in user sourced input without any sanitization

But that’s exactly the problem: these applications were sanitizing the input using the APIs provided by their language standard libraries. Except that sanitization proved insufficient because the requirements for sanitization differ greatly when the command is interpreted by cmd.exe as opposed to running regular executables. This is such a big footgun in the Windows API that it was overlooked by seemingly every major programming language implementation out there.