Command Injection/Elevation – Environment Variables Revisited
Windows environment variables can be used to run commands and can also be used to bypass UAC, allowing an attacker with limited privileges to take complete control of the system. The technique leverages a rather unusual scenario within the Windows OS.
This is a continuation of our research as described in a previous post: Elastic Boundaries – Elevating Privileges by Environment Variables Expansion. (enSilo does a great deal of research to continually improve our endpoint protection software.)
Background and Research Basis
In our last post on this topic, we demonstrated that changing a location referred to by environment variables can divert file operations from a legitimate path to a possibly malicious one. Looking through the registry suggests further scenarios and possibilities for environment variable expansion (ab)use. Let’s continue from where we left off last time.
Scenario 6: Command Injection
If a command contains an environment variable, it can be expanded into multiple executable commands.
An attacker can set up commands that will be executed when a different, unrelated file is opened or otherwise accessed.
A regular text file (.txt) opens with notepad.exe. The command to open such a file is:
Effectively running this command:
Now, by using this command:
setx SystemRoot "C:\Windows\System32\cmd.exe && C:\Windows"
The resulting line changes to:
C:\Windows\System32\cmd.exe && C:\Windows\System32\NOTEPAD.EXE <filename.txt>
This opens a command window before Notepad is called.
"&&" means Notepad will run after the injected command exits, and only if it succeeds.
There are other operators that could be used here instead.
A command string, containing environment variables
Scenario 7: Parameter Manipulation
The Windows registry contains commands that parse and expand a string containing multiple percent signs ('%').
A parameter string, vulnerable to fake variable expansion
Anything between two percent signs is considered an environment variable and could be expanded as one.
An attacker can set an environment variable-like string to be expanded by Windows, manipulating command parameters.
Setting an environment variable named 1", (the digit 1, a double quote and a comma) and pointing it to any DLL file. Quote symbols must be escaped:
setx "1\"," "C:\Temp\evil.dll\","
Running any .cpl file on the system will run evil.dll instead.
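As an added example from the defender's side (this is not code from the original post), the following Python audit expands a REG_EXPAND_SZ-style command template and flags both problems described in Scenario 6 and Scenario 7: a variable whose value carries command separators, and a token between two percent signs that is not a plausible variable name. The command templates, the placeholder name viewer.exe and the environments are constructed for the example; expand approximates the Windows rule that an undefined %NAME% stays literal.

```python
import re
from typing import Dict, List, Set, Tuple

# Operators cmd.exe treats as command separators; the post's injection uses "&&".
SEPARATORS = ("&&", "||", "|", "&")

# Heuristic for a plausible variable name: letters, digits, underscore, parentheses
# (as in ProgramFiles(x86)). Anything else between two percent signs is suspect.
PLAUSIBLE_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_()]*$")


def expand(template: str, env: Dict[str, str]) -> Tuple[str, List[str]]:
    """Approximate ExpandEnvironmentStrings: %NAME% is replaced (case-insensitively)
    when NAME is defined and left literal otherwise. Also return every NAME the
    scanner saw between two percent signs, so a caller can audit what counts as one."""
    lookup = {k.lower(): v for k, v in env.items()}
    out: List[str] = []
    names: List[str] = []
    i = 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        j = template.find("%", i + 1)
        if j == -1:  # lone percent sign, e.g. a trailing "%1" placeholder
            out.append(template[i:])
            break
        name = template[i + 1:j]
        names.append(name)
        out.append(lookup.get(name.lower(), template[i:j + 1]))
        i = j + 1
    return "".join(out), names


def separators_in(text: str) -> Set[str]:
    return {sep for sep in SEPARATORS if sep in text}


def audit(template: str, env: Dict[str, str]) -> List[str]:
    """Human-readable findings for one command template under one environment."""
    findings: List[str] = []
    lookup = {k.lower(): v for k, v in env.items()}
    expanded, names = expand(template, env)
    for name in names:
        if not PLAUSIBLE_NAME.match(name):
            state = "is" if name.lower() in lookup else "would be"
            findings.append(f"fake-variable token %{name}%: parameter text {state} "
                            f"replaced by a variable of that name")
        elif separators_in(lookup.get(name.lower(), "")):
            findings.append(f"variable {name} carries command separators: "
                            f"{lookup[name.lower()]!r}")
    gained = separators_in(expanded) - separators_in(template)
    if gained:
        findings.append(f"expansion introduces {sorted(gained)}: {expanded!r}")
    return findings


# Constructed samples: a notepad command in the shape of Scenario 6 and a .cpl-style
# command in the shape Scenario 7 describes (viewer.exe is a placeholder name).
TXT_COMMAND = r'%SystemRoot%\system32\NOTEPAD.EXE %1'
CPL_COMMAND = r'%SystemRoot%\System32\viewer.exe "%1",%*'
CLEAN_ENV = {"SystemRoot": r"C:\Windows"}
INJECTED_ENV = {"SystemRoot": r"C:\Windows\System32\cmd.exe && C:\Windows"}
FAKE_VAR_ENV = {"SystemRoot": r"C:\Windows", '1",': r'C:\Temp\evil.dll",'}

if __name__ == "__main__":
    for label, template, env in [("txt/clean", TXT_COMMAND, CLEAN_ENV),
                                 ("txt/injected", TXT_COMMAND, INJECTED_ENV),
                                 ("cpl/clean", CPL_COMMAND, CLEAN_ENV),
                                 ("cpl/fake-var", CPL_COMMAND, FAKE_VAR_ENV)]:
        print(label, expand(template, env)[0])
        for finding in audit(template, env):
            print("   ", finding)
```

Note that the .cpl-style template is reported even under a clean environment: the token check flags the shape of the string, which is what makes it vulnerable, whether or not a variable named 1", happens to exist at the moment of the audit.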
Scenario 8: Elevation using environment variables expansion. Again.
Right-clicking “My Computer” (or “This PC”, on Windows 10) and choosing “Manage” from the context menu causes the “Computer Management” console to open with elevated privileges and without showing the UAC prompt.
Behind the scenes, this behavior is defined by the verb “Manage” of the computer item’s class, as can be seen in the registry at this path:
The value for this key is:
CompMgmtLauncher.exe runs with elevated privileges.
An attacker can take control of this command by setting SystemRoot and gain elevated privileges.
Failure. Our assumption is incorrect at this point. Changing the path did cause a different executable to launch instead of CompMgmtLauncher.exe, but it ran with medium integrity (i.e., not elevated).
So, what does CompMgmtLauncher.exe do to achieve elevated status?
CompMgmtLauncher.exe actually runs another link in the chain – a .lnk file, found in the Start Menu’s Administrative Tools folder:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Computer Management.lnk
This link file points to the already familiar mmc.exe in Windows\System32, giving it an argument in the form of a .msc file, specifically compmgmt.msc.
It appears that running mmc.exe by itself shows the UAC prompt, but running it with some specific .msc files does not.
CompMgmtLauncher.exe runs the file that the .lnk file points to with elevated privileges.
An attacker can control the target of the .lnk file and bypass UAC.
Failure. Not quite there yet. Writing to the directory and over the .lnk file requires high integrity to begin with.
The folder of interest is referenced by two environment variables:
CompMgmtLauncher.exe uses one of these variables to access the .lnk file.
An attacker can change one or both of the mentioned environment variables and gain control over the called .lnk file.
- Set ProgramData to point to a directory other than C:\ProgramData
- Create the correct directory tree: Microsoft\Windows\Start Menu\Programs\Administrative Tools
- Create a link (.lnk) that points to a string containing a command
- Call "Manage" on "My Computer"/"This PC", or run CompMgmtLauncher.exe
Elevated command window using CompMgmtLauncher
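As an added example from the defender's side (not code from the original post), the following Python audit targets the condition Scenario 8 depends on: a user-scope environment value, such as the one setx writes to HKCU\Environment, shadowing the system-scope value kept under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment. It merges the two scopes the way a user session sees them, reports every user-scope override of a system variable, and checks where Computer Management.lnk would resolve through %ProgramData%. The registry contents are constructed dictionaries, and the assumption that the link is reached via ProgramData rather than ALLUSERSPROFILE follows the steps listed above.

```python
import ntpath
from typing import Dict, List, Optional, Tuple

# Variables the post shows being redirected; a user-scope copy of any of them is a red flag.
SENSITIVE = {"systemroot", "programdata", "allusersprofile"}

# Path CompMgmtLauncher.exe resolves through %ProgramData% (taken from the post).
LNK_TEMPLATE = (r"%ProgramData%\Microsoft\Windows\Start Menu\Programs"
                r"\Administrative Tools\Computer Management.lnk")


def value_of(env: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since Windows variable names are case-insensitive."""
    for key, value in env.items():
        if key.lower() == name.lower():
            return value
    return None


def effective_env(system_env: Dict[str, str], user_env: Dict[str, str]) -> Dict[str, str]:
    """Merge the two scopes as a user session sees them: a user-scope value replaces
    the system-scope value of the same name, except Path, which is appended."""
    merged = dict(system_env)
    index = {k.lower(): k for k in merged}
    for name, value in user_env.items():
        key = index.get(name.lower(), name)
        if name.lower() == "path" and key in merged:
            merged[key] = merged[key].rstrip(";") + ";" + value
        else:
            merged[key] = value
            index[name.lower()] = key
    return merged


def shadowed(system_env: Dict[str, str], user_env: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(name, system_value, user_value) for each user-scope override of a system variable."""
    index = {k.lower(): k for k in system_env}
    result: List[Tuple[str, str, str]] = []
    for name, value in user_env.items():
        key = index.get(name.lower())
        if key is not None and name.lower() != "path" and system_env[key] != value:
            result.append((key, system_env[key], value))
    return result


def is_under(path: str, root: str) -> bool:
    """True when path lies strictly inside root, compared case-insensitively."""
    def norm(p: str) -> str:
        return ntpath.normcase(ntpath.normpath(p))
    return norm(path).startswith(norm(root) + "\\")


def resolve_lnk(env: Dict[str, str]) -> Optional[str]:
    program_data = value_of(env, "ProgramData")
    if program_data is None:
        return None
    return LNK_TEMPLATE.replace("%ProgramData%", program_data)


def audit(system_env: Dict[str, str], user_env: Dict[str, str],
          expected_programdata: str = r"C:\ProgramData") -> List[str]:
    findings: List[str] = []
    for name, sys_val, usr_val in shadowed(system_env, user_env):
        level = "HIGH" if name.lower() in SENSITIVE else "info"
        findings.append(f"[{level}] user scope overrides {name}: "
                        f"system={sys_val!r} user={usr_val!r}")
    lnk = resolve_lnk(effective_env(system_env, user_env))
    if lnk is None or not is_under(lnk, expected_programdata):
        findings.append(f"[HIGH] Computer Management.lnk resolves outside "
                        f"{expected_programdata}: {lnk!r}")
    return findings


# Constructed samples standing in for the system and user Environment keys.
SYSTEM_ENV = {"SystemRoot": r"C:\Windows", "ProgramData": r"C:\ProgramData",
              "ALLUSERSPROFILE": r"C:\ProgramData", "Path": r"C:\Windows\system32;C:\Windows"}
CLEAN_USER_ENV = {"TEMP": r"C:\Users\alice\AppData\Local\Temp", "Path": r"C:\Users\alice\bin"}
REDIRECTED_USER_ENV = {"ProgramData": r"C:\Users\alice\redirected"}  # the post's step 1

if __name__ == "__main__":
    for label, user_env in [("clean", CLEAN_USER_ENV), ("redirected", REDIRECTED_USER_ENV)]:
        print(label, audit(SYSTEM_ENV, user_env) or ["no findings"])
```

On a live host the two dictionaries would be read from the registry keys named in the lead-in; the comparison logic does not change, and the "[HIGH]" findings are the ones worth an alert, since a medium-integrity process can write the user-scope key.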
Conclusion and Thoughts
The methods described here are not surprising news given previous findings. They also rely on an attacker having some access to the machine and possessing some privileges to initiate an attack. Nevertheless, environment variables can aid attackers in compromising a system and they provide some meaningful additions to their toolset.
The images in the post are taken from a machine running Windows 7 32-bit. The methods have been tested on Windows 7 and Windows 10, both 32 and 64 bit versions and require no adjustments.
There is still a lot more research to be conducted on the matter, on Windows and other operating systems.
enSilo offers the endpoint protection that you need.