Cmd Hijack – a command/argument confusion with path traversal in cmd.exe

From hackingiscool.pl

This one is about an interesting behavior ðŸ¤­ I identified in cmd.exe in result of many weeks of intermittent (private time, every now and then) research in pursuit of some new OS Command Injection attack vectors.

So I was mostly trying to:

  • find an encoding missmatch between some command check/sanitization code and the rest of the program, allowing to smuggle the ASCII version of the existing command separators in the second byte of a wide char (for a moment I believed I had it in the StripQuotes function – I was wrong ¯\(ツ)/¯),
  • discover some hidden cmd.exe’s counterpart of the unix shells’ backtick operator,
  • find a command separator alternative to |, & and \n – which long ago resulted in the discovery of an interesting and still alive, but very rarely occurring vulnerability – https://vuldb.com/?id.93602.

Read more…