Subtle ways your innocent program can be Internet-facing


Last time, we left off with a promise to discuss ways your program can be Internet-facing without your even realizing it, and probably the most common place for this is the command line. Thanks to CIFS, files can be shared across the Internet and accessed via UNC notation. This means that anybody can set up a CIFS server and create files like \\server.example.com\some\file.ext, and they will look to the world like a file on a file server somewhere (because that is, in fact, what it is). When you double-click it, you're launching the document.

And that's where the command line attack comes from. Suppose your program is a handler for a file association. Say, your program is litware.exe and it is the registered handler for .LIT files. The attacker just has to create a file called \\server.example.com\some\path\target.lit and induce the user into double-clicking it. Once that's done, your program will be run with the command line you registered, which will probably be

"C:\Program Files\Litsoft\litware.exe" \\server.example.com\some\path\target.lit

Notice that the attacker controls the path. This means that if you have a bug in your command line parser, the attacker can exploit it.

Code injection via the command line is an elevation of privilege.

Note that this extends beyond merely extra-long file names. If you registered your verb incorrectly by forgetting to put quotation marks around the file name insertion %1, the attacker can hatch a file with an odd name like \\server.example.com\strange -uninstall path.lit. The resulting command line is therefore

"C:\Program Files\Litsoft\litware.exe" \\server.example.com\strange -uninstall path.lit

Your parser then breaks the command line up into words and interprets this command line as having three parts:

  • The file \\server.example.com\strange
  • The command line switch -uninstall
  • The file path.lit.

The program then tries to load the file \\server.example.com\strange and fails, possibly displaying an error message, then it uninstalls itself, and then tries (and fails) to load the file path.lit. End result: The user gets two strange error messages and the program is uninstalled.

Of course, the attacker also controls the contents of the file, so any vulnerabilities in your file parser can be exploited as well.

Code injection via file contents is an elevation of privilege.

If you write a shell extension, your extension will run if the user activates it on the remote file. For example, if you have a context menu extension, it will be instantiated and initialized with the remote file as the data object. Many context menu extensions contain buffer overflow bugs in the way they mishandle the names of the files that the user right-clicked on. (Notice that I said "names"—plural. The user might multi-select files and right-click on them.) For example, a certain shareware file archival program responds to the GCS_HELPTEXT request by taking the names of all the files and combining them into the message "Add the files A, B, C, D, and E to the archive." Unfortunately, when the names A, B, C, D, and E are very long, an exploitable buffer overrun occurs.

Code injection triggered by file name length is an elevation of privilege.

Just because your program doesn't contact the Internet explicitly doesn't mean it's safe from Internet-based attacks.

Comments (26)
  1. Raymond,

     How did the attacker (on a server over the internet) get the user to execute the verb.

     You examples seem like special cases of the "if you can run a program in the context of the user, it’s not an elevation of privilege".

     I see how this could be turned into an exploit by the right content (a .pif file downloaded from the internet) but there has to be user intervention involved somewhere.

  2. oldnewthing says:

    You can (1) use deception, or (2) rely on users’ belief that "Oh, I’m not running an untrusted program, I’m just opening a document."

  3. Alun Jones says:

    The ‘spaces in the file name’ trick is common in other operating systems, too, and surprisingly is better handled by most Windows developers than it is on other platforms!  OS X ran into considerable problems when it came out, because most Unix script authors were unused to dealing with spaces in file names, but most Mac users loved to put spaces there.

    One trick I use to increase my chance of catching these errors is to have a couple of directories called "Program" and "Documents" in the root of my C drive, and remove all my rights to them.  Then I get an error any time a "C:Program Files" or "C:Documents and Settings" path gets executed incorrectly.

    It’s not a 100% guarantee, but it does catch a few programs.

  4. MichaelGiagnocavo says:

    If you can use deception, what’s to say you can’t deceive a user into typing an arbitrary string into an arbitrary dialog causing a code injection? Like "To win many dollars, copy and paste this string into XYZ App’s options menu."

    Just like visiting a "malicious webpage" by getting them to click a URL, you’re tricking a user to perform an action that does something malicious, unexpectedly.

  5. Stu says:

    Since when are programs combined with their uninstallers!?

    Ok, I have seen malware do it, but I’m pretty sure I’ve NEVER seen an (legitimate) application that uninstalls on a command-line flag.

    And anyway, this is Windows we’re talking about, it should be "/uninstall" not "-uninstall".

    In fact "-uninstall" wouldn’t even be normal on a UNIX system, it’d be "-u" or "–unistall".

  6. Raymond Chen says:

    That was just a hypothetical "bad thing" you can do from the command line. I leave your imagination to come up with more likely "bad things". Fancy text editors for example are rich targets.

  7. Sjoerd Verweij says:

    Why do something as uninteresting as uninstalling?

    Why not pass the program the following file name:

    && del /q c:windowssystem32

  8. Sjoerd Verweij says:

    Forget what I said — && only works in the context of cmd.exe.

  9. Maurits says:

    people have been persuaded to delete an oddly named file with a funny looking icon, not realising that it’s an important system file.

    Ahhh!!! The Teddy Bear virus has infected my computer!!!

  10. Maurits says:

    For a nasty command line, how about xcopying a bunch of files together (cookies, SAM, *.doc) and tftp-ing the result to an internet server?

  11. ken lubar says:

    I’ve never understood why users have execute access to their own directories.  It seems to me that only specified directories (like programs) should have execute rights.  There is no reason why a user should be able to run a .exe in their own direcory.  However, the execute and transvers rights are overlayed so it’s difficult to remove execute rights without blocking access to the directory (oddly the same is true on unix/linux).

  12. Maurits says:

    why users have execute access to their own directories

    So that the computer science students can do their homework without being able to root the SSH server :)

  13. Norman Diamond says:

    Tuesday, May 09, 2006 10:33 AM by LarryOsterman

    > How did the attacker (on a server over the

    > internet) get the user to execute the verb.

    […]

    > there has to be user intervention involved

    > somewhere.

    Maybe there has to be user intervention involved in configuring Outlook Express to display its preview pane, but historically the preview pane was on by default.

    With Internet Explorer it still seems to be possible.  A user might visit a trusted site that they’ve been visiting for years, and neither the user nor the site’s owner knows that either:

    (1) the site was infected 5 minutes earlier or

    (2) one of the Google advertisements on the site delivers infection to the user via the contents that the advertisement brings in from a third site.

    Tuesday, May 09, 2006 12:14 PM by Stu

    > Since when are programs combined with their

    > uninstallers!?

    You might be right on that, maybe only DLLs are combined with their uninstallers.

    > And anyway, this is Windows we’re talking

    > about, it should be "/uninstall" not

    > "-uninstall".

    This is Windows we’re talking about, where a ton of programs recognize hyphens as option flags and some programs are even documented as doing so.

  14. Anony Moose says:

    The worst thing about geeks and nerds is their pedantry – some people are biologically incapable of recognising a hypothetical example if it slaps them in the face.

    Also, oddly enough, it’s not unheard of for multiple minor security holes to add up to one big hole. Even if "maybe" the hole is only accessable to people who have already broken in, there’s still a reasonable chance that one other little hole will give them just enough access to attack the second hole and then have full control.

    There’s nothing "special case" here. If I run a file server I can *not* run a program in the context of the user, but I can take advantage of flaws in the program that will allow me to inject code if they read data from my server. Therefoer I have had my priviledges elevated from "provide data" to "change the code that is being executed".

    Besides, "click here to see the dancing bunnies" is a lot easier than persuading people to format their own hard drive. Although, having said that, people have been persuaded to delete an oddly named file with a funny looking icon, not realising that it’s an important system file.   ;)    It’s strange, but people who can’t follow instructions to "click on the start menu" when talking to tech support are still capable of deleting system files, as long as they shouldn’t. People are weird.

  15. mikeb says:

    Tuesday, May 09, 2006 10:18 PM by Norman Diamond

    >> Tuesday, May 09, 2006 10:33 AM by LarryOsterman

    >> How did the attacker (on a server over the

    >> internet) get the user to execute the verb.

    […]

    >> there has to be user intervention involved

    >> somewhere.

    […]

    > (2) one of the Google advertisements on the site

    > delivers infection to the user via the contents

    > that the advertisement brings in from a third site.

    An excellent example, Norman. This is otherwise known as a Cross Site Scripting attack (CSS) which is quite common and very much exploited when discovered.

    > Tuesday, May 09, 2006 12:14 PM by Stu

    >> Since when are programs combined with their

    >> uninstallers!?

    As Raymond mentions, the -uninstall option is just a ‘proof of concept’ example.

    Surely, there are many things that can be imagined to be malicious that can be invoked from the command line of a number of programs.

    As an example, a number of Unix/Linux/GNU/whatever programs have a ‘special option’ (‘–‘) that tells the program that anything following should not be considered an option.  From that point, something that starts with a ‘-‘ is considered a filename, not an option. This helps prevent exactly the types of attacks that Raymond is discussing.

  16. Iain says:

    Raymond – your first comment is posted by ‘oldnewthing’, and your second by ‘Raymond Chen’.  Any reason?  Forgot you were logged into a that account, or is someone pretending to be you?  Or are there two of you? :)

  17. BryanK says:

    Iain — See the end of http://blogs.msdn.com/oldnewthing/archive/2006/04/13/575742.aspx

    Specifically:

    > When talking to the voicemail lady, be

    > careful to enunciate clearly, because there

    > are also a Raymond Cheng and a Ray Chen at

    > Microsoft.

    There are two of him…  ;-)

  18. Riva says:

    "However, the execute and transvers rights are overlayed so it’s difficult to remove execute rights without blocking access to the directory"

    You simply deny traverse/execute rights on *files* only for any directory which in turn will propagate to files in any subdirectory.

  19. Gabe says:

    ken lubar, you are confused. Having "execute" rights to a directory does not make it legal to execute files in that directory. Only that file’s execute rights determine if it can be executed. Of course the owner of a file may freely change those rights, so there’s no reason I can’t put any file in any directory and just add execute rights to it.

    Also, the "traverse" right on a directory usually doesn’t matter because by default everyone has the privilege that allows it to be ignored. This allows you to create a directory I don’t have access to with a child subdirectory that I can access.

  20. Stefan Kanthak says:

    @Stu:

    -uninstall is often used for service binaries to (un)install themselves.

    It is but just an example; maybe  litware.exe only accepts one operand and discards %2 and higher?

    @ken lubar:

    use Software Restriction Policies in XP and later and only allow execution in %SystemRoot% and below and %ProgramFiles% and below.

    Don’t forget to remove .lnk from the list of binaries, and add .swf and other notorious file extensions which may find their normal way into browser caches etc. and get "executed".

    @Raymond:

    when the executable is registed with it’s full path and detected as 32bit binary then Explorer quotes the %1 itself (you wrote once). SCNR.-)

  21. Hayden says:

    Somebody would actually expose Windows File Sharing to the internet?

    I can’t be the only person who snorted mightily when Microsoft renamed their hackable, wobbly, inefficient LAN file server protocol to be "Common *Internet* Filing System"

  22. Norman Diamond says:

    Wednesday, May 10, 2006 1:24 PM by Hayden

    > Somebody would actually expose Windows File

    > Sharing to the internet?

    Millions do.  I thought this infection vector was famous.

  23. xl says:

    "Fancy text editors for example are rich targets."

    Word!

  24. C$ says:

    Somebody would actually expose Windows File

    > Sharing to the internet?

    Somebody would actyally connect windows < xp to the internet?

  25. Anonymous refugee from Windows says:

    So you’re saying that all programs are exposed to the Internet, because people can download files from the Internet and then open them in programs.

    Why on earth would anyone open a random file from the Internet without first thinking about where they were getting it from?

    Oh, right, Windows’s special "Internet sites look just like local files" security-hole-by-design which they advertised so heavily.  :-P

  26. Mike Swaim says:

    Somebody would actually expose Windows File Sharing to the internet?

     A couple of years ago, when I had a cable modem, occasionally my router would light up as someone’s machine would try infecting my computer with some sort of crud.

     A couple of times I mounted C$ on the offending machine, to leave nastygrams in their autoexec.bat. At least once, my antivirus software reached out and cleaned execuatbles on their machines. (Which probably violated my license agreement.)

Comments are closed.