The WMI root node is just a node in the WMI namespace


A security vulnerability report arrived that went roughly like this:

There is a serious zero-day security vulnerability in the WMIC.EXE program. It does not check whether the user has administrative privileges before granting access. Simply sign in as a standard user and run the wmic program. Observe from the prompt that it gives you root access.

C:\> del config.sys
Access is denied

C:\> wmic
wmic:root\cli> cdrom get description, drive
Description   Drive
CD-ROM Drive  D:

The WMIC prompt looks like this:

wmic:root\cli>

This is telling you that your current location (which WMI calls a role for some reason) is the cli node in the root of the WMI namespace. You can change this by typing

wmic:root\cli> /ROLE:..\cimv2
wmic:root\cimv2>

We suspect that the finder saw the word root and assumed it had the same meaning here as it does in Unix. In Windows, the administrator account is called Administrator, not root.

Their screen shot shows that they don't have administrator privileges when they started (because they can't delete the file C:\config.sys). From inside the WMIC tool, they printed information about the CD-ROM drives, but that operation doesn't require administrator privileges, so that isn't proof that any elevation occurred.

Running the WMIC program doesn't change your security level. If you don't have administrator privileges, then you still cannot do things like, say, delete system files.

wmic:root\cli>datafile where name="C:\\config.sys" delete
Delete '\\PC\ROOT\CIMV2:CIM_DataFile.Name="c:\\config.sys"' (Y/N/?)? y
Deleting instance \\PC\ROOT\CIMV2:CIM_DataFile.Name="c:\\config.sys"
ERROR:
Description = Access denied
Comments (9)
  1. Alan says:

    I suspect that the phrase “zero-day” in a security vulnerability report to a vendor strongly correlates with “has no idea what they’re talking about.” I’m guessing it’s either being used to make it sound more impressive, or they’re just cargo culting the report.

    1. Ray Koopa says:

      It already starts at ‘serious’.

    2. Joshua says:

      I filed a zero day vulnerability before that the vendor (not MS) was one.

  2. Mike Caron says:

    It’s funny, a few years ago I had a root canal, and it stripped me of all my godlike powers. So, he’s right – root does mean the same thing everywhere

  3. This post is tagged as “Other”. But this post is one of the many whose subject is “security vulnerability false positives”. Would be great if they all could be tagged as such.

  4. Nik says:

    If I had somehow submitted that vulnerability report, I would probably die of shame.

  5. IanBoyd says:

    This is on the order of “Tracer T” level of hacking that Larry Osterman introduced to us 8 years ago.

  6. DWalker07 says:

    But but but … it says “Root”! That has to be a serious vulnerability.

  7. Anonymous says:
    (The content was deleted per user request)

Comments are closed.

Skip to main content