A security vulnerability report arrived that went roughly like this:
There is a serious zero-day security vulnerability in the
WMIC.EXEprogram. It does not check whether the user has administrative privileges before granting access. Simply sign in as a standard user and run the
wmicprogram. Observe from the prompt that it gives you root access.C:\> del config.sys Access is denied C:\> wmic wmic:root\cli> cdrom get description, drive Description Drive CD-ROM Drive D:
The WMIC prompt looks like this:
This is telling you that your current location
(which WMI calls a role for some reason)
node in the root of the WMI namespace.
You can change this by typing
wmic:root\cli> /ROLE:..\cimv2 wmic:root\cimv2>
We suspect that the finder saw the word root and assumed it had the same meaning here as it does in Unix. In Windows, the administrator account is called Administrator, not root.
Their screen shot shows that they don't have administrator privileges
when they started (because they can't delete the file
From inside the
WMIC tool, they printed information about
the CD-ROM drives, but that operation doesn't require administrator
so that isn't proof that any elevation occurred.
WMIC program doesn't change
your security level.
If you don't have administrator privileges,
then you still cannot do things like, say, delete
wmic:root\cli>datafile where name="C:\\config.sys" delete Delete '\\PC\ROOT\CIMV2:CIM_DataFile.Name="c:\\config.sys"' (Y/N/?)? y Deleting instance \\PC\ROOT\CIMV2:CIM_DataFile.Name="c:\\config.sys" ERROR: Description = Access denied