Exploiting a not properly escaped string in batch - windows

In Windows software X every link you formulate is automatically converted into a clickable object.
The interesting and security-relevant part here is, that a link like "http://%COMPUTERNAME%.com/" will open the standard browser calling e.g. "http://NR57005-PC.com/", which of course is an information disclosure vulnerability, as all environment variables are converted.
Now my question is, whether this behaviour could lead to more critical issues - e.g. code execution vulnerabilities, which would highly increase the importance of a quick fix.
Do you have any suggestions how to prove, that this this is not only a disclosure issue but a critical vulnerability? Could an attacker inject batch commands by any chance?
I already played around with pipes, ampersands and quotes but so far I didn't find anything interesting.
Thanks in advance,
Patrick
Edit:
To clarify, my approach was the following:
The system must be executing a command like firefox.exe "http://%COMPUTERNAME%.com/", otherwise the system variable would not be converted.
And now, for I know that there is some unfiltered batch call going on, I thought it could be possible to escape the parameter string. For instance, a link like http://google.com/"&notepad&" could have resulted in firefox.exe "http//google.com"&notepad&"", which would have opened the notepad - as a proof of concept that code execution works. Unfortunately this escaping attempt did not work. Therefore I wonder, if there are other tricks to gain shell access or similar.

Your attacker would have to register and control the server NR57005-PC.com. To do so, he would have to have prior information about the hostname(s).
The attack surface presented will depend on the User Agent used to retrieve the link, which will depend on your batch file processing and/or the default browser configured on the system.
Assuming Internet Explorer, your attack surface will be reduced from what you may expect thinking about it as a batch file, because the website will no longer be in the Local Computer zone, but the Internet Zone. Crafty tricks like you're considering won't work.
You're left with using a typical IE vulnerability to gain control. The batch file gains you the opportunity, without depending on a user to visit a malicious website.
I assume you're a pen-tester/auditor and are trying to qualify a finding. I'd recommend
1 - hacking together a demo, but depending on user error to run an executable or similar. You can make the claim a user isn't expecting the browser to give an exe, and thus will be more trusting, even though he should not be.
2 - Recognize the fact it's not a critical vulnerability and move on. An attacker can get the same access/trust more easily through a well-crafted social engineering email.

Related

Wayland detection from root user

I have a script that must be launched as root. I need to detect the graphics system and identify it (windows X system, Wayland).
I tried using some environment vars like ${XDG_SESSION_TYPE} or ${WAYLAND_DISPLAY} which are revealing if you are using x11 or wayland, or if you are in a headless system... but, the problem is that the vars are not working from root user. As you know, the graphics environment is usually launched by a normal user and as I said at the beginning of the question, for reasons that I'm not going to explain here, the script needs to be launched as root.
Next screenshot is showing only one common element between users, the XAUTHORITY var...
I could use that but I think that could be a very dirty way to do it. It must be a better way. Any suggestion? Thanks.
The only reliable method is for you to obtain the report, from the environment by a non-root user ID, of the XDG_SESSION_TYPE variable's value.
For X-Windows, XDG_SESSION_TYPE=x11
For Wayland, XDG_SESSION_TYPE=wayland
However, as datenwolf stated, since root is specifically hindered by hard-coded security precautions, even if you customized your root's .bashrc, you won't be able to get the GUI to respond reliably, if at all, depending on the tools and elements you use.
If, on the other hand, you are attempting to build a tool for specific use by high-level security specialists, then you will likely require a customized build of the OS (removing those hard-coded security blocks) to complement those tools. That ... is a huge task, which only those with deep pockets and unlimited resources ... can allow themselves to contemplate ... unless the developers were smart enough to anticipate such a need and have all those code segments "drop-out" during compilation with the appropriate compile-time flag turned on/off. :-)

My ps1 file do not work due to PowerShell Constrained Language. Can I replace it with a visual studio solution?

Firstly, I am not a professional coder. I am working for finance unit of an international firm, responsible of preparing financials etc. for regulatory bodies etc.
I have designed a PowerShell solution which looks for specific files in network drive and if it finds the files, sends them via outlook e-mail to my team members. But if it does not find the files, sends the e-mail with a warning text etc.
This was working fine until our IT admins applied a system-wide PowerShell Constrained Language mode. This mode prevents running of outlook-related e-mail automation commands in ps1 file and making my solution useless.
My 1st question is about bypassing this mode and the powershell itself. Can I design a similar solution in visual studio ? If so what kind of project should I work on, in which language?
My 2nd question is about insisting on my current solution. I can understand IT admins in my organization putting PowerShell Constrained Language mode into use, as there are risks of viruses and attacks with bad intentions. Is there any other way which eliminates these risks while keeping my solution still working.
p.s. I have excel vba codes of the same solution but I do not want to use it as it interrupts my work while I was doing something in excel (excel is nearly always open&busy in my PC).
As the comment thread contributors suggested, the way to solve this kind of issue is to talk to the management. Do not try to work around the technical safeguards, although it would be easy to do so. If you do, keep in mind that intentional violation of a security policy might be a fireable offence.
When dealing with your boss, a solution-oriented approach is often useful. Don't just complain about the policy, offer a solution. Write up max two pages memo explaining the issue. Include an estimate how much manual routine work you have to do, if they are error-prone, what are the effects of an human error and what more productive things you could do meanwhile. Even if it's five minutes a day, sum it up to yearly level.
The important thing is that you propose solutions. You could ask IT if they have any ideas. For example, IT could sign the script. They could take over the whole thing, so you wouldn't need to worry about running it anymore. Maybe an existing monitoring system could watch the files for you. Explore the options.
Don't overdo the memo, less your boss is going to wonder how many hours you've used to write a memo instead of, you know, doing your actual work. See The Workplace for further advice.

Creating a Single Container Virtual Data Folder

I have been searching everywhere for all the combinations of things that I want to accomplish hoping something would pop but I can't find anything. Additionally, I am not sure if I am "crafting" my query properly enough so I am hoping I can get some assistance on that here.
What I would like to accomplish is this (pseudo logic)
Create a single container file, for example: vdata.x which will contain everything in it as a single data file
Mount this file as an actual drive/folder in Windows so that you can write to, read from, delete/modify the content as if you were using Windows Explorer. Visible to FS, applications, system/commandline like any other "real" folder on the machine.
Prefer the ability to have this file reside on a thumbdrive and have it mounted either automatically or manually after plugged in and have it show up not as the thumbdrive but as the file inside it, or mount both doesn't matter.
Additionally the ability for that file to be locked, encrypted and accessible (despite auto mounting, if that's the case) after it have been authenticated with a password, random token or whatnot.
Finally a housekeeping element, such as being aware of its available "host" space (aka the thumbdrive) so that as it reaches a certain threshold of expansion, it says, hey move me to a larger device, make room or stop adding more, something akin to, running out of space warning.
I thought about putting this in software recommendation SE but that is not fully up and running yet (at last check) and plus the range of who access that sub-se might very limited, so I am asking here to get feedback and discussion to see if we can answer it better here or it needs to move to there.
Thank you in advance and hope to get some brilliant minds out there to help me accomplish this.
PS. I am not averse to building something like this myself but I am limited in time and health and plus if its already done, why reinvent the wheel right? But if anything could help launch the development of such a tool, I would take that input as well, thank you.

Alternatives to ShellAPI to get file list and icons

I need to build a file/folder tree with associated file icons and special locations like network computers.
Currently I'm using Shell API to achieve it: SHGetFileInfo, IShellFolder.EnumObjects and other functions.
It works fine most of the time, but occasionally, on customer's machines it causes various errors like random access violations deep in system libraries. Analyzing bug reports, some of those seem to be a result of 3rd party shell extensions which are loaded to my app's address space when the Shell API is used.
I'm thinking to somehow avoid using Shell API and do the job another way. What are the other good approaches to build a folder tree?
If the problem really is due to faulty shell extensions then the only sensible approach, in my view, is to remove those shell extensions. Trying to work with the shell, but avoid using the shell API won't lead anywhere useful. In fact I think that the likely outcome is that your alternative code will be less functional. All for the sake of one user that won't fix their broken machine. That's a terrible trade off.
If explorer is also crashing then that is a clear indication that the problem is indeed due to shell extensions.
Having said all of that, you post makes me suspect that you have had bug reports from multiple clients. That makes your diagnosis much less plausible. The shell API is a complex beast and it is very plausible that your code is defective in some way. I suspect that you may be guilty of a case of diagnosis by wishful thinking. It's very easy, when facing a fault that is hard to reproduce and diagnose, to believe that your code is not to blame. If multiple clients are reporting problems then my bet is that the defect can be found in your code.

How to read some data from a Windows application memory?

I have an application, which displays me some data. I need to attach to this app's process, find the data I need in memory (one single number, actually), and save it somewhere. This application doesn't seem to use standard windows controls, so things aren't going to be as simple as reading controls data using AutoIt or something similar.
Currently I'm a self-learner database guy and have quite shallow knowledge about windows apps debugging. Not even sure if I asked my question correctly enough.
So, can you give me some starter guidelines about, say, what should I read first, and general directions I should work on?
Thanks.
To read memory of other application you need to open the process with respect of OpenProcess with at least PROCESS_VM_READ access rights and then use ReadProcessMemory to read any memory address from the process. If you are an administrator or have debug privilege you will be able to open any process with maximal access rights, you need only to enable SeDebugPrivilege before (see for example http://support.microsoft.com/kb/131065).
If you don't know a much about the memory of the destination process you can just enumerate the memory blocks with respect of VirtualQueryEx (see How does one use VirtualAllocEx do make room for a code cave? as an example where I examine the program code. The program data you can examine in the same way).
The most practical problem which I see is that you ask your question in too general way. If you explain more what kind of the data you are looking for I could probably suggest you a better way. For example if you could see the data somewhere you could examine the corresponding windows and controls with respect of Spy++ (a part of Visual Studio Tools). The most important are the class of windows (or controls) and the messages which will be send at the moment when the most interesting window are displayed. You can also use Process Monitor to trace all file and registry access at the time when the windows with the interesting information will be displayed. At least at the beginning you should examine the memory of the process with ReadProcessMemory at the moment when the data which you are looking for are displayed on the window.
If you will have no success in your investigations I'd recommend you to insert in your question more information.
My primary advice is: try to find any other method of integration than this. Even if you succeed, you'll be hostage to any kinds of changes in the target process, and possibly in the Windows O/S. What you are describing is behaviour most virus scanners should flag and hinder: if not now, then in the future.
That said, you can take a look at DLL injection. However, it sounds as if you're going to have to debug the heck out of the target process at the disassembly level: otherwise, how are you going to know what memory address to read?
I used to know the windows debugging API but it's long lost memory. How about using ollydbg:
http://www.ollydbg.de/
And controlling that with both ollydbg script and autoit?
Sounds interesting... but very difficult. Since you say this is a 'one-off', what about something like this instead?
Take a screenshot of this application.
Run the screenshot through an OCR program
If you are able to read the text you are looking for in a predictable way, you're halfway there!
So now if you can read a OCR'd screenshot of your application, it is a simple matter of writing a program that does the following:
Scripts the steps to get the data on the screen
Creates a screenshot of the data in question
Runs it through an OCR program like Microsoft Office Document Imaging
Extracts the relevant text and does 'whatever' with it.
I have done something like this before with pretty good results, but I would say it is a fragile solution. If the application changes, it stops working. If the OCR can't read the text, it stops working. If the OCR reads the wrong text, it might do worse things than stop working...
As the other posters have said, reaching into memory and pulling out data is a pretty advanced topic... kudos to you if you can figure out a way to do that!
I know this may not be a popular answer, due to the nature of what this software is used for, but programs like CheatEngine and ArtMoney allow you to search through all the memory reserved by a process for a given value, then refine the results till you find the address of the value you're looking for.
I learned this initially while trying to learn how to better protect my games after coming across a trainer for one of them, but have found the technique occasionally useful when debugging.
Here is an example of the technique described above in use: https://www.youtube.com/watch?v=Nv04gYx2jMw&t=265

Resources