Executive Summary:
When using the search path to resolve a command name, Windows attempts to match the command name to file-based commands in the folders in the path. If you don't specify a file extension for the command, Windows Explorer automatically searches for files with the extensions .com, .exe, .bat, or .cmd. This search process is useful but has some quirks. Applications—particularly older ones—might add their own directories to the search path, possibly ahead of Windows' intended first search folders. Malicious coders might also use pathext to make Windows identify common command names such as regedit with their application files. Tools such as Windows Vista's User Access Control (UAC) don't solve the search problem. If you're performing an administrative task and have already elevated your privileges in a subshell, invasive code will run with no special prompting. However, on systems that don't need significant command-search customization, you can do some tweaking to make it very difficult for an attacker to use command search to escalate privileges. The tweaking simply involves locking down the search path wherever possible, modifying and locking down the pathext variable, and maintaining security for the folders used in the search process. |
The Windows search path represents a significant potential vulnerability on many systems. I'll explain why, then show you how you can minimize the vulnerability by identifying machines that don't need modified command search and locking them down. . . .
Register
