CreateProcess(),
CreateProcessAsUser(),
CreateProcessWithLogonW(),
CreateProcessWithTokenW()
and
WinExec(),
introduced with the support of longfilenames with Win32 in Windows NT 3.1 (and of course Windows 95 too) more than 20 years ago:
[…] the module name must be the first white space-delimited token in the lpCommandLine string. If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous. For example, consider the string "c:\program files\sub dir\program name". This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:These Win32 functions play try & error where they should but fail and return an error to their caller!
- c:\program.exe files\sub dir\program name
- c:\program files\sub.exe dir\program name
- c:\program files\sub dir\program.exe name
- c:\program files\sub dir\program name.exe
extended supportuntil April 2019) the Win32 function calls
CreateProcess*(NULL, "C:\\Program Files\\Internet Explorer\\IExplore.exe", …)
CreateProcess*(NULL, "C:\\Program Files (x86)\\Internet Explorer\\IExplore.exe", …)ERROR_ACCESS_DENIED
if the directories C:\Program\ and/or
C:\Program.exe\ exist.
On Windows NT 6.x the directories
C:\Program\ and C:\Program.exe\ are but
ignored/skipped and the (unquoted) command line executed
successfully.
On both Windows NT 5.x and Windows NT 6.x the Win32 function calls
CreateProcess*(NULL, "C:\\Program Files\\Internet Explorer\\IExplore.exe", …)
CreateProcess*(NULL, "C:\\Program Files (x86)\\Internet Explorer\\IExplore.exe", …)ERROR_ACCESS_DENIED if the directories
"C:\Program Files\Internet\",
"C:\Program Files\Internet.exe\",
"C:\Program Files (x86)\Internet\"
and/or
"C:\Program Files (x86)\Internet.exe\"
respectively exist (yes, you need administrative rights to create
them, but that’s not the point here).
Do you like the inconsistent behaviour or the special treatment of
the directories C:\Program\ and
C:\Program.exe\ under Windows NT 6.x?
Now remove the directories
"C:\Program Files (x86)\Internet.exe\",
"C:\Program Files (x86)\Internet\",
"C:\Program Files\Internet.exe\",
"C:\Program Files\Internet\",
C:\Program.exe\ and C:\Program\ and
create the files
"C:\Program Files\Internet.exe" and
"C:\Program Files (x86)\Internet.exe"
(yes, you need administrative rights to create them too, but
that’s still not the point here):
"%ComSpec%" /C COPY "%ComSpec%" "C:\Program Files\Internet.exe" "%ComSpec%" /C COPY "%ComSpec%" "C:\Program Files (x86)\Internet.exe"On both Windows NT 5.x and Windows NT 6.x the Win32 function calls
CreateProcess*(NULL, "C:\\Program Files\\Internet Explorer\\IExplore.exe", …)
CreateProcess*(NULL, "C:\\Program Files (x86)\\Internet Explorer\\IExplore.exe", …)"C:\Program Files\Internet.exe" or
"C:\Program Files (x86)\Internet.exe"
respectively.
Create the directories
"C:\Program Files\Internet\" and
"C:\Program Files (x86)\Internet\" and retry:
the Win32 function calls
CreateProcess*(NULL, "C:\\Program Files\\Internet Explorer\\IExplore.exe", …)
CreateProcess*(NULL, "C:\\Program Files (x86)\\Internet Explorer\\IExplore.exe", …)"C:\Program Files\Internet.exe" or
"C:\Program Files (x86)\Internet.exe" but
"C:\Program Files\Internet Explorer\IExplore.exe"
or
"C:\Program Files (x86)\Internet Explorer\IExplore.exe"
instead, i.e. the presence of a directory
"C:\Program Files\Internet\" or
"C:\Program Files (x86)\Internet\" lets
Windows NT skip/ignore a file
"C:\Program Files\Internet.exe" or
"C:\Program Files (x86)\Internet.exe"!
Does this work for the file C:\Program.exe too?
After execution of the command line
"%ComSpec%" /C COPY "%ComSpec%" C:\Program.exethe Win32 function calls
CreateProcess*(NULL, "C:\\Program Files\\Internet Explorer\\IExplore.exe", …)
CreateProcess*(NULL, "C:\\Program Files (x86)\\Internet Explorer\\IExplore.exe", …)C:\Program.exe on all versions
of Windows NT!
Finally create the directory C:\Program\ and retry: the
Win32 function calls
CreateProcess*(NULL, "C:\\Program Files\\Internet Explorer\\IExplore.exe", …)
CreateProcess*(NULL, "C:\\Program Files (x86)\\Internet Explorer\\IExplore.exe", …)ERROR_ACCESS_DENIED on
Windows NT 5.x, but execute their (unquoted) command
line on Windows NT 6.x!
Caveat: the documentation of the behaviour of the
Win32 functions CreateProcess*() for
unquoted command lines is incomplete:
[…] the module name must be the first white space-delimited token in the lpCommandLine string. If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous. For example, consider the string "c:\program files\sub dir\program name". This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:Neither the 4 other possibilities
- c:\program.exe files\sub dir\program name
- c:\program files\sub.exe dir\program name
- c:\program files\sub dir\program.exe name
- c:\program files\sub dir\program name.exe
.exe is appended only if there
is no direct match!), nor the skipping of files
"…\‹name›.exe" in the
presence of directories
"…\‹name›\", nor the
behaviour for
"c:\program files (x86)\sub dir\program name"
are documented!
Note: the Win32 functions
LoadLibrary*("") search for a file
.dll in the
DLL
search path and load it: executables also don’t need to have
a file name at all!
For further investigations peeking and poking
see the documentation for
NTFS
Reparse Points:
A file or directory can contain a reparse point, which is a collection of user-defined data. The format of this data is understood by the application which stores the data, and a file system filter, which you install to interpret the data and process the file. When an application sets a reparse point, it stores this data, plus a reparse tag, which uniquely identifies the data it is storing. When the file system opens a fileor a directory
with a reparse point, it attempts to find the file system filter associated with the data format identified by the reparse tag. If a file system filter is found, the filter processes the file as directed by the reparse data. If a file system filter is not found, the file open operation fails.Then create a directory
%SystemDrive%\Program\ and add
a
collection of user-defined data
to it:
SeCreateSymbolicLinkPrivilege and
SeRestorePrivilege can create
symbolic links;
The file system filter driver for junctions (and mount points) only handles reparse points from directory to directory or from directory to drive; it fails on reparse points with all other combinations.
Note: the builtin
MkLink
command of the Command Processor of
Windows Vista® and newer versions of
Windows™ NT
but creates reparse points with such invalid
combinations the existing file system filter drivers can’t
handle:
"%ComSpec%" /C MKLINK "%SystemDrive%\Program" "%PUBLIC%" "%ComSpec%" /C MKLINK /D "%SystemDrive%\Program" "%ComSpec%" "%ComSpec%" /C MKLINK /J "%SystemDrive%\Program" "%ComSpec%"
CWE-428.CAB
is
digitally signed
using an
X.509
certificate
issued by
WEB.DE TrustCenter E-Mail Certification Authority.
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAwoDvctTIkyz5KyHlms35ue9lm7I2yPVqZbRjGL26OKxei/R9APYKA47yoJQu
QZvr0husZPI/XQEGDicmBH1Gw/T821Y/E3pwUrumhw2dRI83Vn3wqO1OaAfkcOxjtNthr04r
YT+8f1SJtZabDP0Fv7dF4ltrUSwvy+lxV4jLLU2y7qtJ6XawLHEIBZAurozEGUVlgF93nsIZ
ydcHLxQzUEbSSsegkeY+aaaC/pGFE9Q3P3c4Nn5kOwK8ElwPwbHFMiK4t8RT3DSPXX0XQl2M
yoB3XAhZj6VOC9JyHC4COVSTnbFz3mmDkxYL/qyKFkDH/V5JWZhEv+T0Rl2Bebh91wIDAQAB
-----END RSA PUBLIC KEY-----Note: unfortunately WEB.DE abandoned their trust center in 2018 and removed all pages and download links in 2019; fortunately the Wayback Machine archived the TrustCenter page, the CA and the root certificate.
Note: due to its counter signature alias timestamp the digital signature remains valid past the X.509 certificates expiration date!
CWE-428.CAB
and verify its digital signature, then open it in
Windows Explorer, extract its
contents and call the extracted batch script
CWE-428.CMD
to run the installation.
In standard installations of
Windows™ NT
users are but per default on the wrong side of this (not so)
airtight hatchway
: the (initial) user account created during
Windows Setup is member of the
BUILTIN\Administrators group, and
the security theatre
known as
User Account Control is not a security
boundary!
According to numbers published by Microsoft in their Security Intelligence Reports, about ½ to ¾ of all (some 100 million) Windows NT installations engaged in their malware telemetry reported only a single active user account.
Standard installations of Windows 7 (and earlier versions of Windows NT too) include services (and other components) which use unquoted command lines!
A proof of concept (working in standard installations of
Windows 7, Windows Server 2008 R2,
Windows 8, Windows Server 2012,
Windows 8.1 and Windows Server 2012 R2)
which uses UACs
auto-elevation
(mis)feature to copy an arbitrary file to
%SystemRoot%\Program.exe is available as
PROGRAM.CMD.
Disabling User Account Control (UAC) on Windows Server:
One of the common misconceptions about UAC and about Same-desktop Elevation in particular is that it prevents malware from being installed or from gaining administrative rights. First, malware can be written not to require administrative rights, and malware can be written to write just to areas in the user’s profile. More important, Same-desktop Elevation in UAC is not a security boundary and can be hijacked by unprivileged software that runs on the same desktop. Same-desktop Elevation should be considered a convenience feature, and from a security perspective, "Protected Administrator" should be considered the equivalent of "Administrator." By contrast, using Fast User Switching to log on to a different session by using an administrator account involves a security boundary between the administrator account and the standard user session.Update on UAC:
One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, […]Inside Windows 7 User Account Control:
The most effective way to secure a system against malware is to run with standard user privileges.
[…] the primary purpose of elevation is not security, though, it’s convenience: […]The Long-Term Impact of User Account Control:
[…] this is also where we run into some of the limitations of UAC. Remember, there is no effective isolation; there is no security boundary that isolates processes on the same desktop.Inside Windows Vista User Account Control:
It’s important to be aware that UAC elevations are conveniences and not security boundaries. A security boundary requires that security policy dictates what can pass through the boundary. User accounts are an example of a security boundary in Windows because one user can’t access the data belonging to another user without having that user’s permission.
Despite this, unprivileged users can create the directories
%SystemDrive%\Program\ and
%SystemDrive%\Program.exe\ on all
versions of Windows NT.
Note: finding the appropriate directory name for
non-english versions of Windows NT 3.x,
Windows NT 4 and Windows NT 5.x (where
unprivileged users can create the files
%SystemDrive%\Program and
%SystemDrive%\Program.exe which will be executed) is
left as an exercise to the reader.
Note: if 8.3 alias short
file name creation
is enabled, a user with privilege SeRestorePrivilege
might just create short
file names, either using the
Win32 function
SetFileShortName()
or the command
FSUtil.exe:
PROGRAM or PROGRAM.EXE for the directory
"C:\Program Files\",
PROGRAM or PROGRAM.EXE for any file
"C:\‹arbitrary executable›",
COMMON or COMMON.EXE for the directory
"C:\Program Files\Common Files\",
INTERNET or INTERNET.EXE for the directory
"C:\Program Files\Internet Explorer\",
INTERNET or INTERNET.EXE for any file
"C:\Program Files\‹arbitrary executable›",
Event ID 7000 and "%1 Is Not a Valid Win32 Application" Error Message When You Start a Service:
This issue may occur if the path of the executable file for the service contains spaces.When Windows starts a service, it parses the path of the service from left to right. If both of the following conditions are true, Windows may locate and try to run the file or folder before it locates and runs the executable file for the service:
For example, if the path of the executable file for a service is C:\Program Files\MyProgram\MyService.exe, and if a folder that is named C:\Program also exists on your hard disk, Windows locates the C:\Program folder on your hard disk before the C:\Program Files\MyProgram\MyService.exe file, and then tries to run it.
- The path of a service’s executable file contains spaces.
- There is a file or folder on your computer’s hard disk that has the same name as a file or folder in the path to the service’s executable file.
Use the X.509 certificate to send S/MIME encrypted mail.
Note: email in weird format and without a proper sender name is likely to be discarded!
I dislike
HTML (and even
weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your
nickname.
I abhor top posts and expect inline quotes in replies.
as iswithout any warranty, neither express nor implied.
cookiesin the web browser.
The web service is operated and provided by
Telekom Deutschland GmbH The web service provider stores a session cookie
in the web
browser and records every visit of this web site with the following
data in an access log on their server(s):