program.exe trick

Posted by joy


There was a thread today and yesterday on the Full Disclosure mailing list about the MS Spyware beta and how it unfortunately has an inadvertent security hole. I’m posting the explanation here because I think it’s pretty interesting.

From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of pretty vacant

Sent: Tuesday, May 10, 2005 9:53 AM

To: James Tucker

Cc: full-disclosure@lists.grok.org.uk

Subject: Re: [Full-disclosure] Useless tidbit

You may or may not know that Windows applications often use the registry to store information about where to find applications within their file system. Due to the way in which Windows handles filenames, situations where this information is stored in an unquoted fashion, can leave the application open to an attack commonly referred to as the “Program.exe trick”.

As you know, it’s quite common to have files and/or directories with spaces in the name (e.g. C:Program Files). Windows is unique in that it essentially doesn’t exactly know what it’s doing if the command isn’t quoted and contains spaces. For example look at the following command:

c:program fileswindows media playerwmplayer

If unquoted, Windows tries the following:

1st try

Execute: c:program.exe

Arg1: fileswindows

Arg2: media

Arg3: playerwmplayer

2nd try

Execute: “c:program fileswindows.exe”

Arg1: media

Arg2: playerwmplayer

3rd try

Execute: “c:program fileswindows media”

Arg1: playerwmplayer

4th try

Execute: “c:program fileswindows media playermwplayer.exe”

Well in the case of MS AntiSpyware (and hundreds of other applications), AntiSpyware, it starts up by executing “AntiSpywareMain.exe” which in turn displays a nice splash screen, performs some other misc activities before calling the gsasDtServ.exe. The problem is that the execution of gsasDtServ.exe is unquoted, while the app tries to execute c:program filesmicrosoft antispywaregsasDtServ.exe, if c:program.exe exists, it will be executed instead and MS Antispyware never actually gets loaded.

With XPSP2, the OS will actually warn you about files like c:Program.bat, or c:Program.exe, but not of c:program filesinternet.exe.

Sadly, this isn’t uncommon and when I tested this on my system the first time, 7 applications were executed over a 48 hour period. Try it for yourself. My Program.exe logs the executing user and command args to c:program.log.


Comments are closed.