Red Hot Cyber


The dark side of the Windows Command Prompt: how malicious commands can replace legitimate ones

Carlo Di Dato : 25 July 2024 14:43

If you choose to read this article, please note that it will not discuss a vulnerability or a bug, but rather an intended behavior of Windows Command Prompt which, in my opinion, poses a security risk.
I decided to publish it because I was not aware of this behavior, and most of the people I asked about it were not aware of it either.

I would like to thank Microsoft’s MSRC for their prompt response to my report and the additional information they provided.

If you were already aware of the behavior shown in the following video, you can save yourself the trouble of reading this article.

The Windows Command Prompt (cmd.exe) is the primary command-line shell used on Windows operating systems. It interprets and executes commands passed as strings, whether they ship with Windows (e.g., “ping”, “ftp”, “notepad”, “calc”) or are third-party programs (e.g., “blahblah”). The way a typed command is resolved to the file that actually runs is described at https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/start and can be summarized as follows:

  1. The user types a command without a path, for example, “blahblah”.
  2. The Windows command prompt checks whether the typed command has an extension. If it does, it looks for that exact file name; if it does not, it tries the extensions listed in %PATHEXT%, one by one and in order.
  3. The lookup follows the Windows standard search order (https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order), in which the current directory is searched before the directories listed in %PATH%.
  4. This means that if a file with the name of the typed command (plus one of the PATHEXT extensions) exists in the directory from which the command prompt was opened, Windows will run that file, even when a legitimate program of the same name exists in System32 or elsewhere on the PATH.


For example:

1. The user opens the command prompt in the folder “C:\test”.
2. The user types the command ftp.
3. The folder contains a file named ftp.exe (i.e., C:\test\ftp.exe).
4. The command prompt launches “C:\test\ftp.exe” instead of the legitimate C:\Windows\System32\ftp.exe.

Is this a problem? In my opinion, yes, and the way file extensions are handled makes it worse.

If the typed command has no extension, the command prompt takes the list of extensions from the %PATHEXT% variable and tries them one by one, in each directory of the standard search order, current directory first. With the default value (.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC), our example makes cmd.exe look for “C:\test\ftp.com”, “C:\test\ftp.exe”, “C:\test\ftp.bat”, “C:\test\ftp.cmd”, “C:\test\ftp.vbs” and so on, and only then move on to C:\Windows\System32. Any one of those names is enough to hijack the command: a plain script file works, and the attacker does not need a compiled executable. This significantly increases the chances of executing risky files disguised as legitimate commands.
Keep in mind that this behavior applies to every command typed without a path, including programs that are normally found through the “PATH” environment variable (e.g., “java”, “python”, “php”, “node”, etc.), because the current directory is checked before any PATH entry. Two practical notes: PowerShell does not behave this way (it requires an explicit “.\node” to run a file from the current directory), and cmd.exe skips the current directory when the environment variable NoDefaultCurrentDirectoryInExePath is defined, at the cost of no longer being able to run local tools by bare name.
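To make the lookup order concrete, the following Python model is added here; it is not part of the original article and not cmd.exe's own code, but it reproduces the documented order (current directory first, then each PATH entry, each tried with every PATHEXT extension). The PATH value, directory names and file list are constructed for the example. It goes slightly beyond the article's ftp case: the search_cwd switch stands in for the NoDefaultCurrentDirectoryInExePath variable, and a trimmed PATHEXT shows which of the attacker's files it would and would not stop.

```python
"""Offline model of cmd.exe's command lookup, used to reproduce the shadowing
described above. The file system and PATH below are constructed for the
example; nothing here touches the real disk."""
import ntpath

# Default PATHEXT on a stock Windows install, in the order cmd.exe tries it.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"

SYSTEM32 = r"C:\Windows\System32"
PATH = SYSTEM32 + r";C:\tools"          # constructed %PATH%

# Constructed file system: legitimate tools plus the attacker files from the
# article's scenarios dropped into C:\test.
FILESYSTEM = {
    SYSTEM32 + r"\ftp.exe",
    SYSTEM32 + r"\ping.exe",
    r"C:\tools\node.exe",
    r"C:\test\ftp.exe",     # same name as the System32 tool
    r"C:\test\ping.vbs",    # a script with a PATHEXT extension
    r"C:\test\node.vbs",    # the "sample project" scenario
}


def resolve(command, cwd, path=PATH, existing=FILESYSTEM,
            pathext=DEFAULT_PATHEXT, search_cwd=True):
    """Return the file cmd.exe would run for `command` typed with no path.

    For each directory (current directory first, then each %PATH% entry) the
    candidate names are tried in PATHEXT order; the first existing file wins.
    A command typed with an extension is looked up by that exact name.
    search_cwd=False models the NoDefaultCurrentDirectoryInExePath variable,
    which removes the current directory from the search. Matching is
    case-insensitive, as on NTFS. Returns None if nothing matches.
    """
    exts = [e for e in pathext.split(";") if e]
    if ntpath.splitext(command)[1]:
        names = [command]
    else:
        names = [command + e for e in exts]
    dirs = ([cwd] if search_cwd else []) + [d for d in path.split(";") if d]
    by_lower = {p.lower(): p for p in existing}
    for d in dirs:
        for name in names:
            hit = by_lower.get(ntpath.join(d, name).lower())
            if hit:
                return hit
    return None


def demo():
    """Run the article's scenarios through the model and return the outcomes."""
    return {
        # From C:\test the dropped files win over System32 and C:\tools.
        "ftp from C:\\test": resolve("ftp", r"C:\test"),
        "ping from C:\\test": resolve("ping", r"C:\test"),
        "node from C:\\test": resolve("node", r"C:\test"),
        # The same command typed from any other directory is safe.
        "node from C:\\Users\\victim": resolve("node", r"C:\Users\victim"),
        # NoDefaultCurrentDirectoryInExePath defined: cwd is skipped.
        "node, cwd excluded": resolve("node", r"C:\test", search_cwd=False),
        # Trimming PATHEXT stops scripts but not a dropped .exe.
        "ping, PATHEXT=.COM;.EXE": resolve("ping", r"C:\test", pathext=".COM;.EXE"),
        "ftp, PATHEXT=.COM;.EXE": resolve("ftp", r"C:\test", pathext=".COM;.EXE"),
    }


if __name__ == "__main__":
    for label, target in demo().items():
        print(f"{label:28} -> {target}")
```

The last two cases are the useful ones for hardening: shortening PATHEXT removes the script-based variants (ping.vbs, node.vbs) but does nothing against a dropped ftp.exe, whereas excluding the current directory from the search defeats both.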

A second risk is the possibility of executing commands from shared network folders:

1. The attacker places a malicious file “ping.exe” on a network drive, e.g., “Z:\test\ping.exe”.
2. The attacker convinces the victim to open the command prompt in the network folder “Z:\test” and type the command “ping”.
3. The command prompt executes the program “Z:\test\ping.exe”.

Another attack scenario could involve creating a compressed file containing “ping.vbs” and convincing a user to decompress it and run the ping command from the folder where the archive was extracted.

An additional “remote” scenario might be:

1. The attacker creates a project or sample package containing a malicious file “node.vbs”.
2. The attacker publishes it in a repository on GitHub.
3. The attacker convinces the victim to download the package.
4. The victim runs the “node” command from the package folder.
5. The Windows command prompt executes the malicious “node.vbs” file.

If you want to try it by yourself, just follow these steps:

1. Open the command prompt.
2. Run “node” (without double quotes and extension).
3. Run “git clone https://github.com/carloddt-oss/test-project.git” (without double quotes).
4. cd test-project
5. Run “node” (without double quotes and extension).
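Before running anything from a freshly cloned or extracted folder, a quick check is to list the files whose name would satisfy cmd.exe's lookup for a command you are about to type. The script below is an added example, not part of the article or of the test repository above; the sample project it scans is constructed in a temporary directory, and the command list and PATHEXT value are the defaults described earlier. It also shows a case the article does not spell out: because .JS is in the default PATHEXT, an ordinary-looking source file named node.js satisfies the lookup for “node” just as node.vbs does, and would be handed to the Windows Script Host.

```python
"""Pre-run check for command shadowing in an untrusted folder: lists files
that cmd.exe would pick up instead of a command typed without a path."""
import os
import sys
import tempfile
from pathlib import Path

# Default PATHEXT on a stock Windows install.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC"


def find_shadowing(root, commands, pathext=DEFAULT_PATHEXT):
    """Return (relative_path, command) pairs for every file under `root`
    whose name is <command> plus a PATHEXT extension.

    Each hit would be executed by cmd.exe in place of `command` whenever the
    prompt's current directory is the directory containing that file.
    Matching is case-insensitive, as on NTFS."""
    exts = {e.lower() for e in pathext.split(";") if e}
    wanted = {c.lower() for c in commands}
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        if (path.is_file() and path.suffix.lower() in exts
                and path.stem.lower() in wanted):
            hits.append((path.relative_to(root).as_posix(), path.stem.lower()))
    return hits


def commands_on_path(pathext=DEFAULT_PATHEXT):
    """Names of every program reachable through PATH on this machine, so a
    real scan covers whatever the user might type, not just a fixed list."""
    exts = {e.lower() for e in pathext.split(";") if e}
    names = set()
    for d in os.environ.get("PATH", "").split(os.pathsep):
        if not d:
            continue
        try:
            entries = os.listdir(d)
        except OSError:
            continue
        for entry in entries:
            stem, ext = os.path.splitext(entry)
            if ext.lower() in exts:
                names.add(stem.lower())
    return names


def demo():
    """Scan a constructed sample project (created in a temp dir, not a real
    repository) for files that shadow a few commonly typed commands."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "src").mkdir()
        for rel in ("README.md", "package.json", "node.js", "node.min.js",
                    "node.vbs", "src/index.js", "src/ping.bat"):
            (root / rel).write_text("constructed sample file\n")
        # node.min.js is not a hit: typing "node" looks for node.js, not node.min.js
        return find_shadowing(root, ["node", "npm", "git", "ping", "python"])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python shadow_check.py <folder>  (scans against PATH programs)
        for rel, cmd in find_shadowing(sys.argv[1], commands_on_path()):
            print(f"{rel} shadows '{cmd}' when cmd.exe is opened in its folder")
    else:
        print(demo())
```

Run it with the cloned folder as the argument before the “node” step above; the demo() variant returns the three hits in the constructed tree (node.js, node.vbs and src/ping.bat), the last one only mattering if the prompt is opened inside src.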

Last but not least, I tested a number of Windows commands (cmd.exe built-ins as well as programs shipped in System32) and most of them can be (ab)used to replicate the behavior. This is the list of the tested commands with their respective status:

Command    Affected
cd         No
cls        No
copy       No
del        No
dir        No
md         No
mkdir      No
move       No
rd         No
ren        No
rename     No
type       No
set        No
echo       Yes
rmdir      Yes
attrib     Yes
chkdsk     Yes
fc         Yes
format     Yes
mode       Yes
more       Yes
tree       Yes
ftp        Yes
ipconfig   Yes
net        Yes
ping       Yes
tracert    Yes
pathping   Yes
tasklist   Yes
taskkill   Yes
sc         Yes
sfc        Yes
diskpart   Yes
shutdown   Yes
compact    Yes
expand     Yes
nbtstat    Yes
xcopy      Yes

Carlo Di Dato