Quotes save lives: Poor punctuation leads to Windows shell vulnerability

An attack on Windows scripts shows that quotation marks aren't just for writers.

A class of coding vulnerabilities could allow attackers to fool Windows system administrators into running malicious code because of a simple omission: quotation marks.

The attack relies on scripts or batch files that use the Windows command-line interface, or "shell" (cmd.exe), but contain a simple coding error: untrusted input is substituted into a command line without quotation marks, so part of that input is run as a command. In the current incarnation of the exploit, an attacker creates a directory whose name ends in an ampersand followed by a valid command; cmd.exe treats "&" as a command separator. When a script with the coding error substitutes that directory name into a command, the interpreter runs the appended command as well, with the rights of whoever runs the script, typically an administrator.

"The scenario... requires a ‘standard’ user with access rights to create a directory to a fileserver and an administrator executing a vulnerable script," Frank Lycops and Raf Cox, security researchers with The Security Factory, said in an e-mail interview. "This allows the attacker to gain the privileges of the user running the script, thus becoming an administrator."

While the attack falls short of the severity of the Shellshock family of Bash shell vulnerabilities, the two researchers stressed that it's a good example of how untrusted input can be used to execute commands on a system. The researchers identified at least one popular script with the vulnerability. When the script attempts to set the starting directory for system administration work, it inadvertently runs the command appended to the malicious directory's name as well.

Another scenario posited by the researchers involves companies that use scripts to copy data from a public network to an internal system. "The attacker might be a potential customer or a supplier," they note, not just a corporate user.

The solution is to use proper coding practices, in this case the judicious use of quotation marks. Enclosing the substituted value in double quotes tells cmd.exe to treat everything inside as a single argument, so characters such as "&" and "|" are passed along as data rather than interpreted as command separators. Because Windows does not permit a double quote in a file or directory name, an attacker cannot close the quotes from inside the name. Quoting is a floor rather than a complete defense, though: a script should also validate untrusted names against an allow-list of expected characters, and it should avoid feeding them through a second parsing pass, such as a "call" statement or delayed expansion, where other characters can be reinterpreted.
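The following batch script is an added example, not code from the article or from The Security Factory. It reproduces the scenario described above, a subroutine that takes a directory name from a file server and makes it the working directory, in the unquoted form and in the quoted form, and finishes with a quick check an administrator can run over a share. The share path under %TEMP%, the directory name "reports & whoami" and the use of "whoami" as the appended command are constructed for this illustration.

```batch
@echo off
setlocal
rem Added example (not the article's or the researchers' code). The share,
rem the directory "reports" and the directory "reports & whoami" are created
rem here so the script runs stand-alone; whoami stands in for any command an
rem attacker might append to a directory name.

set "SHARE=%TEMP%\share"
set "EVIL=%SHARE%\reports & whoami"
mkdir "%SHARE%\reports" 2>nul
mkdir "%EVIL%" 2>nul

echo [vulnerable] directory name substituted unquoted
call :vuln "%EVIL%"
echo.
echo [fixed] directory name substituted inside double quotes
call :fixed "%EVIL%"
echo.
echo [check] directories on the share whose names contain cmd.exe metacharacters
call :scan "%SHARE%"
endlocal
goto :eof

:vuln
rem %~1 is the argument with its surrounding quotes stripped. After expansion
rem the line below reads  cd /d <share>\reports  followed by an ampersand and
rem whoami, so cmd.exe changes into the legitimate "reports" directory and
rem then runs whoami as the user executing the script.
cd /d %~1
echo   now in: %CD%
exit /b

:fixed
rem Re-quoting makes the whole name a single argument; the ampersand is data,
rem and the script lands in the directory the attacker created, nothing more.
cd /d "%~1"
echo   now in: %CD%
exit /b

:scan
rem Triage for administrators: list directory names on a share that contain
rem characters cmd.exe would interpret if they were ever substituted unquoted.
rem findstr /l searches for each string literally, so no regex escaping is needed.
dir /b /ad "%~1" | findstr /l /c:"&" /c:"|" /c:"<" /c:">" /c:"^"
exit /b
```

Run it from a cmd.exe prompt. In the vulnerable subroutine the output of whoami appears before the "now in:" line, showing that the appended command ran; in the fixed subroutine the script simply ends up inside the oddly named directory. The scan at the end is a starting point for finding such names on existing shares, not proof that a script is safe: names containing "%" or "!" can still be reinterpreted when a script uses "call" or delayed expansion, so validating names against an allow-list remains necessary even with quotes in place.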

Allowing untrusted input to run as a command, catalogued as OS command injection (CWE-78), is one of the "Top 25 Most Dangerous Software Errors" on the CWE/SANS list maintained by MITRE and the SANS Institute.

"In the end, it comes down to input validation, as (it does) quite often, but it doesn’t hurt to stress the importance of it," the researchers said.
