CMD.EXE and its shellshock-like qualities

“So did you know there’s a Windows version of Shellshock?” a coworker asked the other day.

“What, Cygwin’s bash?” I asked.

“No, in CMD.EXE.”

I thought for a second, back to some really nasty batch files I’ve seen that do goofy stuff with variables, parentheses and other reserved characters. Suddenly it made sense. Those cryptic batch files are exploiting the command interpreter to do things that shouldn’t be done. Then I smiled.

You see, hipsters like me have been doing stuff like this for years. The most blatant examples date to my Commodore days, when clever programmers would inject machine code into Basic programs using a combination of the little-known DEF FN statement and the little-used USR function. This was a clever bit of coding wizardry in 1988, but looking back at it now, it worked because they were exploiting a security vulnerability in Commodore Basic. Read the writeup in the August 1988 Compute’s Gazette on page 58 if you’re curious. It’s classic, even including a NOP sled.

Commodore users weren’t the only people who abused their operating system to get it to do things the designers didn’t think of. A lot of clever batch files do similar trickery. Rob van der Woude’s page is full of clever batch files, some of which clearly are confusing the command interpreter or built-in utilities to make them do things they don’t normally do.

Is it clever coding, or an exploit?

Both.

Batch is a very simple, crude scripting language that doesn’t have nearly the functionality of something like Perl. But on some Windows servers, it’s all you’ve got, so sometimes you have to break rules to get it to do what you need it to do. If that means exploiting vulnerabilities in the code, so be it. That means there may very well be a lot of production code using these weaknesses–stuff Microsoft doesn’t especially want to break.
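An added illustration, not from the original post and not a claim about which exact cmd.exe behavior the coworker had in mind: the batch file below shows the well-known property that makes batch Shellshock-like. A %VAR% reference is substituted as raw text before cmd.exe parses the line, so a variable holding untrusted text can smuggle in command separators. The variable name UNTRUSTED and its value are constructed for the demo; in a CGI setup the value would arrive in an environment variable copied from a request header. The whoami that runs stands in for whatever an attacker would actually send.

```batch
@echo off
rem Added illustration (not from the original post): textual %VAR% expansion
rem in cmd.exe, and why it behaves like Shellshock when the variable holds
rem attacker-controlled text. The value below is constructed for the demo;
rem a CGI gateway would instead copy it from a request header.
setlocal
set "UNTRUSTED=hello & whoami"

rem Vulnerable pattern: %UNTRUSTED% is pasted into the line before the line
rem is parsed, so the line cmd.exe actually executes is
rem     echo hello & whoami
rem The "&" is honoured as a command separator and whoami runs.
echo %UNTRUSTED%

rem Safer pattern: with delayed expansion, !UNTRUSTED! is substituted after
rem the line has been parsed, so "&" is ordinary text and is simply printed.
setlocal enabledelayedexpansion
echo !UNTRUSTED!
endlocal

endlocal
```

Delayed expansion only contains the problem; it does not solve it. In that mode the characters ! and ^ inside the value are themselves treated specially, and any later %VAR% reference to the same variable in the script reintroduces the injection. The check a practitioner wants is simply whether any cmd.exe or batch process ever receives request-derived data in its environment; if it does, no amount of quoting inside the batch file makes that safe, and the gluing should move to something that does not re-parse its own variables.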

As a sysadmin who never had the proper tools to do his job, I know that kind of stuff is out there. I also know there are very few web servers out there running on Windows and using batch files in CGI mode to glue stuff together, because batch has a small fraction of bash’s capabilities. Gluing stuff together with CGI scripts is something Unix always did much better, and more easily, than Windows.

Given the small risk of someone using this to remotely execute code on Windows servers versus the number of people who are likely to be using the flaw for legitimate purposes, I don’t think Microsoft will ever fix this. I’m sure we’ll soon find out how many exploitable CGI-mode Windows web servers are out there, and I’m equally sure we’ll find the number to be awfully small.
