In the early hours of the Shellshock vulnerability in Bash, the running joke was that Windows administrators could sit back with a box of popcorn and a beverage and watch the Linux and UNIX admins scramble about for once.
Looks like those same Windows admins may soon be dragged into the fray.
As more people dig into the severity and depth of Bash vulnerabilities, it appears that similar Shellshock-like remote code execution is possible on Windows systems, with Windows servers in particular at risk for RCE attacks.
The Security Factory, a Belgian security company, reported discovering a command injection vulnerability for Windows command-line shells that takes advantage of environment variables in a similar fashion to Bash exploits.
“What if we told you that a normal user in your network could take over the control of your Windows file-servers by just creating a special (but [not] so complex) directory-name in one of the directories he has access to?” the company wrote on its website. “In order to succeed, all the user has to do is create a folder with a special name and that you regularly run command-shell scripts for management purposes that have a (pretty common) coding vulnerability.”
Aviv Raff, CTO at Seculert, said there are similarities to Shellshock with this issue and that it extends even into the Windows 10 preview.
“If you set up an environment variable, and once this variable is used, it executes whatever is within the variable name,” Raff said in analyzing the report. “It’s not as major as the Linux or UNIX version, but it could be that Windows Server deployments might be affected by this because those deployments that are used with batchfile and scripts that include environment variables.”
Ross Barrett, senior manager of security engineering at Rapid7, said Windows and Windows scripting are not in the line of fire, but the same cannot be said about some scripts written for Windows.
“The key point is that setting an environment variable on Windows like that is already a privileged operation, so if you can do that, you’ve pretty much owned the system already,” Barrett clarified. “People should audit their scripts for insecure access to %CD% and potentially other environment variables, but Microsoft will not likely patch this. We also know that bash installed on Cygwin or coLinux can be vulnerable, but the likelihood of exploit is minimal.”
Windows clients aren’t likely vulnerable to remote exploitation in this case, Raff said. With Shellshock, Bash was vulnerable to remote exploitation because of the way Apache or DHCP servers were using the command line.
“I couldn’t find a way to do that remotely with Windows,” Raff said. “The way I look at it, you can only exploit it locally, or specifically on Windows Server deployments.”
Microsoft would not comment on the record for this article. Microsoft, however, does not consider this a security vulnerability and told the Security Factory that it would not issue a bulletin. In 2006, it published a blog on environment variables describing how environment variable expansion occurs when commands are read; that is in essence Shellshock.
Raff said organizations writing environment variables need to audit their code and ensure it’s done properly.
“You should use quotes when referring to environment variables. If you don’t use quotes, this is when actual code is executed,” Raff said. “Microsoft may not consider the operating system vulnerable because they provide a way to avoid it. If they can make sure that using it without quotes would not trigger it, then that would be even better. But that might break stuff elsewhere and that may be why they don’t want to touch it.”