Environment Variable interception

The PATH environment variable contains a list of directories which programs rely on to determine the locations of a certain program if the full path to the program is not given.

If any directory is listed before the Windows Directory %SystemRoot%\System32, a program may be placed in the directory to hijack execution flow as that folder will be checked first before System32.

For example, if c:\path precedes %SystemRoot%\System32, the c:\path folder will be checked for the certain program before it checks system32. If we placed a program in c:\path called powershell.exe, the "powershell.exe" in the c:\path folder will be called instead of the powershell.exe in system32.

We need 2 requirements to exploit this:

1. PATH contains a writable folder to the attacker

2. The writable folder is before the folder that contains the legit binary

Let's first look at the system wide variables with reg:

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"

As we can see in the above, the document folder precedes the system32 folder.

Let's try copying calc renamed to notepad to our documents folder copy c:\windows\system32\calc.exe c:\Users\front\Documents\notepad.exe

now lets open up cmd and try to open notepad.

As you can see, calc will popup instead.

We can modify this to run our malware which will run our shellcode and start notepad.exe at the same time

Because this is a system wide variable, any admin user who tries to run notepad will run calc.exe with elevated privileges which can lead to privilege escalation if we the admin user to run our malware.