Vulnerabilities > CVE-2014-0315 - Untrusted Search Path vulnerability in Microsoft products

047910
CVSS 6.9 - MEDIUM
Attack vector
LOCAL
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
microsoft
CWE-426
nessus
NVD
Published: 2014-04-08
Updated: 2019-05-13

Summary

Untrusted search path vulnerability in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse cmd.exe file in the current working directory, as demonstrated by a directory that contains a .bat or .cmd file, aka "Windows File Handling Vulnerability." Per: http://cwe.mitre.org/data/definitions/426.html "CWE-426: Untrusted Search Path"

Vulnerable Configurations

Part Description Count
OS
Microsoft
14

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging/Manipulating Configuration File Search Paths
    This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.

Msbulletin

bulletin_idMS14-019
bulletin_url
date2014-04-08T00:00:00
impactRemote Code Execution
knowledgebase_id2922229
knowledgebase_url
severityImportant
titleVulnerability in Windows File Handling Component Could Allow Remote Code Execution

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS14-019.NASL
descriptionThe remote Windows host is potentially affected by a vulnerability in the way that Windows processes .bat and .cmd files that could allow remote code execution if a user is convinced to run a specially crafted .bat or .cmd file. When exploiting this vulnerability, an attacker could gain the same user permissions as the current user.
last seen2020-06-01
modified2020-06-02
plugin id73416
published2014-04-08
reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/73416
titleMS14-019: Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2922229)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(73416);
  script_version("1.10");
  script_cvs_date("Date: 2019/11/26");

  script_cve_id("CVE-2014-0315");
  script_bugtraq_id(66619);
  script_xref(name:"MSFT", value:"MS14-019");
  script_xref(name:"MSKB", value:"2922229");

  script_name(english:"MS14-019: Vulnerability in Windows File Handling Component Could Allow Remote Code Execution (2922229)");
  script_summary(english:"Checks version of kernel32.dll");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is potentially affected by a remote code
execution vulnerability.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is potentially affected by a vulnerability in
the way that Windows processes .bat and .cmd files that could allow
remote code execution if a user is convinced to run a specially
crafted .bat or .cmd file. When exploiting this vulnerability, an
attacker could gain the same user permissions as the current user.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2014/ms14-019");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 
7, 2008 R2, 8, 2012, 8.1, and 2012 R2.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-0315");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2014/04/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/04/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS14-019';
kb = '2922229';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1', win8:'0', win81:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

########## KB2922229 ###########
#  Windows XP SP3,             #
#  Windows XP SP2 x64,         #
#  Windows 2003 SP2,           #
#  Windows Vista SP2,          #
#  Windows 7,                  #
#  Windows Server 2008 SP2,    #
#  Windows Server 2008 R2      #
#  Windows Server 8            #
#  Windows Server 2012         #
#  Windows Server 8.1          #
#  Windows Server 2012 R2      #
################################
if (
  # Windows 8.1 / Windows Server 2012 R2
  hotfix_is_vulnerable(os:"6.3", sp:0, file:"kernel32.dll", version:"6.3.9600.16656", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 8 / Windows Server 2012
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"kernel32.dll", version:"6.2.9200.20935", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"kernel32.dll", version:"6.2.9200.16815", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 7 / Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"kernel32.dll", version:"6.1.7601.22616", min_version:"6.1.7601.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"kernel32.dll", version:"6.1.7601.18409", min_version:"6.1.7600.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Vista / Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"kernel32.dll", version:"6.0.6002.23323", min_version:"6.0.6002.23000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"kernel32.dll", version:"6.0.6002.19034", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2003 / XP x64
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"kernel32.dll", version:"5.2.3790.5295", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows XP x86
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"kernel32.dll", version:"5.1.2600.6532", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/137966/eclipse-dllhijack.txt
idPACKETSTORM:137966
last seen2016-12-05
published2016-07-19
reporterStefan Kanthak
sourcehttps://packetstormsecurity.com/files/137966/Eclipse-DLL-Hijacking.html
titleEclipse DLL Hijacking

Seebug

bulletinFamilyexploit
descriptionBugtraq ID:66619 CVE ID:CVE-2014-0315 Windows是一款由美国微软公司开发的窗口化操作系统。 由于当操作系统处理关于&quot;CreateProcess()&quot;方法的.bat和.cmd文件时没有正确限制文件路径,攻击者可以利用漏洞执行特制的可执行文件,例如由诱使用户打开位于远程WebDAV或SMB共享的应用程序。 0 Microsoft Windows 7 Microsoft Windows 8 Microsoft Windows 8.1 Microsoft Windows RT Microsoft Windows RT 8.1 Microsoft Windows Server 2003 Datacenter Edition Microsoft Windows Server 2003 Enterprise Edition Microsoft Windows Server 2003 Standard Edition Microsoft Windows Server 2003 Web Edition Microsoft Windows Server 2008 Microsoft Windows Server 2012 Microsoft Windows Storage Server 2003 Microsoft Windows Vista Microsoft Windows XP Embedded Microsoft Windows XP Home Edition Microsoft Windows XP Professional 目前厂商已经发布了升级补丁以修复漏洞,请下载使用: https://technet.microsoft.com/en-us/security/bulletin/ms14-019
idSSV:62093
last seen2017-11-19
modified2014-04-09
published2014-04-09
reporterRoot
titleMicrosoft Windows &quot;CreateProcess()&quot; .cmd和.bat安全绕过漏洞

References