Environment Variable $Path Interception

It's possible to abuse $PATH environment variable to elevate privileges if the variable:
  • contains a folder that a malicious user can write to
  • that folder precedes c:\windows\system32\
Below is an example, showing how c:\temp precedes c:\windows\system32:
Let's make sure c:\temp is (M)odifiable by low privileged users:
Let's now drop our malicious file (calc.exe in this case) into c:\temp and call it cmd.exe:
Now, the next time a high privileged user invokes cmd.exe, our malicious cmd.exe will be invoked from the c:\temp:
This can be very easily abused in environments where software deployment packages call powershell, cmd, cscript and other similar system binaries with NT SYSTEM privileges to carry out their tasks.