Script bug

Belgian IT firm The Security Factory has unveiled a Windows security issue that is more than 20 years old. The bug makes it possible to hack file servers and possibly introduces a new category of vulnerabilities.

The security problem is noteworthy because it requires no advanced hacking skills.
Simply creating a new folder on a file server with a specific structure in its name is enough to install malicious programs on that server and take complete control of it.

"The only requirement is that system administrators use scripts (e.g. for maintenance) which contain an up until now unknown but common vulnerability," explains Raf Cox of The Security Factory. "The vulnerability resembles the well-known 'SQL injection' bug, but can be exploited on file servers, where the injection of malicious code wouldn't be expected."

Microsoft

The Security Factory claims to have talked to Microsoft about the problem and the communication around it. Microsoft CEO Satya Nadella's Troopers allegedly identified the bug, but are taking no action towards releasing a security update.

"Microsoft suggests that the security bug is related to the way the script is written, and thus is not a problem in the operating system itself," said Cox.

"At the same time Microsoft neglects to issue a warning to users, resulting in many scripts remaining vulnerable and thus endangering all file servers running this type of script. Even an antivirus program will not provide a solution, because it has no script error detection."

Ampersand

The vulnerability is related to the way the Windows Command Shell (also known as the DOS prompt) interprets the '&' (ampersand) character in scripts that work with environment variables.

The '&' character serves as a separator between two consecutive commands on one line. If an environment variable contains this character and a script displays it or assigns it to another variable, the portion of the value after the '&' character will be interpreted as a new Windows command (or program) and then immediately executed.
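
As an added example (not from the article, The Security Factory or Microsoft), the Python code below flags lines in a batch script where a %VAR% expansion sits outside double quotes, which is the pattern described above. It is a heuristic review aid: the function names and the sample script are constructed for illustration, and it assumes an expansion inside double quotes is the lower-risk form.

```python
import re

# %NAME% or %NAME:modifier% (substring / replace syntax)
VAR = re.compile(r"%([A-Za-z_][A-Za-z0-9_]*)(?::[^%]*)?%")

def unquoted_expansions(line):
    """Names of %VAR% expansions on this line that sit outside double quotes."""
    body = line.strip().lstrip("@").lower()
    if body.startswith("::") or body == "rem" or body.startswith("rem "):
        return []                      # comment line, skipped
    found, in_quotes, i = [], False, 0
    while i < len(line):
        if line.startswith("%%", i):   # literal percent or FOR variable
            i += 2
            continue
        if line[i] == '"':
            in_quotes = not in_quotes
        elif line[i] == "%":
            m = VAR.match(line, i)
            if m:
                if not in_quotes:
                    found.append(m.group(1))
                i = m.end()
                continue
        i += 1
    return found

def audit(script_text):
    """Return [(line_number, [variable names])] for lines worth reviewing."""
    hits = []
    for n, line in enumerate(script_text.splitlines(), 1):
        names = unquoted_expansions(line)
        if names:
            hits.append((n, names))
    return hits

# Constructed sample script, not taken from the article.
SAMPLE = r'''@echo off
rem constructed maintenance script: show %A% and copy it
set "A=%CD%"
echo Checking %A%
set B=%A%
set "C=%A%"
for %%F in (*.log) do echo %%F
echo 100%% done
'''

if __name__ == "__main__":
    for n, names in audit(SAMPLE):
        print(f"line {n}: unquoted expansion of {', '.join(names)}")
```

Flagged lines are candidates for rewriting in the quoted form set "B=%A%" or with delayed expansion (!A!), which cmd.exe substitutes only after the line has been parsed.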

Frank Lycops gives an example: "Suppose an environment variable A has the value T & Calc and you populate this variable ('echo %A%') or assign it to another variable ('SET B=%A%'), then the command shell (DOS prompt) will launch 'calc' (calculator)."

"So far there is no harm done. But the problem is more severe in case an environment variable in this way refers to a malicious program that is installed by a user on a computer."

"If a user creates a folder on a file server with a name 'T & Program' and copies a file 'program.exe' into that folder (or even simpler through a script like program.cmd), then this program is launched with often full access rights to all files on the system itself."

Source: DataNews