EoP - $PATH Interception

PATH Hijacking: Exploitation and Mitigation Guide

Key Concepts

  • Writable Directory: A directory in the PATH variable that allows file creation/modification.

  • Order of Directories: cmd.exe, PowerShell and batch files resolve a bare command name by walking the PATH entries in order and running the first match, so a writable directory listed before C:\WINDOWS\system32 shadows every system binary for those callers. Programs that pass a bare name to CreateProcess search the system directories before PATH, so against them only names that do not already exist in those directories can be hijacked.

  • Target Executable: The malicious file is named identically to a legitimate binary.


Example Exploitation Scenario

Step 1: List the Contents of the PATH Environment Variable

Identify directories in the PATH to locate potential writable folders.

Command (PowerShell):

    $env:Path

Example Output:

    C:\Program Files\nodejs\;C:\WINDOWS\system32;

Step 2: Check Permissions of the Target Folder

Verify the permissions of a folder to ensure it allows writing.

Command:

    icacls.exe "C:\Program Files\nodejs\"

Example Output:

    BUILTIN\Users: (I)(M)
    BUILTIN\Users: (I)(R)

Legend (icacls notation):

  • (R): read, (W): write, (M): modify (write, delete and rename included), (F): full control

  • (I): inherited from the parent; (OI)/(CI): the entry also applies to child files/subdirectories

  • GR/GW/GA: generic read/write/all rights, which some installers set instead of the named ones

Any entry that grants (W), (M), (F) or GW/GA to a group the attacker belongs to (BUILTIN\Users, Authenticated Users, Everyone) is enough to plant a file.


Step 3: Place the Malicious File in the Writable Directory

Copy your malicious file (e.g., evil-file.exe) and rename it to match the target executable (cmd.exe).

Command:

    copy evil-file.exe "C:\Program Files\nodejs\cmd.exe"

How It Works

  1. PATH Resolution: when a shell (cmd.exe, PowerShell, a batch file) is given the bare name cmd.exe, it walks the PATH entries in order and runs the first file that matches.

  2. Execution of Malicious Code: because C:\Program Files\nodejs\ is listed before C:\WINDOWS\system32, the planted cmd.exe is found first and runs instead of the real one. Callers that hand a bare name to CreateProcess check the system directories before PATH, so for them only a name that does not already exist in C:\WINDOWS\system32 can be shadowed this way.


Example of Execution

When cmd.exe is called:

    cmd.exe

Sequence:

  1. Windows checks PATH and finds C:\Program Files\nodejs\cmd.exe.

  2. The malicious cmd.exe runs with the identity and privileges of the calling process. If the caller is a SYSTEM scheduled task, a service, or an administrator's shell, the planted binary inherits that privilege, which is where the escalation comes from.
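The lookup described above, as an added example written for this page (it is not code from the original): a PowerShell function that mimics cmd.exe's resolution, current directory first and then each PATH entry in order with every PATHEXT suffix, lists every match and warns when the winner sits outside %SystemRoot%. It relies only on the standard $env:Path, $env:PATHEXT and $env:SystemRoot variables; the name 'cmd' at the end is just the page's example.

```powershell
# Added example: reproduce cmd.exe's command lookup and show which file wins.
# Not part of the original page; relies only on $env:Path, $env:PATHEXT and
# $env:SystemRoot, which every Windows session defines.

function Resolve-PathCandidates {
    param([Parameter(Mandatory)] [string] $Name)

    # A name with an extension is tried as-is; a bare name gets each PATHEXT
    # suffix in turn (.COM, .EXE, .BAT, ... in the order PATHEXT lists them).
    $exts = if ([System.IO.Path]::HasExtension($Name)) { @('') } else { @($env:PATHEXT -split ';') }

    # cmd.exe looks in the current directory before any PATH entry.
    $dirs = @((Get-Location).Path) +
            @($env:Path -split ';' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ -ne '' })

    $order = 0
    foreach ($dir in $dirs) {
        foreach ($ext in $exts) {
            $candidate = $dir.TrimEnd('\') + '\' + $Name + $ext
            if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                [pscustomobject]@{
                    Order    = $order
                    Dir      = $dir
                    File     = $candidate
                    InSystem = $candidate.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)
                }
            }
        }
        $order++
    }
}

# Every match in lookup order; index 0 is the current directory, 1 the first
# PATH entry, and so on. Every row after the first is shadowed by the first.
$hits = @(Resolve-PathCandidates -Name 'cmd')
$hits | Format-Table Order, File, InSystem -AutoSize

if ($hits.Count -gt 0 -and -not $hits[0].InSystem) {
    Write-Warning ("'cmd' resolves to {0}, which is outside {1}; a binary planted there wins over the real one" -f $hits[0].File, $env:SystemRoot)
}
```

where.exe cmd lists the same matches in PATH order, and Get-Command cmd -All does so for PowerShell's own resolution (which skips the current directory); the function above adds the verdict. For a process that resolves the name through CreateProcess rather than through a shell, the system directories come first, so this report overstates the exposure for such callers.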


Security Implications

  1. Privilege Escalation: the planted binary runs at the privilege of whatever process resolves the name. A SYSTEM scheduled task, a service wrapper, or an administrator's shell that runs a bare cmd.exe hands that privilege to the attacker.

  2. Arbitrary Code Execution and Persistence: the file is executed in the context of every user on the host who invokes the name. This is a local technique, not remote code execution, unless the caller is itself reachable remotely.

  3. Data Exfiltration: the hijacking binary can read and send out whatever its caller can access.


Mitigation Strategies

1. Restrict Writable Directories

Ensure writable directories are not included in the PATH:

Commands:

  • View the permissions of every PATH directory (look for (W), (M), (F) or GW/GA granted to broad groups):

    $env:Path.Split(';') | Where-Object { $_ } | ForEach-Object { icacls $_ }
  • Remove the risky directory and keep the rest; entries added by installers usually live in the Machine scope, which needs an elevated shell:

    $keep = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' | Where-Object { $_ -and $_.TrimEnd('\') -ne 'C:\Program Files\nodejs' }
    [Environment]::SetEnvironmentVariable('Path', ($keep -join ';'), 'Machine')

    Setting the value to a single directory such as 'C:\WINDOWS\system32;' replaces the whole PATH for that scope and breaks every tool that relied on it. Where the directory must stay in the PATH, fix its ACL instead so that only administrators can create files there.
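Step 2 of the exploitation scenario checks one folder by eye; the audit called for in mitigations 1 and 4 wants the same check over every PATH entry. The following PowerShell is an added example written for this page, not code from the original: it flags PATH entries on which the current user's token holds an ACE that allows creating files (or that are missing altogether), and it removes an entry from the persistent Machine or User PATH by editing the registry value directly, which keeps %SystemRoot%-style entries unexpanded where the [Environment]::SetEnvironmentVariable round trip writes them back expanded. Assumptions: the audit runs as the low-privileged account whose exposure you want to measure, and the Machine-scope removal runs from an elevated shell.

```powershell
# Added example: find PATH directories a non-admin can write to, then remove an
# offending entry from the persistent PATH in the registry without rewriting
# the rest of the value. Not part of the original page. Assumptions: run the
# audit as the low-privileged account in question, and run
# Remove-PersistentPathEntry -Scope Machine from an elevated shell.

# Directory rights that allow creating or replacing files. Generic rights
# (GENERIC_WRITE 0x40000000, GENERIC_ALL 0x10000000) appear in ACLs as raw bits.
$script:WriteBits = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles -bor 0x40000000 -bor 0x10000000

function Get-CurrentPrincipalNames {
    # Account name plus every group in the current token (BUILTIN\Users,
    # Authenticated Users, Everyone, ... are already among the token groups).
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    [void]$names.Add($id.Name)
    foreach ($sid in $id.Groups) {
        try { [void]$names.Add($sid.Translate([System.Security.Principal.NTAccount]).Value) } catch { }
    }
    return $names
}

function Test-WritablePathEntry {
    param(
        [Parameter(Mandatory)] [string] $Dir,
        [Parameter(Mandatory)] [System.Collections.Generic.HashSet[string]] $Principals
    )
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) {
        # A dangling entry is also a finding: whoever can create the directory owns it.
        return [pscustomobject]@{ Dir = $Dir; Writable = $false; Reason = 'missing; check whether the parent lets users create it' }
    }
    $granting = foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (([int]$ace.FileSystemRights -band $script:WriteBits) -eq 0) { continue }
        if ($Principals.Contains($ace.IdentityReference.Value)) {
            '{0} ({1})' -f $ace.IdentityReference.Value, $ace.FileSystemRights
        }
    }
    # Deny ACEs are not evaluated here; confirm a hit by creating and deleting
    # a file in the directory.
    [pscustomobject]@{ Dir = $Dir; Writable = [bool]$granting; Reason = ($granting -join '; ') }
}

function Remove-PersistentPathEntry {
    param(
        [Parameter(Mandatory)] [string] $Entry,
        [ValidateSet('Machine', 'User')] [string] $Scope = 'Machine'
    )
    if ($Scope -eq 'Machine') {
        $hive   = [Microsoft.Win32.Registry]::LocalMachine
        $subKey = 'SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    } else {
        $hive   = [Microsoft.Win32.Registry]::CurrentUser
        $subKey = 'Environment'
    }
    $key = $hive.OpenSubKey($subKey, $true)   # writable handle; HKLM needs elevation
    if ($null -eq $key) { throw "cannot open the $Scope environment key" }
    try {
        # Read without expansion so %SystemRoot%-style entries survive the
        # round trip ([Environment]::GetEnvironmentVariable returns them expanded).
        $raw  = [string]$key.GetValue('Path', '', [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
        $kept = @($raw -split ';' | Where-Object { $_ -ne '' -and $_.TrimEnd('\') -ne $Entry.TrimEnd('\') })
        $key.SetValue('Path', ($kept -join ';'), [Microsoft.Win32.RegistryValueKind]::ExpandString)
    } finally {
        $key.Close()
    }
    # Running processes keep their old PATH; new logons (or a WM_SETTINGCHANGE
    # broadcast) see the edited value.
}

# Audit the PATH of the current session.
$principals = Get-CurrentPrincipalNames
$entries = $env:Path -split ';' | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ -ne '' } | Select-Object -Unique
$report  = foreach ($e in $entries) { Test-WritablePathEntry -Dir $e -Principals $principals }
$report | Format-Table Dir, Writable, Reason -AutoSize
$report | Where-Object Writable | ForEach-Object {
    Write-Warning "PATH entry '$($_.Dir)' is writable by $($env:USERNAME): $($_.Reason)"
}

# Then, from an elevated shell, drop the offender (pass the entry as it appears
# in the registry, i.e. unexpanded if it uses %ProgramFiles%):
# Remove-PersistentPathEntry -Entry 'C:\Program Files\nodejs\' -Scope Machine
```

Get-Acl does not evaluate Deny entries or the owner's implicit rights, so treat the report as a shortlist and confirm each hit by creating and deleting a file there. A flagged directory that must stay in the PATH needs its ACL tightened so that only administrators hold CreateFiles; removing the entry alone leaves the writable folder for other lookups (DLL search, scripts with relative paths) to find.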

2. Validate Executables

Use security tools to verify executables before execution.

  • Windows Defender Application Control (WDAC) can block untrusted binaries.


3. Use Application Control Policies

Implement allow-listing with tools like:

  • AppLocker: prefer publisher or hash rules. The default path rule that allows everything under C:\Program Files also allows a binary planted in a writable subfolder there.

  • Windows Defender Application Control (WDAC): enforces a signed-code policy regardless of where the file sits.

  • Microsoft Defender for Endpoint: an EDR that surfaces the execution of an unexpected binary rather than blocking it, so it complements the two above but is not an allow-list on its own.


4. Conduct Regular Audits

Perform periodic audits of:

  1. PATH Environment Variable: Ensure no unauthorized or risky directories are included.

  2. File Permissions: Regularly inspect permissions on directories.

Command:

    icacls.exe "C:\path\to\directory"

This guide covers how PATH hijacking works on Windows, how to find and abuse a writable PATH directory, and how to remove or harden such directories. Ensure all actions comply with legal and ethical guidelines.