Hi @ll,

the batch script WINRM.CMD, which contains just the single line

    @cscript //nologo "%~dpn0.vbs" %*

allows a binary planting or squatting attack: WINRM.CMD executes a rogue CSCRIPT.COM, CSCRIPT.EXE, CSCRIPT.BAT, CSCRIPT.CMD etc. (see environment variable PATHEXT) from the current working directory.

Proof of concept:

1. Start CMD.EXE
2. CHDIR /D "" (for example "%USERPROFILE%\Desktop", "%USERPROFILE%\Downloads", "%HOMEDRIVE%%HOMEPATH%" or "%TEMP%")
3. COPY "" .\CSCRIPT.COM
4. WINRM /? -> .\CSCRIPT.COM is run!

WINRM.CMD is installed as part of the (optional) "Windows Remote Management" (see ), available for Windows XP and 2003 with the hotfixes KB936059 and KB968929, and included in all later versions of Windows.

"Windows Remote Management" implements the DMTF's Web Services for Management alias WS-Management alias WS-MAN.

Trivial fix: change "@cscript " in %SystemRoot%\System32\WINRM.CMD to "@%SystemRoot%\System32\CSCript.exe "

JFTR: ain't enough! ALL executables fed to interfaces which evaluate PATH, i.e. CreateProcess(), ShellExecute(), CMD.EXE, ... MUST be specified with their fully qualified pathname.

regards
Stefan Kanthak
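The lookup order behind the report, as an added example that is not part of the original post: a simplified Python model of how an unqualified command name in a batch line is resolved (current directory first, then PATH, with PATHEXT tried in order in each directory), run against the WINRM.CMD line and the proposed fix. The names ENV, CWD, FILES, resolve and audit, the user directory and the shortened PATHEXT are constructed for illustration.

```python
import ntpath
import re

# Constructed sample data: stand-ins for the environment and the file system.
ENV = {"SYSTEMROOT": r"C:\Windows",
       "PATH": r"C:\Windows\System32;C:\Windows",
       "PATHEXT": ".COM;.EXE;.BAT;.CMD;.VBS"}
CWD = r"C:\Users\alice\Downloads"
FILES = {r"c:\windows\system32\cscript.exe",       # the genuine script host
         r"c:\users\alice\downloads\cscript.com"}  # a planted file
VULN = '@cscript //nologo "%~dpn0.vbs" %*'
FIXED = '@%SystemRoot%\\System32\\CSCript.exe //nologo "%~dpn0.vbs" %*'

def expand(text, env):
    """Replace %NAME% with its value; unknown names are left untouched."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).upper(), m.group(0)), text)

def command_of(line):
    """First token of a batch line, without the '@' echo suppressor."""
    m = re.match(r'"([^"]+)"|(\S+)', line.strip().lstrip("@"))
    return (m.group(1) or m.group(2)) if m else ""

def resolve(command, cwd, env, files):
    """Simplified model of the lookup: the current directory is searched
    before PATH, and in each directory PATHEXT is tried in order."""
    command = expand(command, env)
    folder, name = ntpath.split(command)
    dirs = [folder] if folder else [cwd] + env["PATH"].split(";")
    # Simplification: a name that already has an extension is tried as given.
    suffixes = [""] if ntpath.splitext(name)[1] else env["PATHEXT"].split(";")
    for d in dirs:
        for s in suffixes:
            candidate = ntpath.join(d, name + s)
            if candidate.lower() in files:
                return candidate
    return None

def audit(line, cwd=CWD, env=ENV, files=FILES):
    """Return (file that would run, whether the command is fully qualified)."""
    cmd = command_of(line)
    return resolve(cmd, cwd, env, files), ntpath.isabs(expand(cmd, env))

if __name__ == "__main__":
    for line in (VULN, FIXED):
        print(line, "->", audit(line))
```

The second element of the result is the property to check when reviewing other batch files: any command for which it is False depends on the directory the script happens to be started from.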