
Given cmd.exe, I observed a special case which I do not understand, and which does not seem to be explained by https://stackoverflow.com/a/4095133/16545605:

This simple command is executed as one would expect:

> type ..\..\..\..\..\..\windows\win.ini
; for 16-bit app support
[fonts]
[extensions]
[mci extensions]
[files]
[Mail]
MAPI=1

But what happens when done this way? Well, it opens Notepad with the given file and the shell is blocked until Notepad is closed again:

> cmd.exe /c "type ..\..\..\..\..\..\windows\win.ini"

On the other hand, these three variants behave as one would expect (like the first example):

> cmd.exe /c type ..\..\..\..\..\..\windows\win.ini
...
> cmd.exe /c "type" "..\..\..\..\..\..\windows\win.ini"
...
> cmd.exe /c "type C:\windows\win.ini"
...

To open Notepad, it is also possible to just give the file name. It seems cmd.exe opens the file with the default program if only the path is given:

> ..\..\..\..\..\..\windows\win.ini
> C:\windows\win.ini

So, it seems that cmd.exe is interpreting the given command as two commands, and only "executes" the second one (opening the file; everything before it is ignored). Furthermore, it seems the path has to be relative. My question now is why, and under which circumstances, this behavior happens. Please note that type is just an example. It also works with echo, ping, ipconfig, ...


If you already liked this behavior, let's add another one:

> cmd.exe /c "echo a > output.txt ..\..\..\..\..\..\windows\win.ini"
> type output.txt
a  ..\..\..\..\..\..\windows\win.ini

If you do this without cmd.exe /c, a newline is additionally introduced:

> echo a > output2.txt ..\..\..\..\..\..\windows\win.ini
> type output2.txt
a
..\..\..\..\..\..\windows\win.ini

As a Linux user, I'm just baffled by how unintuitive a shell can be. Is there some documentation on why it is as it is, and how to prevent this behavior (without removing the cmd.exe /c part)?

  • Open a [command prompt](https://www.howtogeek.com/235101/), run `cmd /?` and read the output help. It is explained already on the first help page how the argument(s) after option `/C` or `/K` are interpreted by `cmd.exe` depending on various conditions. The usage of `cmd.exe /c "type ..\..\..\..\..\..\windows\win.ini"` results in interpreting the entire argument string as the name of a file with file extension `.ini`; `cmd.exe` then uses the ShellExecuteEx function to find out which application is associated with file extension `.ini` and starts this executable with the file name as argument. – Mofi Jul 28 '21 at 17:59
  • See also: [Where is “START” searching for executables?](https://stackoverflow.com/a/27386403/3074564). The free Sysinternals (Microsoft) tool [Process Monitor](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon) can be used to capture all file system and registry accesses made by the Windows command processor, using the filter `Process Name is cmd.exe`, to see how `cmd.exe` tries to find out what to do with the command specified with wrong syntax. – Mofi Jul 28 '21 at 18:05
  • Correct would be `cmd.exe /c type ..\..\..\..\..\..\windows\win.ini` or `cmd.exe /c type "..\..\..\..\..\..\windows\win.ini"` or `cmd.exe /s /c "type ..\..\..\..\..\..\windows\win.ini"`, which should result in execution of the `cmd` internal command `type` with `win.ini`. BTW: It would also be possible to use `cmd.exe /C type \Windows\win.ini` and, best, `cmd.exe /D /C type %SystemRoot%\win.ini`. I suggest reading the Microsoft documentation about [Naming Files, Paths, and Namespaces](https://docs.microsoft.com/en-us/windows/win32/fileio/naming-a-file) on how `\Windows\win.ini` is interpreted by Windows. – Mofi Jul 28 '21 at 18:10

1 Answer

I stumbled over a blog post analyzing the behavior in the first part of my question in detail: https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/

Basically, given the following command:

> cmd.exe /c "type ..\..\..\..\..\Windows\System32\ipconfig.exe"

Windows interprets `type ..` as a "directory" and then enters the parent directories multiple times, as `..\` does, until the drive root is reached. Using this exact location we can point to arbitrary known files or executables. Given a path, cmd.exe detects that there is a file at this location and thus executes the found executable instead of interpreting the command as originally intended.
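To make the quote rule from `cmd /?` (referenced in the comments above) and the path normalization described in the answer concrete, here is a small added model of that decision in Python; it is example code written for this page, not code from the question, the blog post, or cmd.exe itself. It assumes a constructed file list in place of the real file system and simplifies the rule to strings that begin with a quote; the `/S` case shows the mitigation Mofi's comment suggests.

```python
import ntpath

# Characters that, present between the two quotes, make cmd.exe strip them.
SPECIAL = set('&<>()@^|')

# Constructed stand-in for the file system (lower-cased, normalized paths).
KNOWN_FILES = {r'c:\windows\win.ini', r'c:\windows\system32\ipconfig.exe'}

def exists(path):
    return path.lower() in KNOWN_FILES

def quote_conditions_hold(arg, s_flag=False):
    """Structural part of the rule printed by `cmd /?`: without /S, a string
    that starts with a quote, holds exactly two quotes, no special character
    and at least one space between them keeps its quotes, and cmd.exe then
    treats the whole of it as the name of one file."""
    if s_flag or not arg.startswith('"') or arg.count('"') != 2:
        return False
    inner = arg[1:arg.rfind('"')]
    return not (SPECIAL & set(inner)) and any(c.isspace() for c in inner)

def probed_path(inner, cwd):
    """Path cmd.exe looks up when the quoted text is taken as a file name: the
    command word becomes a relative directory component that the following
    `..` entries back out of again, clamped at the drive root."""
    return ntpath.normpath(ntpath.join(cwd, inner))

def strip_quotes(arg):
    """Fallback from `cmd /?`: drop the leading quote and the last quote,
    keeping any text after the last one."""
    rest = arg[1:]
    last = rest.rfind('"')
    return rest if last < 0 else rest[:last] + rest[last + 1:]

def classify(arg, cwd, s_flag=False):
    """('open', path) when cmd.exe hands an existing file to ShellExecuteEx
    instead of running a command, else ('command', text) for what it runs."""
    if quote_conditions_hold(arg, s_flag):
        path = probed_path(arg[1:arg.rfind('"')], cwd)
        if exists(path):
            return ('open', path)
    return ('command', strip_quotes(arg) if arg.startswith('"') else arg)

if __name__ == '__main__':
    cwd = r'C:\Users\alice\proj'
    cmd = r'"type ..\..\..\..\..\..\windows\win.ini"'
    print(classify(cmd, cwd))                # win.ini handed to Notepad
    print(classify(cmd, cwd, s_flag=True))   # with /S, `type` runs as intended
```

Any input whose quoted text contains `>` (the `echo a > output.txt ...` case) or more than two quotes falls through to the quote-stripping branch, which is why those variants behave as a normal command.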