{"id":44493,"date":"2015-03-11T07:00:00","date_gmt":"2015-03-11T21:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2015\/03\/11\/dubious-security-vulnerability-copying-a-program-and-running-the-copy\/"},"modified":"2019-03-13T12:13:40","modified_gmt":"2019-03-13T19:13:40","slug":"20150311-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20150311-00\/?p=44493","title":{"rendered":"Dubious security vulnerability: Copying a program and running the copy"},"content":{"rendered":"<p>This wasn&#8217;t an actual security vulnerability report, but it was inspired by one. &#8220;If you take the program <code>XYZ.EXE<\/code> and you rename it or copy it to a new name that contains the letters <code>XYX<\/code>, then you can trigger a buffer overflow in the renamed\/copied version of <code>XYZ.EXE<\/code> due to a bug in the way it parses its own file name in order to generate the names of its auxiliary files.&#8221; <\/p>\n<p>While that&#8217;s a bug, and thanks for pointing it out, it is not a security issue because there is no elevation of privilege. Sure, you could rename or copy the program and run it, but if you have permission to do that, you may as well do it the easy way: Instead of copying <code>XYZ.EXE<\/code> and running it, just copy <code>pwnz0rd.exe<\/code> and run it! Either way, it&#8217;s just a case of you attacking yourself. You did not gain any privileges. <\/p>\n<p>Renaming or copying a file requires <code>FILE_ADD_FILE<\/code> permission in the destination directory, and if you have permission to add files to a directory, why stop at just adding files that are copies of existing files? You can add entirely new files! <\/p>\n<p>In other words, instead of <code>copy XYZ.EXE XYX.EXE<\/code>, just do <code>copy pwnz0rd.exe XYX.EXE<\/code>. <\/p>\n<p>This is a variation of the dubious vulnerability known as <a HREF=\"http:\/\/blogs.msdn.com\/b\/oldnewthing\/archive\/2007\/08\/07\/4268706.aspx#4282521\"><i>Code execution results in code execution<\/i><\/a>. <\/p>\n<p>Now, this would be an actual vulnerability if you could somehow redirect attempts by other people to run <code>XYZ.EXE<\/code> from the original to your alternate <code>XYX.EXE<\/code> instead. But that would be attacking the redirection code, not attacking <code>XYZ.EXE<\/code> itself. Because if you can fool somebody into running <code>XYX.EXE<\/code> instead of <code>XYZ.EXE<\/code>, then you may as well fool them into running <code>pwnz0rd.exe<\/code>. It&#8217;s not like the <code>Create&shy;Process<\/code> function performs a hard drive scan looking for a program whose name is similar to the one you requested and running that other program instead. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Code execution results in code execution.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-44493","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"<p>Code execution results in code execution.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/44493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=44493"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/44493\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=44493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=44493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=44493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}