I love revisiting the ‘there is nothing else to be found there anymore’ cases and I described this process here.
Recently, I’ve been thinking of the WINDIR environment variable. I have already covered a few cases where WoW executables could be forced to execute any executable of our choice after the WINDIR environment variable modification, but it crossed my mind that we may try something new…
If you google what the environment variable maximum length is you will discover it is (allegedly) 32,767 characters. Luckily, Raymond Chan wrote this post that gives us a bit more (reliable) insight.
So, my thinking was … if I can force the WINDIR environment variable to fill-in the whole space used by the environment variables…. then in cases where it is used to expand a path (f.ex. for the 64-bit executable from the WoW 32-bit executable level as in cases I linked to above), there may be some path truncation happening that will render the ‘expanded’ version of the path in some unpredictable way… That is, I was hoping that if the WINDIR is long enough f.ex. close to the alleged maximum length of 32K characters, then the rest of the path would be truncated, potentially giving us an opportunity to literally run any executable on the system this way…
That didn’t happen 🙁
After playing around with it I eventually gave up. No truncation occurred, and while results were dependent on the WoW executable I tested (msra.exe, w32tm.exe, launchtm.exe), I have not identified a way to exploit this in any way.
However…
I do want to showcase one interesting observation from this attempt.
The msra.exe was a very interesting study.
I generated a batch file that was nearly 65K in size. It’s just a rather lengthy SET WINDIR=<~64K spaces>..\..\windows\notepad.exe.
So, I ran it from cmd.exe terminal, and then executed c:\WINDOWS\SysWOW64\msra.exe.
To my surprise, the program ran! Despite the fact that the WINDIR environment variable was far bigger than the alleged maximum environment block size!
Secondly, while it took a few seconds for the msra.exe to load, it did eventually show an interesting message box as an indication of an error:
The lessons learned is that the environment block can be far larger than 32K!
Using System Informer/Process Hacker we can look at the msra.exe process environment block, and here it is — a WINDIR variable taking ~64K:
(you can select all, copy it to clipboard, then paste it in Notepad, save file and check file size).
What this example teaches is that you should trust, but verify.
And it’s still possible I missed something and WINDIR or many other environment variables can be abused to do things no one ever considered…