Insecure PATH

November 13, 2021 | By Ryan Barger

The “standard search order” is the list of directories that an operating system iterates through to locate supporting files such as libraries. An attacker who possesses write privileges to any directory within the standard search order can potentially execute arbitrary code by planting a file there that the OS finds before the legitimate one. This weakness is often used to escalate privilege or gain persistent access.

The PATH environment variable is the most integral component of the standard search order: it contains a prioritized list of default locations that the OS searches, in order, when a file is not found in the directories checked earlier.

Exploitation

DLL hijacking is a technique that exploits an insecure PATH. An attacker first scours the system directories in the search order looking for a folder to which they have write access. Upon discovering one, a maliciously crafted DLL is uploaded there to usurp a trusted DLL of the same name.

DLL hijacking is greatly simplified when a DLL the OS tries to load is missing from the target system altogether, because the OS then scours every directory in the PATH before giving up. This scenario predictably unfolds in older versions of Microsoft Windows (Vista, 7, and 8) with wlbsctrl.dll. Newer versions of Windows have a similarly predictable issue with WptsExtensions.dll and the “schedule” service.

Remediation

Write access should be heavily restricted for all directories in the standard search order: the application’s startup folder and every folder itemized in the PATH variable. Application source code should also specify the full path of supporting files whenever technically feasible, so that the search order is never consulted in the first place.
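A quick way to audit the first remediation point is to walk the machine-wide PATH and report any entry that is missing or that grants write rights to low-privileged principals. The script below is an added example, not code from the original post; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows and identifies principals by well-known SID so it works regardless of display-name locale.

```powershell
# Added audit example (not from the original post): flag PATH directories that
# are missing or writable by low-privileged principals. Windows only.

# Well-known SIDs whose write access to a search-order directory is a finding.
$LowPrivSids = @(
    'S-1-1-0',        # Everyone
    'S-1-5-11',       # Authenticated Users
    'S-1-5-4',        # INTERACTIVE
    'S-1-5-32-545'    # BUILTIN\Users
)

# Rights that allow creating or replacing a file inside the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData

function Test-SearchOrderDirectory {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        # A PATH entry that does not exist is itself a finding: whoever can
        # create it later inherits a slot in the search order.
        return [pscustomobject]@{ Path = $Path; Status = 'MISSING'; Principals = @() }
    }

    $acl  = Get-Acl -LiteralPath $Path
    $hits = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or untranslatable identity: skip it
        if ($LowPrivSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { $ace.IdentityReference.Value }
    }
    $status = if ($hits) { 'WRITABLE' } else { 'OK' }
    [pscustomobject]@{ Path = $Path; Status = $status; Principals = @($hits | Sort-Object -Unique) }
}

# The machine-wide PATH is what services and scheduled tasks resolve against.
$machinePath = [Environment]::GetEnvironmentVariable('Path', 'Machine')
$machinePath -split ';' |
    Where-Object { $_.Trim() -ne '' } |
    ForEach-Object { Test-SearchOrderDirectory -Path $_.Trim() } |
    Format-Table -AutoSize
```

Any row reporting WRITABLE or MISSING should have its ACL tightened (or the entry removed from PATH); the same function can be pointed at an application's own install folder to cover the other half of the search order.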