canaries to indicate the execution of bogus or rogue DLLs and programs from unintended or unwanted locations, typically in order to detect and demonstrate programming errors which lead to weaknesses and vulnerabilities, or to catch and detect (malicious) code which exploits such weaknesses and vulnerabilities.
search path, before untrusted locations like the CWD, they additionally act as
sentinels and prevent the execution of bogus or rogue DLLs and programs.
search path handling, resulting in well-known weaknesses like CWE-426: Untrusted Search Path, CWE-427: Uncontrolled Search Path Element and CWE-428: Unquoted Search Path or Element documented in the CWE™, and allowing well-known attacks like CAPEC-471: DLL Search Order Hijacking documented in the CAPEC™.
SENTINEL.EXE is typically placed as
root directory of the
%SystemDrive%; if creation of 8.3 filenames is enabled
SENTINEL.EXE can be copied as is and a
"%SystemRoot%\System32\FSUtil.Exe" File SetShortName "%SystemDrive%\SENTINEL.EXE" PROGRAM.EXE
To list other locations (i.e. directories with a space in their name) where
SENTINEL.EXE may be placed, start a Command Prompt and run the following command lines:
For /D /R "%SystemRoot%" %! In ("* *") Do @Echo %!
For /D /R "%ProgramFiles%" %! In ("* *") Do @Echo %!
If Defined ProgramFiles(x86) For /D /R "%ProgramFiles(x86)%" %! In ("* *") Do @Echo %!
For /D /R "%USERPROFILE%" %! In ("* *") Do @Echo %!
SENTINEL.DLL is placed in the CWD and/or the
application directory of programs which load DLLs during load-time and/or runtime, using the filename of one or more DLLs loaded by the respective program or any (other) DLL loaded by it.
SENTINEL.DLL is loaded only if its execution environment matches that of the calling process!
SENTINEL.EXE write a message similar to that shown
above to Windows' Event Log using the
Vulnerability and Exploit Detector.
To retrieve these messages from the Event Log, start a Command Prompt and run the following command line:
"%SystemRoot%\System32\WBEM\WMIC.Exe" NTEvent Where "SourceName='Vulnerability and Exploit Detector'" Get /Value
For a typical output of this command line see
SENTINEL.EXE runs in an interactive user session
it also displays the message box shown above.
Note: the calling process can only be determined if it still exists and
SENTINEL.EXE runs in the same
(unprivileged) security context as the calling process, on systems
with AMD64 alias x64 processor
architecture also in the same (32- or 64-bit) execution environment
as the calling process!
SENTINEL.EXE, execute it per double-click from
Windows Explorer or call it from a
SENTINEL.DLL runs in an interactive user session
it also displays one or more message boxes similar to the one shown
Note: the message box displayed during the initial call of
offers the choice to return
failure to the
calling process. The Win32 functions
failure, while Windows' module loader
SENTINEL.DLL, open a
Command Prompt and run one of the following command
"%SystemRoot%\System32\RegSvr32.Exe" /I /N /S "‹path›\SENTINEL.DLL"
"%SystemRoot%\System32\RegSvr32.Exe" /S "‹path›\SENTINEL.DLL"
"%SystemRoot%\System32\RegSvr32.Exe" /S /U "‹path›\SENTINEL.DLL"
"%SystemRoot%\System32\RunDLL32.Exe" "‹path›\SENTINEL.DLL",RunDLL
SENTINEL.DLL is (renamed and) used as static (load-time) dependency of an arbitrary executable (a program or another DLL), loading of this executable typically fails due to unresolved external symbols, and
SENTINEL.DLL is not run:
SENTINEL.DLL does not export the symbols of the
This limitation can be overcome by forwarding the missing
DLL using a
Note: forwarding works to
LIBRARY ‹module›
EXPORTS
‹symbol›=[C:\Windows\]System32\‹filename›.‹symbol› @‹ordinal› PRIVATE
…
@‹ordinal›=[C:\Windows\]System32\‹filename›.#‹ordinal› @‹ordinal› NONAME PRIVATE
…
original DLLs with extension
original DLLs located in Windows'
system directory can be referenced with their relative path
A complete set of
DLLs for all 32-bit
of Windows XP and Windows 7 is available
%SystemDrive%\Program.Exe or (for example)
"%ProgramFiles%\Internet.Exe" instead of the intended execution of (again for example)
"%SystemDrive%\Program Files\Internet Explorer\IExplore.Exe" alias
"%ProgramFiles%\Internet Explorer\IExplore.Exe" due to missing quotes around the
long filename or pathname of the executable file that contains spaces when used in a command line like
%SystemDrive%\Program Files\Internet Explorer\IExplore.Exe -nohome alias
%ProgramFiles%\Internet Explorer\IExplore.Exe -nohome.
The resulting weakness is listed as CWE-428: Unquoted Search Path or Element in the CWE™.
This (unfortunately way too) common
error is documented in the
articles for the Win32 functions
under the heading
for the Win32 function
and (for example) in the
The (to say the very least)
weird behaviour of these
Win32 functions which lets this beginner's error go
undetected (without a properly named
sentinel placed aside
all executable files and all directories containing executable
files with a space in their name) is documented in the
articles referenced above under the heading
exists since the introduction of
long filenames with
Win32 in Windows NT 3.1 (and of course
Windows 95 too) more than 20 years ago:
[…] the module name must be the first white space-delimited token in the lpCommandLine string. If you are using a long file name that contains a space, use quoted strings to indicate where the file name ends and the arguments begin; otherwise, the file name is ambiguous. For example, consider the string "c:\program files\sub dir\program name". This string can be interpreted in a number of ways. The system tries to interpret the possibilities in the following order:
- c:\program.exe files\sub dir\program name
- c:\program files\sub.exe dir\program name
- c:\program files\sub dir\program.exe name
- c:\program files\sub dir\program name.exe
These Win32 functions play try & error where they should but fail and return an error to their caller!
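The interpretation order quoted above, as an added Python example that is not part of the original page: it enumerates the candidates CreateProcess tries for an unquoted command line and lists those tried before the intended executable, i.e. the paths where a sentinel (or a rogue program) would be picked up first. Only spaces are treated as separators, and the undocumented extension rules the author mentions are not modelled.

```python
"""Added example, not from the page: enumerate the executables CreateProcess
may try for an unquoted lpCommandLine (lpApplicationName NULL) in the order
quoted above, and list those tried before the intended one."""
import ntpath


def candidate_executables(command_line):
    """The module name is the first whitespace-delimited token, so every
    space is a possible end of the file name; ".exe" is appended when the
    prefix has no such extension, following the documented example.
    A quoted module name is unambiguous and is returned alone."""
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return [command_line[1:end if end > 0 else len(command_line)]]
    tokens = command_line.split(" ")
    candidates = []
    for count in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:count])
        if not prefix.lower().endswith(".exe"):
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def paths_tried_first(command_line, intended_executable):
    """Candidates CreateProcess tries before the intended executable: a file
    at any of these paths (a sentinel, or a rogue program) runs instead."""
    wanted = ntpath.normcase(intended_executable)
    candidates = candidate_executables(command_line)
    for index, path in enumerate(candidates):
        if ntpath.normcase(path) == wanted:
            return candidates[:index]
    raise ValueError("intended executable is not a candidate of this command line")
```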
Note: the following rules of interpretation are missing in the documentation:
.Exe first (executable files don't need to have an extension at all);
.Exe and a matching directory without extension exist are discarded;
To perform a quick (but non-exhaustive) check whether your Windows installation is affected start a Command Prompt, run the following command lines, and inspect their output:
FType | "%SystemRoot%\System32\Find.Exe" /I "=%ProgramFiles%\"
FType | "%SystemRoot%\System32\Find.Exe" /I "=%ProgramFiles"
FType | "%SystemRoot%\System32\Find.Exe" /I "=%CommonProgramFiles"
FType | "%SystemRoot%\System32\Find.Exe" /I "=!USERPROFILE:\%USERNAME%=\!"
FType | "%SystemRoot%\System32\Find.Exe" /I " %ProgramFiles%\"
FType | "%SystemRoot%\System32\Find.Exe" /I " %ProgramFiles"
FType | "%SystemRoot%\System32\Find.Exe" /I " %CommonProgramFiles"
FType | "%SystemRoot%\System32\Find.Exe" /I " !USERPROFILE:\%USERNAME%=\!"
"%SystemRoot%\System32\WBEM\WMIC.Exe" Service Get PathName /Value | "%SystemRoot%\System32\Find.Exe" /I "\Windows "
"%SystemRoot%\System32\WBEM\WMIC.Exe" Service Get PathName /Value | "%SystemRoot%\System32\Find.Exe" /I "=%ProgramFiles%\"
"%SystemRoot%\System32\WBEM\WMIC.Exe" Service Get PathName /Value | "%SystemRoot%\System32\Find.Exe" /I "=!USERPROFILE:\%USERNAME%=\!"
For a more thorough check download, read and use the batch scripts
If you detect an unquoted
long filename or pathname
containing spaces in a command line then direct the author(s) of
the defective software (for example) to the
Extending Shortcut Menus,
Verbs and File Associations,
Best Practices for File Associations,
Registering Programs with Client Types
How to Register an Internet Browser or Email Client With the Windows Start Menu,
Using Long File Names
and request a fix for this vulnerability!
If any element of the command string contains or might contain spaces, it must be enclosed in quotation marks. Otherwise, if the element contains a space, it will not parse correctly. For instance, "My Program.exe" starts the application properly. If you use My Program.exe without quotation marks, then the system attempts to launch My with Program.exe as its first command line argument. You should always use quotation marks with arguments such as %1 that are expanded to strings by the Shell, because you cannot be certain that the string will not contain a space.
The command line must specify a fully qualified absolute path to the file, followed by optional command-line options. Use quotation marks appropriately to ensure that spaces in the command line are not misinterpreted.
- lpBinaryPathName [in, optional]
- The fully qualified path to the service binary file. If the path contains a space, it must be quoted so that it is correctly interpreted. For example, "d:\\my share\\myservice.exe" should be specified as "\"d:\\my share\\myservice.exe\"".
To perform a quick (but non-exhaustive) check whether your Windows installation is affected by the other two aforementioned bugs start a Command Prompt, run the following command lines and inspect their output:
FType | "%SystemRoot%\System32\Find.Exe" /V "."
FType | "%SystemRoot%\System32\Find.Exe" /V "\"
FType | "%SystemRoot%\System32\Find.Exe" /I " %L"
FType | "%SystemRoot%\System32\Find.Exe" " %1"
For a more thorough check download, read and use the batch scripts
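An added Python example, not from the page or its batch scripts, that applies the checks the Find.Exe filters above approximate to constructed FType and WMIC Service PathName lines: it flags unquoted paths containing spaces (CWE-428), simple or relative filenames (CWE-427) and unquoted %1/%L arguments. The sample lines and the Acme names are constructed, not real output.

```python
"""Added example, not from the page or its batch scripts: an explicit parser
for the checks the Find.Exe filters above approximate, run over constructed
FType and WMIC 'Service Get PathName /Value' lines (not real output)."""
import re
EXE_EXT = re.compile(r"\.(exe|com|bat|cmd|scr)\b", re.IGNORECASE)
ABSOLUTE = re.compile(r"^([A-Za-z]:\\|\\\\|%[^%]+%\\)")   # X:\, \\server, %VAR%\

SAMPLE_FTYPE = r"""
htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" %1
Acme.Document=C:\Program Files\Acme\Viewer.exe %1
txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
Acme.Log=acmeview.exe "%1"
""".strip()
SAMPLE_WMIC = r"""
PathName=C:\Windows\system32\svchost.exe -k netsvcs
PathName=C:\Program Files\Acme\Service\acmesvc.exe
PathName="C:\Program Files\Acme\Service\acmesvc.exe"
""".strip()

def split_module(command):
    """(module, arguments, quoted) as CreateProcess delimits them."""
    if command.startswith('"'):
        end = command.find('"', 1)
        end = len(command) if end < 0 else end
        return command[1:end], command[end + 1:].strip(), True
    module, _, rest = command.partition(" ")
    return module, rest, False

def audit_command(command):
    """Return the weaknesses visible in one command string."""
    findings = []
    module, args, quoted = split_module(command)
    if not quoted:
        # The text up to the first executable extension is the intended module
        # name; a space in it makes CreateProcess try shorter names first.
        match = EXE_EXT.search(command)
        head = command[:match.end()] if match else command
        if " " in head:
            findings.append("CWE-428: unquoted path containing spaces")
    if not ABSOLUTE.match(module):
        findings.append("CWE-427: simple filename or relative pathname")
    # %1 / %L expand to the document's path, which may itself contain spaces.
    for token in re.findall(r'"[^"]*"|\S+', args):
        if token.upper() in ("%1", "%L"):
            findings.append("unquoted %1 or %L argument")
    return findings

def audit_output(text):
    """Parse 'name=command' lines (FType and WMIC /Value share this shape)."""
    results = {}
    for line in text.splitlines():
        name, sep, command = line.partition("=")
        if not sep:
            continue
        key = command if name == "PathName" else name
        findings = audit_command(command)
        if findings:
            results[key] = findings
    return results
```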
If you detect a simple filename or a partial (relative) pathname
instead of a full (absolute) pathname or an unquoted argument
(anywhere, not only) in the command lines printed
FType then direct the author(s) of the vulnerable
software (for example) to the
articles referenced above and request a fix for this vulnerability!
Also ask the author(s) of the defective software why they don't use Application Verifier to test their software!
Calls to the CreateProcess API function are subject to attack if parameters are not specified correctly. AppVerifier generates an error if CreateProcess (or other related API functions) are called with a NULL lpApplicationName parameter and an lpCommandLine parameter that contains spaces. For example, it does not allow the following as the command line parameter:
c:\program files\sample.exe -t -g c:\program files\sample\test
Using this command line, an application can inadvertently execute unwanted code if a malicious user installs his program to C:\Program.
application directory instead of Windows'
system directory due to insecure search path handling and the use of a simple filename or a relative (partial) pathname instead of an absolute (full) pathname, known as
The resulting weaknesses are listed as CWE-426: Untrusted Search Path and CWE-427: Uncontrolled Search Path Element in the CWE™.
The posts MS09-014: Addressing the Safari Carpet Bomb vulnerability, More information about the DLL Preloading remote attack vector and An update on the DLL-preloading remote attack vector on Microsoft's Security Research and Defense Blog give additional information.
For loading of DLLs the proper and secure search path handling is documented in the MSDN articles Dynamic-Link Library Security and Dynamic-Link Library Search Order, the Security Advisory 2269637, the MSKB articles 2389418 and 2533623, plus the post Load Library Safely:
Applications can control the location from which a DLL is loaded by specifying a full path or using another mechanism such as a manifest.
Wherever possible, specify a fully qualified path when using the LoadLibrary, LoadLibraryEx, CreateProcess, or ShellExecute functions.
Use fully qualified paths for all calls to LoadLibrary, CreateProcess, and ShellExecute where you can.
This exploit may occur when applications do not directly specify the fully qualified path to a library it intends to load.
Always specify the fully qualified path when the library location is constant.
Additionally see the
as well as
The server must register the full path to the installation location of the DLL or EXE module for their respective InprocServer32, InprocHandler32, and LocalServer32 keys in the registry.
This is a REG_SZ value that specifies the full path to the executable name […]
Specifies the full path to a 16-bit local server application.
Specifies the full path to a 32-bit local server application.
The ServerExecutable value, which is of type REG_SZ and is supported starting with Windows Server 2003, works in conjunction with the LocalServer32 subkey to prevent any ambiguity when using the CreateProcess function. LocalServer32 specifies the location of the COM server application to launch, and this information is passed as the first parameter lpApplicationName for CreateProcess. Depending on the implementation of CreateProcess, this information might be ambiguous. For this reason, if ServerExecutable is specified, COM passes the ServerExecutable named value to the lpApplicationName parameter of CreateProcess. If ServerExecutable is not specified, COM passes NULL as the value for the first parameter of CreateProcess.
To help provide system security, use quoted strings in the path to indicate where the executable filename ends and the arguments begin.
fail to specify the use of full (absolute) pathnames and need to be
Again: if you detect a simple filename or a
partial (relative) pathname instead of a full (absolute) pathname
in a call to a function that loads an executable file, in a command
line, in the
DESKTOP.INI file etc. as well as an unquoted
argument in a command line then direct the author(s) of the
vulnerable software (for example) to the
articles referenced above as well as
Guidelines For Developers
and request a fix for this vulnerability!
The vulnerability fixed by
is listed as
whenever an application used Win32 functions involving
Encrypting File System,
FEClient.Dll was loaded using its simple filename
instead of its fully qualified (absolute) pathname
Please notice the entries for January 2016 on Acknowledgments – 2016.
A variant of this programming error is documented in the
articles for the Win32 functions
under the heading
For the execution of programs some, but not all (now fixed) individual vulnerabilities due to insecure search path handling only in Microsoft products are documented in the MSKB articles 264061, 269049, 2781197, 2823482 and 2847927, plus the Security Bulletins MS00-052, MS13-034 and MS13-058.
but proposes to replace an absolute (full) pathname with a
simple filename which introduces this vulnerability!
Note: a registry entry of type
REG_EXPAND_SZ with value
%SystemRoot%\System32\UserInit.Exe would however avoid
For the Win32 functions
another (now fixed) individual vulnerability where the command
processor was called using the simple filename
instead of its fully qualified (absolute) pathname
%SystemRoot%\System32\CMD.Exe is documented in the
and the Security Bulletin
Please notice its
section, or see the entries for April on
Acknowledgments – 2014.
The post MS14-019 - Fixing a binary hijacking via .cmd or .bat file on Microsoft's Security Research and Defense Blog gives additional information.
This vulnerability is listed as CVE-2014-0315 in the CVE®.
Many setup scripts for device drivers of many vendors (including many WHQL certified device drivers available from Windows Update and the Microsoft Update Catalog) suffer from both beginner's errors too!
See the screenshot on the right for some examples of command lines
long pathnames and a simple filename.
Please notice the entries for
Security Researcher Acknowledgments Microsoft Online Services - Prior Months.
Programs that are run from the
%USERPROFILE%\Downloads\ or the
typically and especially (self-extracting or self-unpacking)
installers, almost always load some
DLLs from these
directories (which are their
application directory), and
typically also execute their
payload from there.
CAPICOM-KB931906-v2102.exe, a security
(sic!) update documented in the
and the Security Bulletin
LangPack.Exe for the
versions 1.0, 1.1 and 2.0, and many more are
well-known examples for arbitrary code execution, and
since Windows Vista due to
privilege escalation vulnerabilities too!
%SystemRoot%\System32\ (see Raymond Chen's TechNet magazine article Windows Confidential: History—the Long Way Through for some hindsight) that is statically linked against DLLs which are neither installed in the program's
application directory nor listed as
known DLLs (see but Windows Confidential: The Known DLLs Balancing Act) or that (delay-)loads DLLs which are not installed in the program's
application directory without using their full (absolute) pathname is susceptible to
This attack is listed as CAPEC-471: DLL Search Order Hijacking in the CAPEC™.
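Windows' documented DLL search order for a DLL loaded by simple filename, as an added Python simulation that is not from the page: the file set, the DLL name helper.dll and the known-DLL subset are constructed. It shows why a copy in the application directory (or, without SafeDllSearchMode, in the CWD) is found before the system directory, and why a full pathname or a known DLL is not affected.

```python
"""Added example, not from the page: simulate Windows' documented DLL search
order for a DLL loaded by simple filename. The file set, helper.dll and the
KNOWN_DLLS subset are constructed, not taken from a real installation."""
import ntpath

WINDIR = r"C:\Windows"
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"      # 16-bit system directory, still searched
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll"}

FILES = {                            # constructed installation
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\helper.dll",
    r"C:\Windows\System32\SysPrep\SysPrep.Exe",
    r"C:\Windows\System32\SysPrep\helper.dll",   # planted beside SysPrep.Exe
    r"C:\Users\alice\Downloads\helper.dll",      # planted in a download directory
}


def search_order(app_dir, cwd, path_dirs, safe_search=True):
    """Directories in the order LoadLibrary tries them for a simple filename.
    With SafeDllSearchMode (default since Windows XP SP2) the CWD is searched
    after the Windows directory; without it the CWD comes right after the
    application directory."""
    order = [app_dir, SYSTEM32, SYSTEM16, WINDIR]
    order.insert(4 if safe_search else 1, cwd)
    return order + list(path_dirs)


def resolve_dll(name, app_dir, cwd, path_dirs=(), safe_search=True, files=FILES):
    """Return the full path LoadLibrary(name) would map to, or None.
    A full pathname is used as given and a known DLL always comes from the
    system directory; manifests, DLL redirection and already-loaded modules,
    which precede the directory search in the real order, are not modelled."""
    present = {ntpath.normcase(p) for p in files}
    if ntpath.isabs(name):
        return name if ntpath.normcase(name) in present else None
    if name.lower() in KNOWN_DLLS:
        return ntpath.join(SYSTEM32, name)
    for directory in search_order(app_dir, cwd, path_dirs, safe_search):
        candidate = ntpath.join(directory, name)
        if ntpath.normcase(candidate) in present:
            return candidate
    return None
```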
Well-known examples of such programs are
%SystemRoot%\System32\SysPrep\SysPrep.Exe which silently gain full administrative privileges per UACs
protected administrator accounts and request administrative privileges in standard user accounts, or
%SystemRoot%\RegEdit.Exe which request full administrative privileges in
protected administrator accounts, execute these bogus or rogue DLLs with full administrative privileges too.
Note: since creation (or replacement) of files in
%SystemRoot%\System32\SysPrep\ needs administrative
privileges this weakness alone does not allow
privilege escalation; together with
auto-elevation (mis)feature for
which can be (ab)used to create (or replace) arbitrary files in
%SystemRoot%\ and below using the command line
"%SystemRoot%\System32\WUSA.Exe" ‹cabinet file› /Extract:‹target directory›
it becomes an exploitable vulnerability!
SENTINEL.EXE are pure Win32 binaries, written in ANSI C without the use of the MSVCRT libraries, built with the platform SDK for Windows Server 2003 R2 for use on Windows 2000 and newer versions of Windows.
for calls from
for calls from
RunDllW for calls from
available for the I386 alias x86,
AMD64 alias x64 and IA64
processor architectures of
SENTINEL.EXE are digitally signed using an X.509 certificate issued by WEB.DE.
SENTINEL.EXE plus the setup script
SENTINEL.INF are packaged in the digitally signed (compressed) cabinet file
X:\> EXTRACT.EXE /D SENTINEL.CAB
Microsoft (R) Cabinet Extraction Tool - Version 5.1.2600.5512
Copyright (c) Microsoft Corporation. All rights reserved..

Cabinet SENTINEL.CAB

03-16-2016  8:47:44p A---      32,065 SENTINEL.INF
03-16-2016  6:40:30p A---      28,312 AMD64\SENTINEL.DLL
03-16-2016  6:40:30p A---      28,824 AMD64\SENTINEL.EXE
03-16-2016  6:39:36p A---      27,288 I386\SENTINEL.DLL
03-16-2016  6:39:36p A---      27,288 I386\SENTINEL.EXE
03-16-2016  6:41:20p A---      39,064 IA64\SENTINEL.DLL
03-16-2016  6:41:20p A---      42,648 IA64\SENTINEL.EXE
              7 Files     225,489 bytes

X:\>
Use the command line
"%SystemRoot%\System32\Expand.Exe" /R SENTINEL.CAB /F:* ‹directory›
on Windows Vista and newer versions to extract all files into the specified directory, preserving their paths.
Expand.Exe from prior versions of Windows NT ignore the paths and junk them!
Extract.Exe from the Support Tools on Windows XP and Windows Server 2003 instead.
SENTINEL.EXE for both processor architectures!
The setup script
with various filenames into the user's
"%USERPROFILE%\Downloads\" and the system's
Software Restriction Policies
hash rules to allow execution of
SENTINEL.EXE from any path, defines the message source
for the Event Log in the registry, creates an entry
Vulnerability and Exploit Detector under
Installed Updates, and finally executes both
SENTINEL.EXE from the
installation directory to demonstrate and verify their correct
SENTINEL.CAB and verify its digital signature, then open it in Windows Explorer, extract its contents preserving the directory structure, right-click the extracted setup script
SENTINEL.INF to display its context menu and click
Install to run the installation.
SENTINEL.EXE is run during installation for every processor architecture and displays the dialog box shown on top!
Notes: I dislike
even weirder formats too) in email, I prefer to receive plain text.
I also expect to see a full (real) name as sender, not a nickname!
Emails in weird formats and without a proper sender name are likely to be discarded.
I abhor top posts and expect inline quotes in replies.
as is without any warranty, neither express nor implied.