cmd.exe executing PE files with non-executable extension #629

Open
opened 2026-01-30 21:57:30 +00:00 by claunia · 0 comments
Owner

Originally created by @mitjakolsek on GitHub (Apr 23, 2019).

  • Your Windows build number: (Type ver at a Windows Command Prompt)
  • Microsoft Windows [Version 6.1.7601]
  • Microsoft Windows [Version 10.0.17134.706]
  • (likely all other Windows versions)
  • What you're doing and what's happening: (Copy & paste specific commands and their output, or include screen shots)
  1. Copy any PE .EXE file (e.g., net.exe from System32 folder) to any folder (e.g. c:\temp)
  2. Change the copied file's extension to "txt", i.e., rename net.exe to net.txt.
  3. Launch the Console (cmd.exe) and cd to c:\temp
  4. In the Console, type net.txt and press Enter
  5. Notice that net.txt was executed as the original net.exe executable
  • What's wrong / what should be happening instead:

Not claiming this is wrong as there are probably many historical reasons for the Console to behave this way but this could lead to security problems. According to Adam's analysis the Console first attempts to launch CreateProcess with the supplied arguments, and failing that, also tries ShellExecute, which understands file associations and, e.g., launches abc.txt in Notepad.

This execution logic allows a malicious PE file with a "non-executable" extension to be launched by cmd.exe as described in this blog post by Cylera where a PE/DCM polyglot file can be parsed as a DCM image, but at the same time launched as an executable by someone attempting to view the image from the Console (cd-ing to a folder with DCM files and "launching" image01.dcm). Such scenario doesn't seem too far-fetched as double-clicking the same DCM file in Explorer would actually open the image viewer.

As to what should be happening instead: again, there's surely a reason for the Console to first try CreateProcess (which also attempts to try different 10+ extensions such as .com, .exe, .bat, ... in trying very hard to find some matching executable). How about not calling CreateProcess on files without one of these known executable extensions? Perhaps combining that with a Registry flag for such omitting of the CreateProcess call and having the omitting enabled by default so that those whose apps would break could re-enable the CreateProcess call ? (I'm fully expecting this idea to be shot down by numerous sensible arguments :)

Thanks,
Mitja Kolsek

Originally created by @mitjakolsek on GitHub (Apr 23, 2019). * Your Windows build number: (Type `ver` at a Windows Command Prompt) - Microsoft Windows [Version 6.1.7601] - Microsoft Windows [Version 10.0.17134.706] - (likely all other Windows versions) * What you're doing and what's happening: (Copy & paste specific commands and their output, or include screen shots) 1) Copy any PE .EXE file (e.g., net.exe from System32 folder) to any folder (e.g. c:\temp) 2) Change the copied file's extension to "txt", i.e., rename net.exe to net.txt. 3) Launch the Console (cmd.exe) and cd to c:\temp 4) In the Console, type net.txt and press Enter 5) Notice that net.txt was executed as the original net.exe executable * What's wrong / what should be happening instead: Not claiming this is wrong as there are probably many historical reasons for the Console to behave this way but this could lead to security problems. According to [Adam's analysis](http://www.hexacorn.com/blog/2019/04/21/cmd-exe-running-any-file-no-matter-what-extension/) the Console first attempts to launch CreateProcess with the supplied arguments, and failing that, also tries ShellExecute, which understands file associations and, e.g., launches abc.txt in Notepad. This execution logic allows a malicious PE file with a "non-executable" extension to be launched by cmd.exe as described in [this blog post by Cylera](https://labs.cylera.com/2019/04/16/pe-dicom-medical-malware/) where a PE/DCM polyglot file can be parsed as a DCM image, but at the same time launched as an executable by someone attempting to view the image from the Console (cd-ing to a folder with DCM files and "launching" image01.dcm). Such scenario doesn't seem too far-fetched as double-clicking the same DCM file in Explorer would actually open the image viewer. As to what should be happening instead: again, there's surely a reason for the Console to first try CreateProcess (which also attempts to try different 10+ extensions such as .com, .exe, .bat, ... in trying very hard to find some matching executable). How about *not* calling CreateProcess on files *without* one of these known executable extensions? Perhaps combining that with a Registry flag for such omitting of the CreateProcess call and having the omitting enabled by default so that those whose apps would break could re-enable the CreateProcess call ? (I'm fully expecting this idea to be shot down by numerous sensible arguments :) Thanks, Mitja Kolsek
claunia added the Issue-FeatureResolution-By-DesignArea-InteropProduct-Cmd.exe labels 2026-01-30 21:57:30 +00:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/terminal#629