In our last post on this topic, we demonstrated that changing a location referred to by environment variables can divert file operations from a legitimate path to a possibly malicious one.
This is a continuation of our research as described in a previous post: Elastic Boundaries – Elevating Privileges by Environment Variables Expansion. This code leverages a rather unusual scenario within the Windows OS. They can also be used to bypass UAC, allowing an attacker with limited privileges to take complete control of the system.
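The defensive counterpart to the mechanism described above is to compare the environment block a privileged process actually runs with against the machine-wide values a defender expects, and flag any path variable whose fully expanded value has moved, especially into a user-writable directory. The following is an added example written for this page, not code from the enSilo post; the baseline and process environment are constructed sample data, and the `expand`, `find_redirected` and `USER_WRITABLE_PREFIXES` names are assumptions of this example. Expansion is modelled in Python rather than calling the Win32 API so the check runs offline, and it handles nested references (`%windir%` defined as `%SystemRoot%`) and reference cycles.

```python
import re
from typing import Dict, List, Optional

# Constructed sample data (not from the post): the machine-wide baseline a
# defender expects, and the environment block of a running process in which
# one path variable has been pointed somewhere else.
SYSTEM_BASELINE: Dict[str, str] = {
    "SystemRoot": r"C:\Windows",
    "windir": r"%SystemRoot%",          # nested reference, resolves to C:\Windows
    "ProgramFiles": r"C:\Program Files",
    "TEMP": r"%SystemRoot%\TEMP",
}

SUSPECT_PROCESS_ENV: Dict[str, str] = {
    "SystemRoot": r"C:\Windows",
    "windir": r"C:\Users\alice\AppData\Local\Temp\fake_windows",  # redirected
    "ProgramFiles": r"C:\Program Files",
    "TEMP": r"%SystemRoot%\TEMP",
}

# Directories an unprivileged user can normally write to (assumed list).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

_REF = re.compile(r"%([^%]+)%")
_MAX_DEPTH = 16  # bounds recursion so A=%B%, B=%A% cannot loop forever


def _lookup(env: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive variable lookup, as Windows environment blocks are."""
    for key, value in env.items():
        if key.lower() == name.lower():
            return value
    return None


def expand(value: str, env: Dict[str, str], depth: int = 0) -> str:
    """Expand %NAME% references recursively. Unknown names are left as-is,
    mirroring how Windows expansion treats undefined variables."""
    if depth >= _MAX_DEPTH:
        return value

    def replace(match):
        referenced = _lookup(env, match.group(1))
        if referenced is None:
            return match.group(0)
        return expand(referenced, env, depth + 1)

    return _REF.sub(replace, value)


def _norm(path: str) -> str:
    """Normalise for comparison: case-fold and drop a trailing backslash."""
    return path.strip().lower().rstrip("\\")


def is_user_writable(path: str) -> bool:
    return _norm(path).startswith(USER_WRITABLE_PREFIXES)


def find_redirected(process_env: Dict[str, str],
                    baseline: Dict[str, str]) -> List[dict]:
    """Return every baseline variable whose fully expanded value in the
    process environment differs from the expected expansion."""
    findings = []
    for name, raw_expected in baseline.items():
        expected = _norm(expand(raw_expected, baseline))
        raw_actual = _lookup(process_env, name)
        if raw_actual is None:
            # Missing entirely is also a deviation worth reporting.
            findings.append({"variable": name, "expected": expected,
                             "actual": None, "user_writable": False})
            continue
        actual = _norm(expand(raw_actual, process_env))
        if actual != expected:
            findings.append({"variable": name, "expected": expected,
                             "actual": actual,
                             "user_writable": is_user_writable(actual)})
    return findings


if __name__ == "__main__":
    for finding in find_redirected(SUSPECT_PROCESS_ENV, SYSTEM_BASELINE):
        print(finding)
```

Comparing expanded values rather than raw strings matters: a raw `%SystemRoot%` and a literal `C:\Windows` are the same location and should not alert, while a variable that still reads innocuously but resolves through a redirected reference should.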
Windows environment variables can be used to run commands.

A FortiGuard Labs Threat Analysis Report: This blog originally appeared on the enSilo website on November 24, 2016, and is republished here for threat research purposes. enSilo was acquired by Fortinet in October 2019.