[German]It is almost unbelievable what can be hidden behind Windows functions and commands. The format command for formatting disks, which has been available in the command prompt for ages, has a side effect. With a parameter the call of an arbitrary DLL can be forced, which is then loaded from the search path. I could hardly believe this when it was brought to my attention.
Advertising
The facts came to my attention from Grzegorz Tworek on Twitter in a short post. The statement in the following tweet is: If you specify the name of any DLLs with a preceding letter U at the parameter /FS in the command line, the DLL is loaded from the search path.
The DOS format command allows various parameters which are described in this Microsoft document. With the switch /FS:filesystem the desired file system can be specified. According to Microsoft, the following file systems can be specified for formatting via the switch: FAT, FAT32, NTFS, exFAT, ReFS, or UDF.
Grzegorz Tworek has now noticed that there is an undocumented possibility, over which theoretically arbitrary file systems can be used when formatting. Only an appropriate DLL must be present, which takes over the formatting. As parameter for /FS then the name of this DLL with a prefix U is to be indicated. A command line of the type:
format I: /fs:MyDll.dll
Advertising
would then load the library file UMyDll.dll and cause it to be listed. This DLL is then executed in the search path, i.e. the program folder and other folders. Grzegorz Tworek has demonstrated this on his own DLL called Pwning.dll, which then displays a message box with the word Pwned! There are certainly a few ways in which this can be abused.
Advertising
Pending a fix, temporarily change the name of 'format.com' to something else?