Popping shell in a hospital

…ok, it’s almost popping shell.

A few months ago, a family member was in the hospital for surgery. The hospital, New York Presbyterian, had courteously set up a computer for family members to use. However, it was running Windows XP, which is a no-longer-supported security nightmare.

Curious, I decided to investigate.

They’d disabled nearly everything. No “run” box, no explorer, nothing except an outdated copy of IE, and Office 2003. In the “Open” dialog, nearly every folder was empty. All modifications are dumped at logoff.

So, all the easiest ways to pop shell on this security nightmare are blocked off. They at least made some effort to secure things. It’s time to look into the wonderful rabbit hole that is Excel.

The wonderful thing about Excel is that it’s extremely flexible: Even an ancient version of Office (2003, which is what they had) can embed ActiveX controls, it can run Visual Basic, it can attach any of the Windows common controls as inputs to individual cells, and many other things.

The dangerous thing about Excel is (also) that it’s extremely flexible: Every single feature increases the attack surface, and exponentially complicates security.

In this case, the ability to embed a hyperlink is the most useful feature for me. Because of the way Windows Explorer/Windows Shell works, we can point a hyperlink at a local file, and the shell will execute the action associated with that file. If the file is an html file, Windows will open it in IE; if it’s a txt file, Windows will open it in Notepad; if it’s an exe file, Windows will execute it. I think you can see where I’m going with this.

When I attempted to “customize” the link, excel popped a version of the Common File Dialog… but all accessible folders were empty!


Empty My Documents folder, with path to CMD.exe manually entered.

The “My Documents” folder, like every other browsable location, is devoid of clickable items.

So they’ve clearly tried to shrink the attack surface by hiding every clickable file, which has some value.

But again, Windows Shell link/path handling features are here to help me sneak past their security.

If you type the full path to a file in the “Address” field (or, more generally, the “Name” field), and then click OK (or, “Open”/”Save”), Windows accepts the (valid) path, and closes the dialog.

Opening the link then executes cmd.exe:

"The command prompt has been disabled by your administrator."

Tada! Command prompt opened… kinda

They (thankfully) have “disabled” the command prompt, which means I can’t easily use it to do any harm. There’s probably a way around it, but I was satisfied with getting CMD.exe to execute at all, and so I went on my way.

~ by Alexander Riccio on March 22, 2016.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Shelly L. Miller

I am an environmental engineer. I teach and research urban air pollution.

Lucky's Notes

Notes on math, coding, and other stuff


Abandoned places and history in the five boroughs

Open Mind

KIDS' LIVES MATTER so let's stop climate change

I learned it. I share it.

A software engineering blog by György Balássy

Kitware Inc

Delivering Innovation

The Electric Chronicles: Power in Flux

If someone ever tells you that you don't need more power, walk away. You don't need that kind of negativity in your life.

Ted's Energy Tips

Practical tips for making your home more comfortable, efficient and safe

love n grace

feel happy, be happy

Recognition, Evaluation, Control

News and views from Diamond Environmental Ltd.

greg tinkers

Sharing the successes and disasters.

Sam Thursfield

Software and technology from Galicia, Spain

Cranraspberry Blog

Sharing the things I love


Advances in biological systems.

The Embedded Code

Designing From Scratch

Sean Heelan's Blog

Verification, Program Analysis and Security


Connecting Research, Policy, and Practice in Education


A Group Complaint about Law, Liberty, and Leisure


Home & Kitchen Appliance Blog

Bad Science Debunked

Debunking dangerous junk science found on the Internet. Non-scientist friendly!

4 gravitons

The trials and tribulations of four gravitons and a physicist

Strange Quark In London

A blog about physics, citylive and much procastination

The Lumber Room

"Consign them to dust and damp by way of preserving them"

In the Dark

A blog about the Universe, and all that surrounds it

andrea elizabeth

passionate - vibrant - ambitious

Probably Dance

I can program and like games

a totally unnecessary blog

paolo severini's waste of bandwidth

Musing Mortoray

Programming and Life

PJ Naughter's space

Musings on Native mode development on Windows using C++

  Bartosz Milewski's Programming Cafe

Category Theory, Haskell, Concurrency, C++

Brandon's Thoughts

Thoughts on programming

David Crocker's Verification Blog

Formal verification of C/C++ code for critical systems

10 Minute Astronomy

Stargazing for people who think they don't have time for stargazing.

One Dev Job

notes of an interactive developer

Chief Cloud Architect & DevSecOps SME, Enterprise Architect, Agile Coach, Digital Transformation Leader, Presales & Tech Evangelist, Development Manager, Agilist, Mentor, Speaker and Author

TOGAF Certified Enterprise Architect • AWS Cloud Certified Solutions Architect • Azure Cloud Certified Solutions Architect • Scrum Alliance: Certified Scrum Professional (CSP), Certified Agile Leadership I (CAL 1), CSM, ACSM • Kanban Management Professional (KMP I & KMP II), Certified Enterprise Agility Coach (CEAC) • SAFe: Certified SAFe Architect, SAFe DevOps, Release Train Engineer (RTE), SAFe Consultant (SPC) • Certified Less Practitioner (CLP), Six Sigma (Greenbelt), Training from the Back of the Room (TBR) Trainer • Certified Agile Coach & Facilitator: ICP-ACF & ICP-ACC

The Angry Technician

No, the Internet is not broken.

Kenny Kerr

Creator of C++/WinRT and the Windows crate for Rust • Engineer on the Windows team at Microsoft • Romans 1:16

IT affinity!

The Ultimate Question of Life, the Universe, and Everything is answered somewhere else. This is just about IT.


The ramblings of a crazed mind

Molecular Musings

Development blog of the Molecule Engine

%d bloggers like this: