Non-debugging uses of CDB

Catching up with another tweet from 3 months ago.

VMware Workstation installs the cdb.exe debugger for you – you can play around with its features if you happen to find it during an engagement. Other than the obvious “I can run and manipulate other processes with it”, here are 2 other ideas:

AeDebug setup

Using the -iae / -iaec options you can have cdb.exe install itself as the AeDebug debugger. If you do so, the signed Microsoft binary cdb.exe will be doing the dirty deed for you, and you can then swap it for your malicious cdb.exe.

-iae install as AeDebug debugger
-iaec install as AeDebug debugger with given command tail

Launch programs via COMSPEC abuse

Cdb allows us to drop to a shell temporarily, a bit like ftp.exe, and lo and behold, it relies on the COMSPEC environment variable too. Hence we can launch a program via it, e.g. like this:

The obvious question is: why? After all, cdb.exe is a debugger and we can launch programs with it anyway. Apart from the obvious “why not”, this way we can launch a program without debugging flags (e.g. DEBUG_ONLY_THIS_PROCESS), i.e. the child process is not created as a debuggee.

Debug Environment Variables are \o/

Looking at the list of debug environment variables, one can immediately spot a lot of room for abuse.

One can hypothesize that setting e.g. _NT_SYMBOL_PATH, _NT_ALT_SYMBOL_PATH, _NT_SYMBOL_PROXY or SRCSRV_INI_FILE to point to a malicious server will ensure that the next time the OS or any application tries to reach out to a symbol server, it will actually ping the malicious server first. It could be a nice semi-covert channel to communicate with a C2. More so if executed via a proxy, e.g. via existing software (ideally the OS or some coding components) such as Windows Error Reporting (WerFault.exe), debuggers (windbg, cdb), Sysinternals tools (ProcMon), other reversing tools (IDA), etc. – the fact that it’s the good guys calling out may help to hide the activity from the prying eyes of EDR/AV.

Other ideas can circle around abusing paths, e.g. _NT_DEBUGGER_EXTENSION_PATH and WINDBG_INVOKE_EDITOR, to use them both as a persistence method and/or for LOLBIN purposes.

In my tests, not all tools obey these environment variables, so YMMV.
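As an added defender-side example (mine, not the post's), here is a small Python audit covering both the AeDebug section and the environment-variable section above: it extracts every host named in a symbol-path or proxy variable and flags those outside an allow list, flags extension, editor and srcsrv paths that sit in user-writable directories, and pulls the executable out of an AeDebug Debugger value to apply the same check. The allow list, the user-writable heuristic and the Debugger value format are assumptions, and the sample environment is constructed.

```python
import re
from urllib.parse import urlparse
# Assumed allow list for this example: symbol hosts a debugger is expected to reach.
TRUSTED_SYMBOL_HOSTS = {"msdl.microsoft.com"}
# Variables from the post that can carry a remote symbol-server or proxy target.
TARGET_VARS = ("_NT_SYMBOL_PATH", "_NT_ALT_SYMBOL_PATH", "_NT_SYMBOL_PROXY")
# Variables from the post that name code or files the debugger loads or launches.
LOCAL_VARS = ("_NT_DEBUGGER_EXTENSION_PATH", "WINDBG_INVOKE_EDITOR", "SRCSRV_INI_FILE")
# Heuristic: directory fragments an unprivileged user can usually write to.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# Constructed sample environment (not a real capture).
SAMPLE_ENV = {
    "_NT_SYMBOL_PATH": "srv*C:\\symbols*https://msdl.microsoft.com/download/symbols;"
                       "srv*C:\\symbols*http://sym.example.test/s",
    "_NT_DEBUGGER_EXTENSION_PATH": "C:\\Program Files (x86)\\Windows Kits\\10\\Debuggers\\x64\\winext;C:\\Users\\Public\\ext",
}

def remote_hosts(symbol_path):
    """Hosts named in a symbol path like 'srv*C:\\sym*https://host/x;\\\\fs\\share'."""
    hosts = []
    for part in re.split(r"[;*]", symbol_path):  # path elements and srv*cache*server pieces
        part = part.strip()
        if re.match(r"https?://", part, re.I):
            hosts.append((urlparse(part).hostname or "").lower())
        elif part.startswith("\\\\"):  # UNC share: \\host\share
            hosts.append(part.split("\\")[2].lower())
    return hosts

def audit_environment(env):
    """(variable, value) pairs pointing at an untrusted host or a user-writable path."""
    findings = []
    for var in TARGET_VARS:
        value = env.get(var, "")
        if var == "_NT_SYMBOL_PROXY":  # proxy is host:port, not a symbol path
            hosts = [value.split(":")[0].lower()] if value else []
        else:
            hosts = remote_hosts(value)
        findings += [(var, h) for h in hosts if h not in TRUSTED_SYMBOL_HOSTS]
    for var in LOCAL_VARS:
        for element in env.get(var, "").split(";"):
            if any(hint in element.lower() for hint in USER_WRITABLE):
                findings.append((var, element))
    return findings

def audit_aedebug(debugger_value):
    """AeDebug 'Debugger' executable (value format assumed) and whether it is user-writable."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', debugger_value)
    exe = (m.group(1) or m.group(2)) if m else ""
    return exe, any(hint in exe.lower() for hint in USER_WRITABLE)
```

On a live host the same functions can be fed os.environ and the AeDebug Debugger value read from the registry; an empty findings list means nothing looked off.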