Hi @ll, on their "Security Research & Defense" blog, members of Microsoft's Security Response Center recently posted <https://blogs.technet.microsoft.com/srd/2018/04/04/triaging-a-dll-planting-vulnerability/>
This blog post but clearly shows that the MSRC doesn't know how Windows handles the PATH! Error #1 ~~~~~~~~ | The directories that are in the PATH environment variable are always | admin ACLed and a normal user can't modify contents of these directories. ... | What Microsoft won't address (not a vulnerability) | PATH directory scenarios - Since there can't be a non-admin directory in | the PATH this can't be exploited. OUCH! The user can modify the PATH environment variable as s/he likes and add arbitrary directories! 1) Start a command prompt, then run the following commands: MKDIR "%SystemDrive%\fubar" PATH %SystemDrive%\fubar;%PATH% START %ComSpec% /K PATH 2) The PATH environment variable is built during user logon from the system's PATH, stored in the registry entry [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment] "PATH"=expand:"%SystemRoot%\\System32;%SystemRoot%;%SystemRoot%\\System32\\WBEM;..." plus the user's PATH, stored in the registry entry [HKEY_CURRENT_USER\Environment] "PATH"=expand:"<arbitrary directory>;..." To add one or more arbitrary user-controlled directories to this persistent PATH, set the latter registry entry, for example via control panel. When a user does this, control panel broadcasts a WM_SETTINGCHANGE to all applications. Especially Windows' File Explorer (the "shell") rebuilds the PATH environment variable upon receiving this broadcast! 3) To add one or more arbitrary user-controlled directories to an applications <filename.exe> PATH, create the registry entry [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\<filename.exe>] "PATH"="<arbitrary directory>;..." See <https://msdn.microsoft.com/en-us/library/ee872121.aspx> Error #2 ~~~~~~~~ | 6. The directories that are listed in the PATH environment variable. | Note that this does not include the per-application path specified | by the App Paths registry key. The App Paths key is not used when | computing the DLL search path. OUCH! The per-application path stored beneath the "App Paths" registry key is prepended (NT 5.x and below) or appended (NT 6.x and above) to the PATH environment variable when an application is started via one of the ShellExecute*() functions. Error #3 ~~~~~~~~ | DLL planting issues that fall into the category of PATH directories | DLL planting are treated as won't fix. OUCH! The MSRC also ignores the fact that CHDIR "<arbitrary directory>" START <application> is equivalent to adding "<arbitrary directory>" in front of the PATH! JFTR: loading of DLLs from the CWD can be disabled via [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager] "CWDIllegalInDllSearch"=dword:ffffffff (see <https://support.microsoft.com/en-us/help/2264107>) stay tuned Stefan Kanthak