{
	"id": "24e2fe96-5c86-407a-a7da-224691338666",
	"created_at": "2026-04-06T00:09:11.317249Z",
	"updated_at": "2026-04-10T03:20:16.583662Z",
	"deleted_at": null,
	"sha1_hash": "f96e280c00547b31192822cbf9ab05fcf96a64be",
	"title": "MS14-019 – Fixing a binary hijacking via .cmd or .bat file",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 34149,
	"plain_text": "MS14-019 – Fixing a binary hijacking via .cmd or .bat file\r\nBy swiat\r\nPublished: 2014-04-08 · Archived: 2026-04-06 00:03:08 UTC\r\nCommand (.cmd) and batch (.bat) files can be passed directly to CreateProcess as if they were\r\nexecutables. CreateProcess automatically uses cmd.exe to run the input .cmd or .bat file.\r\nToday, with bulletin MS14-019, we are fixing a vulnerability where, in a particular scenario, it is possible to\r\nhijack cmd.exe with a copy present in the attacker-controlled current working directory (CWD) of an affected\r\napplication.\r\nThe typical attack vector for this vulnerability is the same as for DLL hijacking, i.e., opening an application-specific\r\nfile on a WebDAV/SMB share, which invokes the targeted application automatically because of file association.\r\nThe targeted application is vulnerable only if it ever calls CreateProcess on a .cmd or .bat file, irrespective of\r\nwhere the file is located. That means the attacker need not control the .cmd or .bat file. Another important condition for\r\nexploiting this vulnerability is that the application must set the directory from which the associated file was\r\nopened as its CWD.\r\nAs such we are not aware of any application that is affected by this vulnerability. But we understand the security\r\nissue this vulnerability can pose to some applications, so we are addressing this as an important severity\r\nbulletin.\r\nThe way we are fixing this issue is to always invoke the system version of cmd.exe for the input .cmd or .bat\r\nfile during process creation. This fix could affect applications that call CreateProcess on a .bat or .cmd file\r\ndirectly and depend on a version of cmd.exe other than the one present in the System directory by copying\r\nit into either the application directory or the CWD. 
Such applications should pass the fully qualified path to the version of\r\ncmd.exe as input when calling CreateProcess, and pass the .cmd or .bat file as an input parameter.\r\nApplications passing just cmd.exe to CreateProcess to run a .cmd or .bat file as input could also be vulnerable\r\nto similar binary hijacking. This bulletin does not address such vulnerable usage, since it is an application-specific\r\nproblem: they are not passing the fully qualified system path to cmd.exe. Such applications should be fixed to pass the fully\r\nqualified cmd.exe path or to pass just the .cmd or .bat file as input.\r\n- Swamy Shivaganga Nagaraju, MSRC engineering team\r\nSource: https://blogs.technet.microsoft.com/srd/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blogs.technet.microsoft.com/srd/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file/"
	],
	"report_names": [
		"ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file"
	],
	"threat_actors": [],
	"ts_created_at": 1775434151,
	"ts_updated_at": 1775791216,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f96e280c00547b31192822cbf9ab05fcf96a64be.pdf",
		"text": "https://archive.orkl.eu/f96e280c00547b31192822cbf9ab05fcf96a64be.txt",
		"img": "https://archive.orkl.eu/f96e280c00547b31192822cbf9ab05fcf96a64be.jpg"
	}
}