GMS-2023-1381: Under-validated ComSpec and cmd.exe resolution in Mutagen projects

Impact

Mutagen projects offer shell-based execution functionality. On Windows, the shell is resolved using the standard %ComSpec% mechanism, with a fallback to a %PATH%-based search for cmd.exe. While this is the standard practice on Windows systems, it presents somewhat risky behavior.

Firstly, %ComSpec% could, in theory, be set maliciously. Unfortunately, there’s not much that can be done to prevent this attack surface, because %ComSpec% is the official mechanism for shell specification on Windows. We can, however, validate that it points to an absolute path, which one would expect for a properly set value.

Secondly, a fallback to a relative cmd.exe path, resolved via %PATH%, could be risky. The risk is largely mitigated by changes in Go 1.19 and later, but prior to that a malicious cmd.exe could been resolved in the current working directory. To mitigate this issue, Mutagen now uses the %SystemRoot% environment variable (also validated to be an absolute path) to resolve cmd.exe in the event that %ComSpec% is not set correctly.

Patches

The problem has been patched in Mutagen v0.16.6 and v0.17.1. Earlier versions of Mutagen are no longer supported and will not be patched. Versions of Mutagen after v0.18.0 will also have the patch merged.

Workarounds

Maintain control of the environment variable settings on your system, in particular the ComSpec environment variable.

References

More information on %ComSpec% can be found online.

More information on Go’s PATH-based lookup changes can be found here, here, and here.

A similar issue that was addressed within the Python subprocess module also provides additional discussion.