8

I stumbled on a Windows bug leading to code execution. I believe it should be categorized as a vulnerability but Microsoft does not recognize it as such. I would like to read other opinions.

Functionality

The bug affects the context menu "Open PowerShell here" which is activated when a user SHIFT-right clicks on a folder in Windows Explorer.

Windows Explorer context menu "Open PowerShell window here"

Normal behaviour

Normally that command is supposed to open a PowerShell terminal with the working directory set on the specified folder.

PowerShell terminal with the working directory set to the specified folder

The Bug (Vulnerability?)

The bug is triggered when a folder contains a single quote (apostrophe). In that case the PowerShell terminal executes what follows the apostrophe as if it were a series of PowerShell commands.

For example when opened in this manner, a folder name of Folder Name';calc;echo pwned;' would open the calculator and write pwned on the terminal, as follows:

PowerShell terminal having executed commands listed in the folder name

Possible Implications

This bug could be abused leading to unauthorized code execution in those contexts where victims are likely to use PowerShell on folder names crafted by attackers (USB keys, ZIP files, network shares). It requires user interaction which for certain classes of users is part of the normal daily workflow. It is not easily discovered as malicious folder names can be hidden by preceding them with long strings and following them by clearing the console.

What I did so far

I submitted the bug to the Microsoft Security Response Center, who replied that it "does not meet the definition of a security vulnerability". The CVE-ID submission form instructs to contact Microsoft directly. SANS and my national CERT did not reply.

Questions

  • Would you consider this as a security vulnerability?
  • If so, how would you classify it? (injection, local/remote code execution etc.)
  • Should it be covered by the Microsoft Bug Bounty program?
  • How would you report it given the reactions?
Enos D'Andrea
  • 1,047
  • 5
  • 12

1 Answer

4

Interesting bug you found... Apparently the directory parameter passed to PowerShell isn't properly escaped.

  • Is this a security vulnerability?

IMHO it is one, but not very dangerous per se. If somebody were to open PowerShell in your crafted folder, there are simpler methods to achieve code execution (e.g. as Windows by default includes the current directory in the PATH). One danger of your bug is that the malicious code hides in the folder name instead of any script file, so it is less likely to be caught by an antivirus solution.

  • If so, how would it be best classified? (injection, local/remote code execution etc.)

Lack of proper input handling

  • Is it covered by the Microsoft Bug Bounty program?

Based on the response from the Microsoft Security Response Center you posted, apparently not.

  • How should one report it given the reactions?

Report it as a "regular" bug with the Windows feedback app.

vidarlo
  • 12,850
  • 2
  • 35
  • 47
andaris
  • 81
  • 2
  • 1
    In PowerShell the current working directory is not part of the Windows PATH. Even if it were, it would be after OS paths so OS commands would be executed instead. What other methods of achieving unauthorized code execution are you referring to? – Enos D'Andrea Feb 23 '21 at 13:32
  • Thanks for your answer, apparently Microsoft changed the PATH behaviour in a later version of PowerShell. The command `commandname` was not found, but does exist in the current location. Windows PowerShell does not load commands from the current location by default. – andaris Feb 23 '21 at 14:10
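The following PowerShell is an added example, not code from the question, the answer or Microsoft, to show concretely what the question's folder name does and what the answer means by "not properly escaped". It assumes (not stated on the page) that the context-menu verb pastes the folder path verbatim between single quotes, in the form `Set-Location -LiteralPath '%V'`; the function names, the folder path and the root used by the scanner are constructed for the example. Nothing in the folder name is executed: the script only asks PowerShell's own parser how many statements it would see, and then shows the fix (doubling the apostrophe, the only escape a single-quoted PowerShell literal needs) plus a defender-side check for folder names containing an apostrophe.

```powershell
# Added example (not from the original post). Assumption: the "Open PowerShell
# window here" verb builds a command line of the form
#   powershell.exe -noexit -command Set-Location -LiteralPath '%V'
# i.e. the folder path is substituted verbatim between single quotes.

# Unsafe: the folder path is dropped straight into a single-quoted literal,
# so an apostrophe in the name closes the literal early.
function Build-UnsafeCommand {
    param([string]$FolderPath)
    "Set-Location -LiteralPath '$FolderPath'"
}

# Safe: inside a single-quoted PowerShell string the only special character
# is the apostrophe itself, and it is escaped by doubling it ('' -> ').
function Build-SafeCommand {
    param([string]$FolderPath)
    $escaped = $FolderPath -replace "'", "''"
    "Set-Location -LiteralPath '$escaped'"
}

# Count the top-level statements PowerShell would parse, without running any.
function Get-StatementCount {
    param([string]$Script)
    $tokens = $null
    $errors = $null
    $ast = [System.Management.Automation.Language.Parser]::ParseInput(
        $Script, [ref]$tokens, [ref]$errors)
    $ast.EndBlock.Statements.Count
}

# Defender check: list folders whose names contain an apostrophe, e.g. on a
# freshly mounted USB stick or share, before anyone right-clicks into them.
function Find-ApostropheFolders {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.Contains("'") } |
        Select-Object -ExpandProperty FullName
}

# Constructed folder path with the same shape as the name in the question.
$folder = "C:\Temp\Folder Name';calc;echo pwned;'"

$unsafe = Build-UnsafeCommand $folder
$safe   = Build-SafeCommand   $folder

"Unsafe command : $unsafe"
"  statements   : $(Get-StatementCount $unsafe)"
"Safe command   : $safe"
"  statements   : $(Get-StatementCount $safe)"

# Example scan of a constructed root; adjust to the drive or share you mount.
"Folders with an apostrophe under C:\Temp:"
Find-ApostropheFolders -Root 'C:\Temp'
```

Run as a script or paste into a session: the unsafe command line parses into several statements (Set-Location, calc, echo and a trailing empty string), which is exactly what the terminal in the question ends up executing, while the escaped version parses into a single Set-Location whose path argument is the whole folder name. The scanner is the practical mitigation side: a quick inventory of apostrophe-bearing folder names on untrusted media gives an administrator something to act on even though Microsoft does not treat the quoting as a security bug.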