Is this Windows local code execution bug also a security vulnerability?

I stumbled on a Windows bug leading to code execution. I believe it should be categorized as a vulnerability but Microsoft does not recognize it as such. I would like to read other opinions.

Functionality

The bug affects the context menu “Open PowerShell here” which is activated when a user SHIFT-right clicks on a folder in Windows Explorer.

Windows Explorer context menu "Open PowerShell window here"

Normal behaviour

Normally that command is supposed to open a PowerShell terminal with the working directory set on the specified folder.

PowerShell terminal with the working directory set to the specified folder

The Bug (Vulnerability?)

The bug is triggered when a folder contains a single quote (apostrophe). In that case the PowerShell terminal executes what follows the apostrophe as if it were a series of PowerShell commands.

For example when opened in this manner, a folder name of Folder Name';calc;echo pwned;' would open the calculator and write pwned on the terminal, as follows:

PowerShell terminal having executed commands listed in the folder name

Possible Implications

This bug could be abused leading to unauthorized code execution in those contexts where victims are likely to use PowerShell on folder names crafted by attackers (USB keys, ZIP files, network shares). It requires user interaction which for certain classes of users is part of the normal daily workflow. It is not easily discovered as malicious folder names can be hidden by preceding them with long strings and following them by clearing the console.

What I did so far

I submitted the bug to the Microsoft Security Response Center, who replied that it “does not meet the definition of a security vulnerability”. The CVE-ID submission form instructs to contact Microsoft directly. SANS and my national CERT did not reply.

Questions

  • Would you consider this as a security vulnerability?
  • If so, how would you classify it? (injection, local/remote code execution etc.)
  • Should it be covered by the Microsoft Bug Bounty program?
  • How would you report it given the reactions?


Why does msfvenom payload dll create the run32dll subprocess after it is injected into the explorer process memory?

I am researching payloads that msfvenom (Metasploit Framework) can generate and existing methods of injecting them into processes, for manual incident investigation.
Initial data

Target: Windows 10 x64 (19041.804)
Client: Kali Linux 2…

How does malware avoid AV’s when using a simple DLL injection technique?

As far as I understand it, a simple approach for a malware DLL injection would require 2 DLLs. The first for the DLL side loading, while the malicious DLL remains encrypted. And then this ‘loader’ would decrypt the DLL and inject the paylo…

How can I execute a base64 encoded exe stored as a variable, inside a powershell script without writing any files?

Basically, if I have exe1 encoded with base64 and I copy that encoded source into a PowerShell script as a variable, I want to be able to decode it and execute the source exe without writing the exe to disk. Is this possible? If so, how can …

JavaScript injection minimal example using node/express not working: <script> not executed [duplicate]

I want to create a minimal example where JavaScript injection/XSS is working. This is my example server:

const express = require("express");
const path = require("path");

const app = express();
const port = 3000;

app…