Thursday, July 16, 2009

Executing arbitrary powershell script from the command line

504462739_04be0d5daf_oAfter playing around with PowerShell, I quickly found that there seem to have been given a considerable amount of thought to the security aspect of it. Two security features which I found were:

  • The default action for powershell scripts (.ps1) is “Edit”, not “Run”. This means that plain powershell scripts can’t create the same amount of havoc as VBS scripts did (by enticing users to double-click them)
  • Again, by default, scripts must be signed to be run! Otherwise you get a nice error message: “File X cannot be loaded because the execution of scripts is disabled on this system. Please see "get-help about_signing" for more details.” It is great that the default config is secure (even though it is probable that many admins will change the default policy, at least the all the home users will be protected)

So, how can you invoke powershell from the command line and make it execute an arbitrary script? Very easily:

powershell "get-content -path runme.ps1|invoke-expression"

How this works: powershell evaluates the expression given at the command line. This expression in turn loads the content of the target file and then passes it on to PS’s version of eval. How can this be used for malicious purposes: including the command line inside of a .lnk file and sending that to the victim (a behavior which has been used in the past).

Conclusion: it is good to see that Microsoft is considering security, but then again it is very hard (if not impossible) to make something secure such that it is still usable.

Picture taken from fontplaydotcom's photostream with permission.

No comments:

Post a Comment