CVE-2022-29590 - PowerShell Universal Published Folder Escape

PowerShell Universal

April 21, 2022

This blog post details the vulnerability CVE-2022-29590 in PowerShell Universal.

Description

Directory traversal in Published Folders in Ironman Software’s PowerShell Universal version 1.0.0 through 3.0.0-beta3 can allow a remote attacker to access arbitrary files on the remote system by using an HTTP web request.

CVSS - High 8.6

We have determined that this vulnerability scores high (8.6) on the Common Vulnerability Scoring System.

Vector String:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Affected Versions

Affects versions 1.0.0 through 3.0.0-beta3 (all previously published versions).

Affected Configurations

Customers without Published Folders configured are not exposed to this vulnerability. Customers with unauthenticated Published Folders risk unauthenticated remote attackers accessing any file on the system. Customers with authenticated Published Folders risk authenticated remote attackers accessing any file on the system.

Remediation

We encourage users to disable published folders or upgrade to a patched version. All downloads can be found on our downloads page.

The following version numbers contain the fix for this issue.

Root Cause

The root cause is invalid path handling in the Published Folder component. Because of the way paths were combined, an absolute path passed to the published folder endpoint can reach any file on the system that the PowerShell Universal server account has access to.

For example, you could configure a Published Folder like this.

New-PSUPublishedFolder -Path C:\test -RequestPath "/test" 

An attacker could then craft a request with an absolute path to download files outside of the published folder. This example downloads taskmgr.exe from the System32 directory.

Invoke-WebRequest http://localhost:5000/test/C:/Windows/System32/taskmgr.exe -OutFile taskmgr.exe
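
The path-combination behaviour described above, as an added example that is not PowerShell Universal's own code. The page does not name the API involved, so the use of .NET's `Path.Combine` is an assumption; `Join-Naive`, `Resolve-PublishedPath` and the sample request remainders are hypothetical, and Windows path semantics are assumed.

```powershell
# Added example: illustrates the bug class, not PowerShell Universal's source.
# Join-Naive and Resolve-PublishedPath are hypothetical names.
# Assumes Windows path semantics (drive-rooted paths such as C:/...).

$root = 'C:\test'   # published folder from the example above

# Naive join: .NET's Path.Combine discards the first argument when the
# second one is rooted, so the published folder is silently ignored.
function Join-Naive {
    param([string]$Root, [string]$Relative)
    [System.IO.Path]::Combine($Root, $Relative)
}

# Hardened join: reject rooted input, canonicalize the result, then confirm
# it is still located under the published folder.
function Resolve-PublishedPath {
    param([string]$Root, [string]$Relative)

    if ([System.IO.Path]::IsPathRooted($Relative)) {
        throw "Rooted path rejected: $Relative"
    }

    $sep      = [System.IO.Path]::DirectorySeparatorChar
    $fullRoot = [System.IO.Path]::GetFullPath($Root).TrimEnd($sep) + $sep
    $full     = [System.IO.Path]::GetFullPath(
                    [System.IO.Path]::Combine($fullRoot, $Relative))

    # Prefix check includes the trailing separator so C:\test2 does not
    # pass as a child of C:\test.
    if (-not $full.StartsWith($fullRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Path escapes published folder: $Relative"
    }
    $full
}

# Constructed request remainders (the part of the URL after /test/).
$samples = 'docs/readme.txt', 'C:/Windows/System32/taskmgr.exe', '../other/file.txt'

foreach ($s in $samples) {
    $naive = Join-Naive -Root $root -Relative $s
    try   { $safe = Resolve-PublishedPath -Root $root -Relative $s }
    catch { $safe = "REJECTED ($($_.Exception.Message))" }
    [pscustomobject]@{ Request = $s; Naive = $naive; Hardened = $safe }
}
```

The same containment check is useful when reviewing any file-serving endpoint that builds a filesystem path from a URL segment.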

Timeline

Vulnerability Response Policy

We encourage all customers and security researchers to work with us when vulnerabilities are identified or suspected. You can find more information about our policy here.