This blog post details the vulnerability CVE-2022-29590 in PowerShell Universal.
Directory traversal in Published Folders in Ironman Software’s PowerShell Universal version 1.0.0 through 3.0.0-beta3 can allow a remote attacker to access arbitrary files on the remote system by using an HTTP web request.
We have determined that this vulnerability scores high (8.6) on the Common Vulnerability Scoring System.
Affects versions 1.0.0 through 3.0.0-beta3 (all previously published versions).
Customers without Published Folders configured are not exposed to this vulnerability. Customers with unauthenticated Published Folders risk unauthenticated remote attackers accessing any file on the system. Customers with authenticated Published Folders risk authenticated remote attackers accessing any file on the system.
We encourage users to disable published folders or upgrade to a patched version. All downloads can be found on our downloads page.
The following version numbers contain the fix for this issue.
The root cause is invalid path handling in the Published Folder component. Because of the way paths were combined, an absolute path passed to the published folder endpoint could be used to access any file on the system that the PowerShell Universal server account has access to.
For example, you could configure a Published Folder like this.
New-PSUPublishedFolder -Path C:\test -RequestPath "/test"
An attacker could then craft a request with an absolute path to download files outside of the published folder. This example downloads taskmgr.exe from the
Invoke-WebRequest http://localhost:5000/test/C:/Windows/System32/taskmgr.exe -OutFile taskmgr.exe
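The behaviour described above matches how .NET's Path.Combine treats a rooted second argument: the base folder is discarded. The following is an added example, not PowerShell Universal's code; it assumes the paths were combined in a Path.Combine-like way, runs on Windows, and Resolve-PublishedFile and its parameters are hypothetical names. It shows the combined value next to the result of a containment check on the canonical path.

```powershell
# Added example, not PowerShell Universal's code. Resolve-PublishedFile and its
# parameters are hypothetical names; C:\test comes from the post above.
function Resolve-PublishedFile {
    param(
        [Parameter(Mandatory)] [string] $Root,         # folder on disk, e.g. C:\test
        [Parameter(Mandatory)] [string] $RelativePath  # URL remainder after the request path
    )

    # Canonical root with exactly one trailing separator, so that C:\test does
    # not also match a sibling folder such as C:\test-backup.
    $sep = [System.IO.Path]::DirectorySeparatorChar
    $rootFull = [System.IO.Path]::GetFullPath($Root).TrimEnd($sep) + $sep

    # Path.Combine returns its second argument unchanged when that argument is
    # rooted, so the combined value alone proves nothing about containment.
    $combined = [System.IO.Path]::Combine($rootFull, $RelativePath)

    # GetFullPath collapses "..", "." and mixed separators before the comparison.
    $full = [System.IO.Path]::GetFullPath($combined)

    # Case-insensitive comparison is an assumption that fits Windows file systems.
    if (-not $full.StartsWith($rootFull, [System.StringComparison]::OrdinalIgnoreCase)) {
        return $null   # outside the published folder: the caller should answer 404
    }
    return $full
}

# Constructed sample inputs (Windows paths).
$samples = 'report.txt', 'sub/report.txt', 'C:/Windows/System32/taskmgr.exe',
           '../Windows/win.ini', '/Windows/win.ini'

foreach ($s in $samples) {
    $resolved = Resolve-PublishedFile -Root 'C:\test' -RelativePath $s
    [pscustomobject]@{
        Requested = $s
        Combined  = [System.IO.Path]::Combine('C:\test', $s)   # what a naive join yields
        Served    = if ($resolved) { $resolved } else { '(rejected)' }
    }
}
```

The Combined column shows the absolute request path replacing C:\test entirely, while the Served column shows only the two paths under C:\test being accepted.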
We encourage all customers and security researchers to work with us when vulnerabilities are identified or suspected. You can find more information about our policy here.