Ironman Software Forums
Continue the conversion on the Ironman Software forums. Chat with over 1000 users about PowerShell, PowerShell Universal, and PowerShell Pro Tools.
Discuss this Article
Overview
All supported versions of PowerShell Universal are affected by CVE-2023-49213. This vulnerability allows remote attackers to execute arbitrary commands over HTTP by exploiting the PowerShell Universal API endpoints with specially crafted requests. Please update immediately. Patched versions include:
- 4.2.1
- 4.1.10
- 3.10.2
About CVE-2023-49213
CVE-2023-49213 is a remote code execution vulnerability that affects all supported versions of PowerShell Universal. Due to improper sanitization of input strings, an attacker can provide specially crafted input to the PowerShell Universal API endpoints to execute arbitrary commands on the server. Endpoints that require authentication will require that the attacker has valid credentials. See below for technical information about the vulnerability.
Affected Versions
All supported versions of PowerShell Universal 3.0.0 through 4.2.0.
Remediation
Upgrade to PowerShell Universal to one of the following versions:
- 4.2.1
- 4.1.10
- 3.10.2
It is also possible to avoid this issue by adjusting endpoints to avoid using a param block. For example, if you have an endpoint that is implemented like this:
param(
[string]$Name
)
$Name
You would remove the param and use the $Name variable directly. The script would become the following.
$Name
Technical Details
Due to invalid processing of parameter values, certain strings would execute commands on the server when applying them to a parameter. For example, the following request would execute Start-Process on the server and open Notepad.
import requests
url = "http://localhost:5000/exploit"
payload = {'exploit': '\'(Start-Process Notepad)\''}
files=[]
headers = {}
response = requests.request("PUT", url, headers=headers, data=payload, files=files)
Any endpoint that contains parameters, like below, is susceptible to this vulnerability.
param(
[string]$exploit
)
$exploit
Acknowledgement
Ironman Software would like to thank Héctor Cavalcanti Saavedra from Autosécurité SA for reporting this vulnerability. We encourage all users and security researchers to review our security policy and responsibly disclose any vulnerabilities to Ironman Software.
Timeline
- November 16th, 2023 - 5:28 AM - Héctor Cavalcanti Saavedra (Autosécurité SA) reached out to Ironman Software to report the vulnerability.
- November 16th, 2023 - 6:09 AM - Ironman Software acknowledged the vulnerability and began working on a fix.
- November 16th, 2023 - 7:44 AM - Ironman Software requests a CVE number from MITRE.
- November 16th, 2023 - 9:30 AM - Ironman Software released PowerShell Universal 4.2.1, 4.1.10 and 3.10.2 to address the vulnerability and published this disclosure.
- November 23th, 2023 - 3:30 PM - MITRE assigned CVE-2023-49213 to this vulnerability.
Questions
Please contact Ironman Software support.