|
Saturday, May 13, 2006
Potential Security Problem of PSSnapin Installation and Execution
Supposed you have a PSSnapin:
using System;You built it by yourself or simply downloaded it from internet. You (An Administrator) copied it to a folder and ran installutil.exe to install it. Then you tried to use it in PowerShell:
using System.ComponentModel;
using System.Management.Automation;
namespace TestSnapin
{
[RunInstaller(true)]
public class MySnapin : PSSnapIn
{
public override string Name
{
get { return "Test"; }
}
public override string Vendor
{
get { return "http://MSHForFun.blogspot.com/"; }
}
public override string Description
{
get { return "Test"; }
}
}
public class Class2
{
public string Who
{
get { return "Good Guy!"; }
}
}
}
>get-pssnapin -regLooks perfect, right? But
Name : Test
PSVersion : 1.0
Description : Test
> add-pssnapin test
> $a = new-object TestSnapin.Class2
> $a.Who
Good Guy!
- The folder where you save your PSSnapin is writeable by any user, so anyone can change your PSSnapin.
- Your PSSnapin assembly is not signed, so PowerShell will load it without checking its integrity. See the registry key about your PSSnapin
Windows Registry Editor Version 5.00Suppose there were a malicious user wrote a PSSnapin like yours PSSnapin except Class2:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellSnapIns\Test]
"PowerShellVersion"="1.0"
"Vendor"="http://MSHForFun.blogspot.com/"
"Description"="Test"
"Version"="1.0.0.0"
"ApplicationBase"="D:\\ps1"
"AssemblyName"="Snapin1, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
"ModuleName"="D:\\ps1\\snapin1.dll"
public class Class2He just overwrote your PSSnapin with his DLL. What happened next?
{
public string Who
{
get { return "Bad Guy!"; }
}
}
> add-pssnapin testThat is to say user can run any code he wanted. In a worst condition, when you (An Administrator) tried to use this PSSnapin, you were actually tricked into running malicious code as Administrator!
> $a = new-object TestSnapin.Class2
> $a.Who
Bad Guy!
So Lessons:
- Keep an eye on your PSSnapin. Never put them in a directory which is writeable by unprivileged user Edit: 2006-05-16 08:36
- Always use a Signed PSSnapin. If a signed PSSnapin were altered, PowerShell will not load it.
"Since snapins are programs that you install, it is wise to apply the tenets and best practices of software installation to them...The potential security problems don't come from PSSnapins -- they come from executing code that you don't trust. " --Lee
Edit: 2006-05-16 08:36
> add-pssnapin test
Add-PSSnapin : Cannot load PSSnapIn test. Encountered following error: PSSnapin
module D:\ps1\snapin1.dll doesn't have required PSSnapin strong name Snapin1,
Version=1.0.0.0, Culture=neutral, PublicKeyToken=3daf9f8a713aaa33.
At line:1 char:13
+ add-pssnapin <<<< test
Tags: msh monad PowerShell
Comments:
<< Home
Thanks for pointing this out, Tony. Since snapins are programs that you install, it is wise to apply the tenets and best practices of software installation to them.
However, the guidance for applying a restricted Code Access Security (CAS) policy is slightly off-base. CAS protects you from code that you don't fully trust. You fully trust code that you write, so CAS restrictions have little benefit.
Also, your title is a little misleading :( The potential security problems don't come from PSSnapins -- they come from executing code that you don't trust.
However, the guidance for applying a restricted Code Access Security (CAS) policy is slightly off-base. CAS protects you from code that you don't fully trust. You fully trust code that you write, so CAS restrictions have little benefit.
Also, your title is a little misleading :( The potential security problems don't come from PSSnapins -- they come from executing code that you don't trust.
<< Home
Post a Comment