PowerShell Remoting Project Home

Saturday, May 13, 2006

Potential Security Problem of PSSnapin Installation and Execution

Windows PowerShell is powerful (hehe, sounds like a bad salesman). To make it even better, user can extent it by PSSnapin. PSSnapin can contain PSProviders, Cmdlets and other class library. But there is a catch. PSSnapin is arbitrary code which could be bad designed, bugs loaded and somewhat out of your control. If you are not careful when install and execute, PSSnapin can cause serious security problems. Let's look following example:

Supposed you have a PSSnapin:
using System;
using System.ComponentModel;
using System.Management.Automation;
namespace TestSnapin
{
    [RunInstaller(true)]
    public class MySnapin : PSSnapIn
    {
         public override string Name
         {
            get { return "Test"; }
         }
        public override string Vendor
        {
             get { return "http://MSHForFun.blogspot.com/"; }
        }
        public override string Description
        {
            get { return "Test"; }
        }
    }

   public class Class2
   {
        public string Who
        {
              get { return "Good Guy!"; }
        }
   }
}
You built it by yourself or simply downloaded it from internet. You (An Administrator) copied it to a folder and ran installutil.exe to install it. Then you tried to use it in PowerShell:
>get-pssnapin -reg

Name : Test
PSVersion : 1.0
Description : Test

> add-pssnapin test
> $a = new-object TestSnapin.Class2
> $a.Who
Good Guy!
Looks perfect, right? But
  1. The folder where you save your PSSnapin is writeable by any user, so anyone can change your PSSnapin.
  2. Your PSSnapin assembly is not signed, so PowerShell will load it without checking its integrity. See the registry key about your PSSnapin
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellSnapIns\Test]
"PowerShellVersion"="1.0"
"Vendor"="http://MSHForFun.blogspot.com/"
"Description"="Test"
"Version"="1.0.0.0"
"ApplicationBase"="D:\\ps1"
"AssemblyName"="Snapin1, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
"ModuleName"="D:\\ps1\\snapin1.dll"
Suppose there were a malicious user wrote a PSSnapin like yours PSSnapin except Class2:
public class Class2
{
    public string Who
    {
        get { return "Bad Guy!"; }
    }
}
He just overwrote your PSSnapin with his DLL. What happened next?
> add-pssnapin test
> $a = new-object TestSnapin.Class2
> $a.Who
Bad Guy!
That is to say user can run any code he wanted. In a worst condition, when you (An Administrator) tried to use this PSSnapin, you were actually tricked into running malicious code as Administrator!

So Lessons:
  1. Keep an eye on your PSSnapin. Never put them in a directory which is writeable by unprivileged user
  2. Edit: 2006-05-16 08:36
    "Since snapins are programs that you install, it is wise to apply the tenets and best practices of software installation to them...The potential security problems don't come from PSSnapins -- they come from executing code that you don't trust. " --Lee
    Edit: 2006-05-16 08:36
  3. Always use a Signed PSSnapin. If a signed PSSnapin were altered, PowerShell will not load it.
  4. > add-pssnapin test
    Add-PSSnapin : Cannot load PSSnapIn test. Encountered following error: PSSnapin
    module D:\ps1\snapin1.dll doesn't have required PSSnapin strong name Snapin1,
    Version=1.0.0.0, Culture=neutral, PublicKeyToken=3daf9f8a713aaa33.
    At line:1 char:13
    + add-pssnapin <<<< test

Tags:       


Comments:
Thanks for pointing this out, Tony. Since snapins are programs that you install, it is wise to apply the tenets and best practices of software installation to them.

However, the guidance for applying a restricted Code Access Security (CAS) policy is slightly off-base. CAS protects you from code that you don't fully trust. You fully trust code that you write, so CAS restrictions have little benefit.

Also, your title is a little misleading :( The potential security problems don't come from PSSnapins -- they come from executing code that you don't trust.
 
It make sense to me. I will change title and correct errors
 

Post a Comment





<< Home