6/1/2023 0 Comments Res workspace manager![]() If application whitelisting is enabled, an attacker first needs to find a way to run arbitrary code (eg, through a macro). Composer uses this DLL, however these methods can also be leveraged by the attacker to exploit this issue.įigure 3: Composer uses the methods exported in ResMpc.dll for communicating with the Named PipeĪ local attacker can use this issue to run an arbitrary command with elevated privileges and fully compromise the workstation. Methods for communicating with the Named Pipe are exposed in the ResMpc.dll file. You can find it running in Task Manager as the. When connected to the Named Pipe it is possible to write a command to the Named Pipe, which starts an application that will be executed with elevated (Administrator) privileges. This files most often have description RES Workspace Manager - Workspace Composer. It is possible for a local attacker to bypass this restriction by spawning a new Composer process, inject a new thread in this process, and connect to this Named Pipe.įigure 2: Named Pipe created by the Ivanti Workspace Control PE service Normally only Composer ( pfwsmgr.exe) is allowed to connect to this Named Pipe and send commands to the service. Workspace Control runs a service named Ivanti Workspace Control PE that exposes a Named Pipe. ![]() It was found that this feature can be abused by a local attacker to run any application with Administrator privileges.įigure 1: Administrators can add Administrator rights to applications Details This is a powerful feature that allows a low privileged user to run an application with Administrator privileges. Workspace Control contains a feature named Dynamic Privileges that provides the possibility to add or remove Administrator privileges to a process. Ivanti Workspace Control (formerly known as RES ONE Workspace) is a User Environment Management solution. This issue was resolved in Ivanti Workspace Control version 10.3.10.0. This issue was successfully verified on Ivanti Workspace Control version 10.2.700.1 & 10.2.950.0. This thread connects to a Named Pipe and sends an instruction to a service to launch an attacker-defined application with elevated privileges.ĬVE-2018-15592 DOC-69692 - A locally authenticated user with low privileges can run processes with elevated privileges by leveraging an unspecified attack vector Tested versions This issue can be exploited by spawning a new Composer process, injecting a malicious thread in this process. It was found that Ivanti Workspace Control allows a local (unprivileged) attacker to run arbitrary commands with Administrator privileges.
0 Comments
Leave a Reply. |