Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

AWS WorkSpaces Client Remote Code Execution- 624

David Yesland - Rhino Security. Posted 4 years ago.
  • Desktop clients often register custom URI schemes. Here the AWS WorkSpaces client registers the workspaces:// scheme on the system, which allows the application to be launched with a username, password and other parameters supplied through the URI alone.
  • A common attack against desktop clients with custom URIs is to find an argument or command injection at application start-up. Because browsers deliberately URL-encode such characters for exactly this reason (%20 for a space), argument injection through these handlers has become less and less common.
  • The URI handler deliberately URL-decodes the string and passes it as a parameter to the WorkSpaces executable without sanitizing the input. On its own this seems harmless, but the WorkSpaces executable is built on the Chromium Embedded Framework (CEF), and CEF's --gpu-launcher flag is known to have a command injection problem, so an injected argument becomes a real problem.
  • The URI workspaces://anything%20--gpu-launcher=%22calc.exe%22@REGISTRATION_CODE will launch a calculator on Windows systems, which demonstrates code execution on the device.
  • Even though the browser's encoding protects against this nicely, people still make mistakes. True command injection is unlikely in this context because modern frameworks escape commands, but argument injection can be just as bad and is not considered as an attack vector nearly as often.
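As an added illustration of the defensive point in these notes (this is not code from the original article or from the AWS client), here is how a custom-URI handler can validate its payload after URL-decoding and hand the result to the executable as separate argv entries, so an option-like token such as --gpu-launcher can never be re-interpreted as a flag. The expected user@REGISTRATION_CODE shape, the character set, the executable name and the flag names are all assumptions made for the example.

```python
import re
from urllib.parse import unquote

# Constructed illustration of how a handler for a scheme like
# workspaces:// should validate its input. The real client's parsing
# is not shown on the page; the user@REGISTRATION_CODE shape and the
# allowed character set below are assumptions.
SCHEME_PREFIX = "workspaces://"
SAFE_PART = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def parse_workspaces_uri(uri: str) -> tuple[str, str]:
    """Return (user, registration_code) or raise ValueError.

    The browser percent-encodes spaces and quotes, but the handler
    URL-decodes them again before use, so every check must run on
    the decoded value, never on the raw URI."""
    if not uri.startswith(SCHEME_PREFIX):
        raise ValueError("unexpected scheme")
    decoded = unquote(uri[len(SCHEME_PREFIX):])
    # A value that starts with '-' or contains whitespace or quotes can
    # turn into an option (e.g. --gpu-launcher) if the string is ever
    # split and passed to the executable as part of its command line.
    if decoded.startswith("-") or re.search(r"[\s\"']", decoded):
        raise ValueError("option-like or multi-token payload rejected")
    user, sep, code = decoded.rpartition("@")
    if not sep or not SAFE_PART.match(user) or not SAFE_PART.match(code):
        raise ValueError("user or registration code has unexpected form")
    return user, code


def is_safe_workspaces_uri(uri: str) -> bool:
    """True only if the URI passes every check above."""
    try:
        parse_workspaces_uri(uri)
        return True
    except ValueError:
        return False


def build_launch_argv(uri: str) -> list[str]:
    """Build an argv list for subprocess with shell=False.

    Each validated value is its own argv element, so nothing inside it
    can become a new flag. The executable and flag names are
    placeholders, not the real client's command line."""
    user, code = parse_workspaces_uri(uri)
    return ["WorkSpaces.exe", "--user", user, "--registration-code", code]
```

The page's own proof-of-concept URI is rejected by the whitespace and quote check before any argv is built; a well-formed user@code value passes and is launched without shell interpretation.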