search

PowerShell / PSReadLine

A bash inspired readline implementation for PowerShell
BSD 2-Clause "Simplified" License
3.75k stars 296 forks source link

EMET/Defender Exploit Guard - Crash #1466

Closed elliot-huffman closed 4 years ago

elliot-huffman commented 4 years ago

Environment

PS version: 5.1.18362.752
PSReadline version: 2.0.0-beta2
os: 10.0.18362.1 (WinBuild.160101.0800)
PS file version: 10.0.18362.1 (WinBuild.160101.0800)
HostName: ConsoleHost
BufferWidth: 237
BufferHeight: 3000

Exception report

-----------------------------------------------------------------------
Last 24 Keys:
 g e t - w i n e v e n t Tab Space - p r Tab Ctrl+Space Space Ctrl+Space y Ctrl+Space y

Exception:

-----------------------------------------------------------------------
System.ArgumentOutOfRangeException: The value must be greater than or equal to zero and less than the console's buffer size in that dimension.
Parameter name: top
Actual value was -1669.
   at System.Console.SetCursorPosition(Int32 left, Int32 top)
   at Microsoft.PowerShell.PSConsoleReadLine.Menu.EnsureMenuAndInputIsVisible(IConsole console, Int32 tooltipLineCount)
   at Microsoft.PowerShell.PSConsoleReadLine.Menu.DrawMenu(Menu previousMenu)
   at Microsoft.PowerShell.PSConsoleReadLine.PossibleCompletionsImpl(CommandCompletion completions, Boolean menuSelect)
   at Microsoft.PowerShell.PSConsoleReadLine.CompleteImpl(Boolean menuSelect)
   at Microsoft.PowerShell.PSConsoleReadLine.ProcessOneKey(ConsoleKeyInfo key, Dictionary`2 dispatchTable, Boolean ignoreIfNoAction, Object arg)
   at Microsoft.PowerShell.PSConsoleReadLine.InputLoop()
   at Microsoft.PowerShell.PSConsoleReadLine.ReadLine(Runspace runspace, EngineIntrinsics engineIntrinsics)

Steps to reproduce

Enable Windows defender exploit guard. See below for the Exploit Guard xml for configuration. Start coding in the native powershell console and use ctrl+space autocomplete to fill stuff out and it will crash.

Expected behavior

List of results are displayed when using Ctrl+Space on the command line.

Actual behavior

Upon pressing "y" to show all the results, the PSReadline crashes.

elliot-huffman commented 4 years ago

Hi Team,

I was running as admin in the current working directory of C:\Windows\System32\. I do not have Defender ATP, it is just vanilia Defender in Win 10 pro x64.

Here is my System info: System Info.zip

Here is my exploit guard config (xml):

<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <SystemConfig>
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <ControlFlowGuard Enable="true" SuppressExports="false" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
  </SystemConfig>
  <AppConfig Executable="clview.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="cnfnot32.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="excel.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="excelcnv.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ExtExport.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="graph.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ie4uinit.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ieinstal.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ielowutil.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ieUnatt.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msaccess.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="mscorsvw.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="msfeedssync.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="mshta.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msoadfsb.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msoasb.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msohtmed.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msosrec.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msosync.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msoxmled.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="mspub.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msqry32.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ngen.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="ngentask.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="onenote.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="onenotem.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="orgchart.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="outlook.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="powerpnt.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="PresentationHost.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
  </AppConfig>
  <AppConfig Executable="PrintDialog.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="runtimebroker.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="scanost.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="scanpst.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="sdxhelper.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="selfcert.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="setlang.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="SystemSettings.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="C:\Windows\System32\vmcompute.exe">
    <ControlFlowGuard Enable="true" SuppressExports="true" StrictControlFlowGuard="true" />
  </AppConfig>
  <AppConfig Executable="C:\Windows\System32\vmwp.exe">
    <ControlFlowGuard Enable="true" SuppressExports="true" StrictControlFlowGuard="true" />
  </AppConfig>
  <AppConfig Executable="winword.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="wordconv.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
</MitigationPolicy>

Here is my PS version info:

PS C:\Windows\system32> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.18362.752
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.18362.752
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
elliot-huffman commented 4 years ago

Disabling exploit guard fixes the issue, however this opens the system up to more attacks. Here is the xml for a disabled exploit guard:

<?xml version="1.0" encoding="UTF-8"?>
<MitigationPolicy>
  <AppConfig Executable="clview.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="cnfnot32.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="excel.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="excelcnv.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ExtExport.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="graph.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ie4uinit.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ieinstal.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ielowutil.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ieUnatt.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msaccess.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="mscorsvw.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="msfeedssync.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="mshta.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msoadfsb.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msoasb.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msohtmed.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msosrec.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msosync.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msoxmled.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="mspub.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="msqry32.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="ngen.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="ngentask.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="onenote.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="onenotem.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="orgchart.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="outlook.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="powerpnt.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="PresentationHost.exe">
    <DEP Enable="true" EmulateAtlThunks="false" />
    <ASLR ForceRelocateImages="true" RequireInfo="false" BottomUp="true" HighEntropy="true" />
    <SEHOP Enable="true" TelemetryOnly="false" />
    <Heap TerminateOnError="true" />
  </AppConfig>
  <AppConfig Executable="PrintDialog.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="runtimebroker.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="scanost.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="scanpst.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="sdxhelper.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="selfcert.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="setlang.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="SystemSettings.exe">
    <ExtensionPoints DisableExtensionPoints="true" />
  </AppConfig>
  <AppConfig Executable="C:\Windows\System32\vmcompute.exe">
    <ControlFlowGuard Enable="true" SuppressExports="true" StrictControlFlowGuard="true" />
  </AppConfig>
  <AppConfig Executable="C:\Windows\System32\vmwp.exe">
    <ControlFlowGuard Enable="true" SuppressExports="true" StrictControlFlowGuard="true" />
  </AppConfig>
  <AppConfig Executable="winword.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
  <AppConfig Executable="wordconv.exe">
    <ASLR ForceRelocateImages="true" RequireInfo="false" />
  </AppConfig>
</MitigationPolicy>
iSazonov commented 4 years ago

Did you update to latest version as #1306 suggest?

iSazonov commented 4 years ago

PSReadline version: 2.0.0-beta2

Please update to latest version.

daxian-dbw commented 4 years ago

@elliot-labs This issue was very likely fixed (see #1306). Please upgrade to the 2.0.1 version of PSReadLine from PowerShellGallery. See the upgrading section for instructions. Feel free to reopen the issue if you find it still repros after moving to the 2.0.1 version of PSReadLine.