Thank you. But for Follina, having PowerShell in Constrained Language Mode, we are safe, correct?
Yes. Follina is completely blocked by CLM, because before executing the PowerShell code from the HTML script, the sdiagnhost.exe application executes the PowerShell script ‘C:\Windows\diagnostics\system\PCW\RS_ProgramCompatibilityWizard.ps1’, which is blocked by CLM.
So, even if the PowerShell code in the HTML script would not use advanced functions, the attack will fail.
This PS CL Mode Bypass, posted in "another forum", looks interesting:
GitHub - calebstewart/bypass-clm: PowerShell Constrained Language Mode Bypass
I'm assuming, hopefully correctly, that selecting InstallUtil.exe under SRP Blocked sponsors would stop this.
The bypass is useful when the attacker first executes the loader bypass-clm.exe, which is a kind of fake PowerShell, and next, from this fake PowerShell, executes attacking tools written for PowerShell.
But this will not work with the Follina exploit. Simply, ms-msdt will not use bypass-clm.exe.