Windows Screenshot Utility Greenshot Vulnerability Enable Malicious code execution – PoC Released
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A critical security flaw has been discovered in Greenshot, a popular open-source screenshot utility for Windows.
The vulnerability allows a local attacker to execute arbitrary code within the Greenshot process, potentially enabling them to bypass security measures and carry out further attacks.
A proof-of-concept (PoC) exploit has been released, demonstrating the severity of the issue. The vulnerability affects Greenshot version 1.3.300, released on August 20, 2025, and all earlier versions.
The flaw has been addressed in the newly released version 1.3.301, and all users are strongly urged to update their software immediately to protect against potential exploitation.
Windows Screenshot Utility Greenshot Vulnerability
The vulnerability lies in the way Greenshot handles inter-process communication. Specifically, it improperly processes data received via the Windows WM_COPYDATA message system.
The application uses BinaryFormatter.Deserialize to process incoming data without first validating its origin or integrity. This oversight means that any local process running with the same user privileges can send a specially crafted message to the Greenshot main window, triggering the vulnerability.
The core of the problem is a logical error in the code’s execution flow. The application deserializes the received data before it checks whether the communication channel is authorized.
Consequently, any malicious code, or “gadget chain,” embedded in the serialized payload executes automatically, regardless of whether the sender is trusted.
This allows an attacker to run their own code under the guise of the legitimate, digitally signed Greenshot application.
The impact of this vulnerability is significant, as it allows for arbitrary code execution within a trusted process. By running malicious payloads inside Greenshot.exe, an attacker can potentially evade application control policies like AppLocker or Windows Defender Application Control (WDAC).
These security systems often work by restricting which executables can run, but they may not monitor the internal behavior of already-trusted applications.
The release of a PoC demonstrates this, showing how a simple payload can launch the Windows Command Prompt (cmd[.]exe) directly from the Greenshot process.
For enterprises, this poses a serious risk. If an attacker gains an initial low-privilege foothold on a workstation, they could leverage the installed Greenshot application to execute code stealthily.
This technique, sometimes referred to as “living inside a trusted app,” can be used for persistence, lateral movement, or as a staging point for more advanced in-process attacks without raising immediate alarms.
No known workarounds exist to mitigate this flaw, making the update to version 1.3.301 the only effective solution.
#Cyber_Security_News #Vulnerability #Vulnerability_News #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Windows Screenshot Utility Greenshot Vulnerability Enable Malicious code execution – PoC Released
Author: Guru BaranA critical security flaw has been discovered in Greenshot, a popular open-source screenshot utility for Windows.
The vulnerability allows a local attacker to execute arbitrary code within the Greenshot process, potentially enabling them to bypass security measures and carry out further attacks.
A proof-of-concept (PoC) exploit has been released, demonstrating the severity of the issue. The vulnerability affects Greenshot version 1.3.300, released on August 20, 2025, and all earlier versions.
The flaw has been addressed in the newly released version 1.3.301, and all users are strongly urged to update their software immediately to protect against potential exploitation.
Windows Screenshot Utility Greenshot Vulnerability
The vulnerability lies in the way Greenshot handles inter-process communication. Specifically, it improperly processes data received via the Windows WM_COPYDATA message system.
The application uses BinaryFormatter.Deserialize to process incoming data without first validating its origin or integrity. This oversight means that any local process running with the same user privileges can send a specially crafted message to the Greenshot main window, triggering the vulnerability.
The core of the problem is a logical error in the code’s execution flow. The application deserializes the received data before it checks whether the communication channel is authorized.
Consequently, any malicious code, or “gadget chain,” embedded in the serialized payload executes automatically, regardless of whether the sender is trusted.
This allows an attacker to run their own code under the guise of the legitimate, digitally signed Greenshot application.
The impact of this vulnerability is significant, as it allows for arbitrary code execution within a trusted process. By running malicious payloads inside Greenshot.exe, an attacker can potentially evade application control policies like AppLocker or Windows Defender Application Control (WDAC).
These security systems often work by restricting which executables can run, but they may not monitor the internal behavior of already-trusted applications.
The release of a PoC demonstrates this, showing how a simple payload can launch the Windows Command Prompt (cmd[.]exe) directly from the Greenshot process.
For enterprises, this poses a serious risk. If an attacker gains an initial low-privilege foothold on a workstation, they could leverage the installed Greenshot application to execute code stealthily.
This technique, sometimes referred to as “living inside a trusted app,” can be used for persistence, lateral movement, or as a staging point for more advanced in-process attacks without raising immediate alarms.
No known workarounds exist to mitigate this flaw, making the update to version 1.3.301 the only effective solution.
#Cyber_Security_News #Vulnerability #Vulnerability_News #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
