### Key Information

#### Vulnerability Overview

- **Vulnerability Name**: Insecure .NET deserialization via WM_COPYDATA enables local code execution
- **Affected Versions**: <= 1.3.300
- **Fixed Version**: 1.3.301
- **CVE ID**: CVE-2022-31050
- **CVSS v3 Base Score**: 8.4/10

#### Description

- **Root Cause**: Greenshot passes attacker-controlled data directly to `BinaryFormatter.Deserialize()` when handling WM_COPYDATA messages, leading to local arbitrary code execution.
- **Key Points**:
  - `BinaryFormatter` is insecure when handling untrusted data: it allows instantiation of arbitrary types and triggers gadget chains.
  - Authorization checks occur after deserialization, so any gadget bypasses the channel-membership authentication.
  - Attackers can send payloads to the target window from a process running at a compatible integrity level.

#### Impact

- **Local Arbitrary Code Execution**: Occurs within a trusted, signed process.
- **Policy Evasion**: Attackers can execute payloads in memory without creating new processes, bypassing AppLocker/WDAC rules.
- **Enterprise Reality**: Can be exploited for persistence or as a foothold for further intra-process or inter-process attacks.

#### POC

- A demonstration video and POC sender are provided, showing how to trigger code execution by passing a `BinaryFormatter` stream via WM_COPYDATA messages.

#### Reproduction Steps

1. Install and launch Greenshot 1.3.300.
2. Ensure the POC sender runs at the same integrity level as Greenshot.
3. Run the sender and pass a payload containing a `BinaryFormatter` stream.
4. Observe code execution occurring within the Greenshot.exe context.
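The defect described under Description is an ordering and serializer problem: untrusted WM_COPYDATA bytes reach `BinaryFormatter` before any membership check runs. The following WinForms receiver is an added example (not Greenshot's code, and not the fix shipped in 1.3.301) of the hardened shape: bound and tag-check the buffer first, parse it with a serializer that can only produce a declared plain data class, check channel membership, and only then dispatch on an allow-list. The `dwData` tag, channel name and `CopyDataMessage` contract are assumptions.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text.Json;
using System.Windows.Forms;

// Hypothetical message contract (names assumed, not Greenshot's): plain data, no type info.
public sealed class CopyDataMessage { public string? Channel { get; set; } public string? Command { get; set; } }

public class ReceiverForm : Form
{
    private const int WM_COPYDATA = 0x004A;
    private const int MaxPayloadBytes = 64 * 1024;          // bound the payload before any parsing
    private const long ExpectedTag = 0x47534854;             // constructed dwData tag (an assumption)
    private const string ExpectedChannel = "greenshot-ipc";  // constructed channel name (an assumption)

    [StructLayout(LayoutKind.Sequential)]
    private struct COPYDATASTRUCT { public IntPtr dwData; public int cbData; public IntPtr lpData; }

    protected override void WndProc(ref Message m)
    {
        if (m.Msg != WM_COPYDATA) { base.WndProc(ref m); return; }
        var cds = Marshal.PtrToStructure<COPYDATASTRUCT>(m.LParam);

        // The advisory's bug: lpData went straight into BinaryFormatter.Deserialize(), and the
        // channel-membership check ran only on the resulting object, i.e. after any gadget
        // chain had already executed. Hardened order: cheap structural checks first, then a
        // serializer that can only produce the declared POCO, then membership, then dispatch.
        if (cds.dwData.ToInt64() == ExpectedTag && cds.cbData > 0 && cds.cbData <= MaxPayloadBytes)
        {
            var buffer = new byte[cds.cbData];
            Marshal.Copy(cds.lpData, buffer, 0, cds.cbData);   // copy out of the sender's buffer
            HandlePayload(buffer);
        }
        m.Result = IntPtr.Zero;   // rejected messages are silently dropped
    }

    private void HandlePayload(byte[] bytes)
    {
        CopyDataMessage? msg;
        try { msg = JsonSerializer.Deserialize<CopyDataMessage>(bytes); }  // no polymorphic types
        catch (JsonException) { return; }                                  // malformed: drop
        if (msg is null || msg.Channel != ExpectedChannel) return;         // membership before action

        // Dispatch on an allow-list; the payload is data, never code.
        switch (msg.Command)
        {
            case "activate": Activate(); break;
        }
    }
}
```

The essential properties are that no code path reaches a type-instantiating deserializer, and that a message failing the tag, size or channel check is discarded without side effects.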