CODEWITHSUNDEEP
powershell
Vimes
Vimes

Reputation: 11897

PowerShell execution policy subverted by a powershell.exe parameter

In PowerShell, is there an advantage to a restrictive execution policy besides trying to control which script files can run?

By default, PowerShell scripts are not allowed to run, but it seems like if a malicious party wants to run PowerShell script they can just bootstrap into it using a BAT file that calls PowerShell with the -ExecutionPolicy parameter set to "bypass".

Am I missing something, or does this defeat the execution policy mechanism? Why sign scripts (which looks like quite a hassle) when you can just make the execution policy less restrictive?

Below is a BAT script I wrote that creates an unsigned .ps1 file and runs it. It works on a machine with the execution policy of Restricted, which should disallow scripts. UAC is on and no elevation prompt is shown. It even dials out to the Internet and gets the latest headline of the "Hey, Scripting Guy!" blog.

echo write-host "`r`nPowershell code running on $(hostname).`r`n`r`nHere's the latest headline from the 'Hey, Scripting Guy!' blog: '$(([xml](New-Object Net.WebClient).DownloadString("http://blogs.technet.com/b/heyscriptingguy/atom.aspx")).feed.entry[0].title)'.`r`n`r`nPress Enter to close.`r`n"; read-host > script.ps1
powershell -ExecutionPolicy bypass -Command .\script.ps1

Upvotes: 3

Views: 585

Answers (2)

mjolinor
mjolinor

Reputation: 68273

The execution policy will prevent someone from modifying an existing script that's being run by someone else, or as an automated process (e.g. a scheduled task). From a security standpoint, using that .bat file is no different that compiling code to do the same thing into an .exe.

Also, the -ExecutionPolicy parameter doesn't work when the execution policy is set via local/group policy on the machine (per Ansgar's comment on the question).

Upvotes: 1

JaredPar
JaredPar

Reputation: 754725

The default PowerShell execution policy of disallowing scripts is useful for little more than preventing accidental invocations of the script. It can be trivially violated, even on earlier versions of powershell which didn't have the per instance parameter, by doing the following

  • Open any script you want to run in notepad
  • Copy the contents to the clipboard
  • Paste the clipboard to an instance of powershell

Anyone who really wants to run a script can do so using this or a variety of other mechanisms. It's only really useful for preventing unintentional execution of scripts

Upvotes: 0

Related Questions