Greenshot Local Code Execution Vulnerability via Insecure WM_COPYDATA Deserialization

Vulnerability

A local code execution vulnerability has been identified in Greenshot, an open-source Windows screenshot utility, in versions through 1.3.300. The issue arises from the deserialization of attacker-controlled data in WM_COPYDATA messages using BinaryFormatter.Deserialize, without proper validation or authorization. This vulnerability allows a local process at the same integrity level to execute arbitrary code within the Greenshot process. The flaw exists in a WinForms WndProc handler for WM_COPYDATA, where the application first deserializes the data and only afterwards checks whether the channel is authorized. Because BinaryFormatter instantiates the types named in the payload during deserialization, any embedded gadget chain in the serialized payload is executed regardless of channel membership. A local attacker capable of sending WM_COPYDATA to the Greenshot main window can exploit this for in-process code execution, potentially evading application control policies by running malicious payloads within the trusted Greenshot.exe process.

Impact

Exploitation of this vulnerability leads to local arbitrary code execution in the context of the Greenshot process, which is trusted and signed. This in-process execution can help bypass application control policies that regulate process creation, because the code runs in memory without launching a new process. Such a capability is particularly valuable in an enterprise environment, where an attacker with low-privilege access could execute code stealthily, maintain persistence, or facilitate further attacks across processes.

Reproduction

To reproduce this vulnerability, Greenshot version 1.3.300 must be installed and running on a Windows system. A separate process at the same integrity level as Greenshot can then send a WM_COPYDATA message to the Greenshot main window with a payload crafted to exploit the deserialization flaw. This can be done with a simple sender application that locates the Greenshot window, prepares the serialized payload, and sends it via WM_COPYDATA. Once the payload is received and deserialized, the embedded code executes within the Greenshot process.

Remediation

Users can upgrade to Greenshot version 1.3.301, which addresses this vulnerability by implementing a safety check for the BinaryFormatter deserialization when handling WM_COPYDATA messages.
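The ordering flaw described in the Vulnerability section and the shape of the fix, as an added C# illustration that is not Greenshot's own code (the channel id, the OpenFileMessage type and the 64 KiB size bound are assumptions):

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;
using System.Windows.Forms;

// Constructed illustration; the channel id and message type are assumptions, not Greenshot's code.
public class CopyDataWindow : Form
{
    private const int WM_COPYDATA = 0x004A;
    private const long ExpectedChannel = 0x4753; // assumed channel id
    [StructLayout(LayoutKind.Sequential)]
    private struct COPYDATASTRUCT { public IntPtr dwData; public int cbData; public IntPtr lpData; }
    // Assumed message shape for the safe path: a flat DTO, not an arbitrary object graph.
    private sealed class OpenFileMessage { public string FilePath { get; set; } }

    // Pattern the advisory describes: deserialize first, authorize later. BinaryFormatter
    // instantiates whatever types the bytes name, so any gadget chain runs before the check.
    private static object HandleCopyDataVulnerable(COPYDATASTRUCT cds)
    {
        var buf = new byte[cds.cbData];
        Marshal.Copy(cds.lpData, buf, 0, cds.cbData);
        object payload = new BinaryFormatter().Deserialize(new MemoryStream(buf)); // too early
        return cds.dwData.ToInt64() == ExpectedChannel ? payload : null;           // too late
    }

    // Hardened pattern: authorize and bound the input first, then parse with a format that can
    // only yield the one expected type. dwData is sender-controlled too, so step 3 is decisive.
    private static OpenFileMessage HandleCopyDataHardened(COPYDATASTRUCT cds)
    {
        if (cds.dwData.ToInt64() != ExpectedChannel) return null;    // 1. channel check first
        if (cds.cbData <= 0 || cds.cbData > 64 * 1024) return null;   // 2. reject oversized input
        var buf = new byte[cds.cbData];
        Marshal.Copy(cds.lpData, buf, 0, cds.cbData);
        try { return JsonSerializer.Deserialize<OpenFileMessage>(buf); } // 3. no BinaryFormatter
        catch (JsonException) { return null; }
    }

    protected override void WndProc(ref Message m)
    {
        if (m.Msg == WM_COPYDATA)
        {
            var cds = Marshal.PtrToStructure<COPYDATASTRUCT>(m.LParam);
            var msg = HandleCopyDataHardened(cds);
            if (msg?.FilePath != null) { /* validate FilePath like any untrusted path, then act */ }
            m.Result = IntPtr.Zero;
            return;
        }
        base.WndProc(ref m);
    }
}
```

Any process at the same integrity level can post WM_COPYDATA with an arbitrary dwData, so the channel check alone does not authenticate the sender; the material fix is never handing the bytes to a serializer that can instantiate arbitrary types.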

Added: Sep 16, 2025, 5:24 PM
Updated: Sep 16, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 7.5
exploitability: 6.0
remediation: 7.7
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.