Greenshot
cpe:2.3:a:greenshot:greenshot:*:*:*:*:*:*:*
- <= 1.3.310
A command injection vulnerability has been identified in Greenshot, an open-source Windows screenshot utility, specifically in versions through 1.3.310. The issue arises in the ExternalCommand plugin, where user-controlled filenames are inserted into shell commands without proper sanitization. This flaw allows attackers to execute arbitrary commands by crafting filenames that include shell metacharacters. The vulnerability is rooted in the 'FormatArguments' method of 'ExternalCommandDestination.cs', which directly uses 'string.Format()' to process filenames for command execution.
Exploitation of this vulnerability allows for arbitrary command execution with the privileges of the user running Greenshot. This could lead to unauthorized actions on the system, such as modifying files, installing malware, or creating persistence mechanisms.
The vulnerability can be reproduced by configuring the ExternalCommand plugin to use a shell interpreter like 'cmd.exe' or 'powershell.exe', and then processing a file with a filename that includes injection payloads, such as 'test.png" & calc.exe & echo ".png'. This can be done manually or by using a script to create the malicious file and set up the necessary Greenshot configuration.
Users are advised to update to Greenshot version 1.3.311, where this vulnerability has been patched. For those unable to update, it is recommended to disable the ExternalCommand plugin or avoid configuring it with command interpreters.
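The following is an added example, not Greenshot's code or its 1.3.311 fix: a Python audit helper for the mitigation above. It flags an ExternalCommand entry whose executable is a shell interpreter and shows what a filename becomes once substituted into the argument template. The (executable, template) pairs, the metacharacter deny-list and the function names are assumptions made for illustration.

```python
import ntpath
import re

# Interpreters named on the page, plus pwsh and extensionless forms.
INTERPRETERS = {"cmd.exe", "cmd", "powershell.exe", "powershell", "pwsh.exe", "pwsh"}
# Characters that cmd.exe or PowerShell treat as syntax rather than data
# (assumed deny-list for this example; not Greenshot's own check).
META = re.compile(r'["&|<>^%`$;]')


def is_interpreter(command_line: str) -> bool:
    """True when the configured executable is a shell interpreter."""
    exe = ntpath.basename(command_line.strip().strip('"')).lower()
    return exe in INTERPRETERS


def render(template: str, filename: str) -> str:
    """Simplified stand-in for an unsanitized string.Format on "{0}"."""
    return template.replace("{0}", filename)


def assess(command_line: str, template: str, filename: str) -> dict:
    """Report whether this command/filename pair lets the name become syntax."""
    rendered = render(template, filename)
    shell = is_interpreter(command_line)
    meta = sorted(set(META.findall(filename)))
    return {
        "rendered": rendered,      # argument string handed to the process
        "interpreter": shell,      # executable parses its arguments as a script
        "metachars": meta,         # characters in the name that a shell interprets
        "unsafe": shell and bool(meta),
    }


if __name__ == "__main__":
    # Constructed sample data: two hypothetical ExternalCommand entries and
    # two filenames, one of them the example filename quoted on this page.
    commands = [
        (r"C:\Windows\System32\mspaint.exe", '"{0}"'),
        (r"C:\Windows\System32\cmd.exe", '/c echo "{0}"'),
    ]
    names = ["shot.png", 'test.png" & calc.exe & echo ".png']
    for exe, tpl in commands:
        for name in names:
            print(exe, "->", assess(exe, tpl, name))
```

The `rendered` value for the interpreter entry shows the filename's own quote closing the template's quoting, which is why the entry is reported as unsafe while the same filename passed to a non-interpreter executable is not.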