Greenshot Untrusted Executable Search Path Vulnerability Allowing Arbitrary Code Execution

A binary hijacking vulnerability has been identified in Greenshot versions prior to 1.3.312. This vulnerability allows local attackers to execute arbitrary code by exploiting the application's use of a relative path when launching explorer.exe. The issue arises when the user double-clicks the Greenshot tray icon, which opens the folder containing the most recent screenshot. Attackers can place a malicious executable named explorer.exe in a directory that is searched before the legitimate Windows binary, thereby executing code in the context of the application.

Impact

Exploitation of this vulnerability allows for arbitrary code execution, potentially with elevated privileges if the application is running as an administrator. The vulnerability takes advantage of a common user interaction, double-clicking the tray icon, to execute attacker-controlled code while maintaining the appearance of normal application behavior.

Reproduction

To reproduce this vulnerability, first, install Greenshot version 1.3.312 or earlier. Then, place a malicious executable named 'explorer.exe' in a directory that is searched before 'C:\Windows' in the Windows executable search order. When the malicious executable is in place, double-click the Greenshot tray icon. The application will launch the malicious 'explorer.exe' instead of the legitimate Windows Explorer, executing any embedded code.

Remediation

Users are advised to update to a version of Greenshot that is 1.3.312 or later. If no update is available, the application can be manually configured to launch system executables using absolute paths or to use Windows APIs that bypass executable name resolution.