PinchTab Command Injection Vulnerability in Windows Cleanup Routine Allows Arbitrary PowerShell Execution

Vulnerability

A command injection vulnerability has been identified in PinchTab version 0.8.4, specifically in the Windows cleanup process for Chrome. When an instance is stopped, the cleanup routine builds a PowerShell command string using a 'needle' derived from the profile path. In this version, backslashes are escaped, but other PowerShell metacharacters are not neutralized. This oversight allows an attacker with authenticated, administrative-equivalent API access to inject commands that are executed in the context of the PinchTab process user on the Windows host.

Impact

Exploitation of this vulnerability could lead to unauthorized execution of PowerShell commands on the affected Windows system, with the potential for full compromise of data and processes accessible to the user account under which PinchTab is running. Additionally, in environments where PinchTab instances are automatically restarted, the injected commands could be executed repeatedly, causing resource exhaustion and system instability.

Reproduction

To reproduce this vulnerability, launch a PinchTab instance with a crafted profile name that includes PowerShell metacharacters, such as a single quote followed by a command (e.g., 'poc';calc). After the instance is running, stop it using the API, which will trigger the cleanup routine and execute the injected command.

Remediation

Users are advised to update to PinchTab version 0.8.5, which addresses this vulnerability by improving the validation of profile names to prevent the inclusion of PowerShell metacharacters.
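
The flawed pattern and the mitigation described above, as an added Go example that is not PinchTab's own code. The cleanup command text, the allow-list regular expression and the PT_NEEDLE environment variable are assumptions made for illustration; the page does not show the actual 0.8.5 check.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Assumed allow-list for profile names; the real 0.8.5 rule is not on the page.
var profileNameRe = regexp.MustCompile(`^[A-Za-z0-9._-]{1,64}$`)

// UnsafeCleanupCommand models the flawed pattern: only backslashes are
// escaped before the needle lands inside a single-quoted PowerShell string.
// The command text is constructed for illustration.
func UnsafeCleanupCommand(needle string) string {
	escaped := strings.ReplaceAll(needle, `\`, `\\`)
	return fmt.Sprintf("Get-CimInstance Win32_Process | Where-Object { $_.CommandLine -like '*%s*' }", escaped)
}

// ValidateProfileName rejects quotes, semicolons, backticks, '$', pipes,
// whitespace and every other character outside the allow-list.
func ValidateProfileName(name string) error {
	if !profileNameRe.MatchString(name) {
		return errors.New("profile name contains characters outside [A-Za-z0-9._-]")
	}
	return nil
}

// SafeCleanupCommand returns a constant script plus the environment entry
// that carries the needle, so profile data is never parsed as PowerShell.
func SafeCleanupCommand(name string) (script string, env []string, err error) {
	if err = ValidateProfileName(name); err != nil {
		return "", nil, err
	}
	script = "Get-CimInstance Win32_Process | Where-Object { $_.CommandLine -like ('*' + $env:PT_NEEDLE + '*') }"
	return script, []string{"PT_NEEDLE=" + name}, nil
}

func main() {
	for _, name := range []string{"work-profile_1", "'poc';calc"} { // second value is the page's example
		fmt.Printf("%q valid=%v\n", name, ValidateProfileName(name) == nil)
		fmt.Println("  unsafe:", UnsafeCleanupCommand(name))
	}
	if script, env, err := SafeCleanupCommand("work-profile_1"); err == nil {
		fmt.Println("  safe:", script, env)
	}
}
```

Validation at the API boundary and a constant script are complementary: the first keeps bad names out of stored state, the second keeps the shell from ever parsing profile data.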

Added: Mar 26, 2026, 9:35 PM
Updated: Mar 26, 2026, 9:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 5.7
remediation: 0.0
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.