Microsoft UFO OS Command Injection Vulnerability in Shell Action Replay

A command injection vulnerability has been identified in the Microsoft UFO open-source framework, specifically in tagged releases up to and including v3.0.0. The issue arises in the shell action replay path, where the ShellReceiver.run_shell() method passes command strings from action parameters directly to subprocess.Popen() with shell=True and executable=powershell.exe. This behavior is also accessible through ShellReceiver.execute_command(). The vulnerability allows an attacker to execute arbitrary PowerShell commands by manipulating session/action JSON files, which UFO processes as trusted input during action replay.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the victim's machine, executed as the user running the UFO process. This could lead to unauthorized access to files, modification or deletion of local data, theft of credentials or tokens, and disruption of automation workflows that utilize shared UFO session artifacts.

Reproduction

To reproduce this vulnerability, first clone the Microsoft UFO repository and check out the v3.0.0 release. Then, create a UFO session/action JSON record that includes a shell action with a command parameter designed to execute a PowerShell command. Once this JSON file is prepared, replay or resume the session in UFO. The injected command will be executed as a PowerShell process, confirming the successful exploitation of the command injection vulnerability.

Remediation

Users are advised to update to the latest version of Microsoft UFO, as the main branch contains a fix for this vulnerability. However, no tagged security release has been made available yet.