Problems in the PowerShell Gallery could be exploited by malicious actors to carry out attacks through this package registry.

PowerShell Gallery, what it is in a nutshell

The PowerShell Gallery is a central repository maintained by Microsoft that allows developers to share, download and distribute PowerShell code; this code can include PowerShell modules, scripts, and Desired State Configuration (DSC) resources.

The PowerShell Gallery provides a convenient way for users to access a wide variety of PowerShell tools, scripts, and components created by the community and by Microsoft itself. However, it has been reported that the PowerShell Gallery has security issues: a number of vulnerabilities make it possible to insert malicious packages and difficult to tell legitimate packages apart from them.

The gallery is reachable through the website of the same name, powershellgallery.com.

What are the problems encountered

“These vulnerabilities make typosquatting attacks unavoidable in this registry, while making it extremely difficult for users to identify the true owner of a package,” Aqua Security researchers Mor Weinberger, Yakir Kadkoda and Ilay Goldman said in a report.

Maintained by Microsoft, the PowerShell Gallery is a central repository for sharing and obtaining PowerShell code, including PowerShell modules, various scripts, and Desired State Configuration (DSC) resources. The registry boasts 11,829 unique packages and a total of 244,615 packages.

The problems identified by the cloud security firm include the service’s lax policy towards package names and its lack of protections against typosquatting attacks, which allow attackers to upload malicious PowerShell modules that appear genuine to unsuspecting users.

A second vulnerability involves the ability of a malicious actor to spoof a module’s metadata, including the Author(s), Copyright, and Description fields, to make it appear more legitimate, thereby tricking unsuspecting users into installing it.

“The only way for users to determine the true author/owner is to open the ‘Package Details’ tab,” said the researchers.

“However, this will only lead them to the fake author profile [an attacker hiding behind a nickname], since the attacker [that is, the hacker, in short] can freely choose any name when creating a user in the PowerShell Gallery. Therefore, determining the actual author of a PowerShell module in the PowerShell Gallery is a challenging task.”
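The two weaknesses just described (look-alike names and freely chosen Author/CompanyName metadata) can both be caught on the consumer side before `Install-Module` runs. The following PowerShell is an added example written for this page, not code from the article or from Aqua: it compares a requested module name against an organisation’s approved list using edit distance, and, for an approved name, compares the metadata the gallery returns against the publisher values recorded when the module was first vetted. The approved names, the recorded publisher values and the `$sample` objects are constructed for the demonstration; in real use `$Metadata` would come from `Find-Module -Name $Name -Repository PSGallery`.

```powershell
# Added example (not from the article or Aqua). All names and values below are constructed.

function Get-EditDistance {
    # Levenshtein distance, case-insensitive, used to spot look-alike package names
    param([string]$A, [string]$B)
    $A = $A.ToLowerInvariant(); $B = $B.ToLowerInvariant()
    $d = [int[,]]::new($A.Length + 1, $B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    $d[$A.Length, $B.Length]
}

function Test-ModuleRequest {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string[]]$ApprovedNames,
        [Parameter(Mandatory)] [hashtable]$ExpectedPublisher,   # approved name -> @{ Author; CompanyName }
        [Parameter(Mandatory)] $Metadata                        # object with Name, Author, CompanyName
    )
    $findings = @()
    if ($ApprovedNames -notcontains $Name) {
        # Not approved: any approved name within two edits is a likely typosquat
        foreach ($approved in $ApprovedNames) {
            $dist = Get-EditDistance $Name $approved
            if ($dist -gt 0 -and $dist -le 2) {
                $findings += "'$Name' is $dist edit(s) away from approved module '$approved' (possible typosquat)"
            }
        }
        if ($findings.Count -eq 0) { $findings += "'$Name' is not on the approved list" }
    }
    else {
        # Approved name: the gallery's Author/CompanyName must match what was recorded at vetting time
        $expected = $ExpectedPublisher[$Name]
        if ($Metadata.Author -ne $expected.Author -or $Metadata.CompanyName -ne $expected.CompanyName) {
            $findings += "Publisher mismatch for '$Name': gallery says Author='$($Metadata.Author)', " +
                         "CompanyName='$($Metadata.CompanyName)'; recorded Author='$($expected.Author)', " +
                         "CompanyName='$($expected.CompanyName)'"
        }
    }
    [pscustomobject]@{ Name = $Name; Allowed = ($findings.Count -eq 0); Findings = $findings }
}

# --- Constructed demonstration data ---
$approved = @('Az.Accounts', 'PSReadLine', 'Pester')
$recorded = @{
    'Az.Accounts' = @{ Author = 'Microsoft Corporation'; CompanyName = 'Microsoft Corporation' }
    'PSReadLine'  = @{ Author = 'Microsoft Corporation'; CompanyName = 'Microsoft Corporation' }
    'Pester'      = @{ Author = 'Pester Team';           CompanyName = 'Pester' }
}
# Look-alike name whose metadata claims to be Microsoft's (the spoofing the article describes)
$sample1 = [pscustomobject]@{ Name = 'PSReadLlne'; Author = 'Microsoft Corporation'; CompanyName = 'Microsoft Corporation' }
# Correct name, but the publisher fields do not match the vetted record
$sample2 = [pscustomobject]@{ Name = 'Pester'; Author = 'someuser'; CompanyName = 'Unknown' }
# Correct name and matching metadata
$sample3 = [pscustomobject]@{ Name = 'Az.Accounts'; Author = 'Microsoft Corporation'; CompanyName = 'Microsoft Corporation' }

foreach ($s in $sample1, $sample2, $sample3) {
    Test-ModuleRequest -Name $s.Name -ApprovedNames $approved -ExpectedPublisher $recorded -Metadata $s |
        Format-List Name, Allowed, Findings
}
```

Because the Author and CompanyName fields are exactly what the article says an attacker can fill in freely, they are useful here only as a mismatch detector (a package that claims to be Microsoft’s but whose name is not on the approved list, or an approved name whose publisher fields changed since vetting); a match never proves legitimacy on its own. The approved-name list and the recorded publisher values are the real control, and pinning `-RequiredVersion` at install time closes the remaining gap of a new, different version under a trusted name.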

A third vulnerability was also discovered that could be exploited by attackers to enumerate all package names and versions, including unlisted packages that were intended to be hidden from public view.

This can be accomplished using the PowerShell Gallery API endpoint “https://www.powershellgallery.com/api/v2/Packages?$skip=number”, which gives an attacker unrestricted access to the complete database of PowerShell packages, including their versions.

“This uncontrolled access gives malicious actors the ability to search inside unlisted packages for potentially sensitive information. As a result, any unlisted package that contains confidential data becomes highly susceptible to compromise,” explained the researchers.
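The practical lesson from the third finding is that unlisting a package is not access control: anything pushed to the gallery has to be treated as public. The following PowerShell is an added example for this page, not code from the article or from Aqua, showing a pre-publish check that scans a module folder for credential-like strings so that an internal module never reaches the gallery with secrets inside. The regular expressions and the `ContosoInternalTools` sample module it creates in the temp directory are constructed for the demonstration and should be tuned to your own environment.

```powershell
# Added example (not from the article or Aqua). Patterns and sample module are constructed.

function Find-SecretsInModule {
    param([Parameter(Mandatory)] [string]$Path)
    $root = (Resolve-Path -Path $Path).Path

    # Constructed patterns for common mistakes; extend for your own token formats
    $patterns = @{
        'Hard-coded password assignment' = '(?i)\$?(password|passwd|pwd)\s*=\s*[''"][^''"]{4,}[''"]'
        'Private key block'              = '-----BEGIN (RSA |EC |OPENSSH |)PRIVATE KEY-----'
        'Connection string with secret'  = '(?i)(Password|Pwd)=[^;''"]{4,}'
        'API key or token literal'       = '(?i)(api[_-]?key|token)\s*=\s*[''"][A-Za-z0-9_\-]{20,}[''"]'
    }

    $findings = foreach ($file in Get-ChildItem -Path $root -Recurse -File -Include *.ps1,*.psm1,*.psd1,*.json,*.xml,*.txt) {
        $lineNo = 0
        foreach ($line in Get-Content -Path $file.FullName) {
            $lineNo++
            foreach ($kind in $patterns.Keys) {
                if ($line -match $patterns[$kind]) {
                    [pscustomobject]@{
                        File = $file.FullName.Substring($root.Length).TrimStart('\', '/')
                        Line = $lineNo
                        Kind = $kind
                        # Redact everything after '=' so the report itself does not leak the secret
                        Preview = ($line.Trim() -replace '(=\s*[''"]?)[^''";]+', '$1<redacted>')
                    }
                }
            }
        }
    }
    return $findings
}

# --- Constructed sample module so the example runs offline ---
$module = Join-Path ([IO.Path]::GetTempPath()) ('ContosoInternalTools_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $module | Out-Null
@'
function Connect-InternalDb {
    $password = "Sup3rSecretValue"   # leaked credential (constructed)
    $conn = "Server=db01;Database=ops;User Id=svc;Password=Sup3rSecretValue;"
    Get-Date
}
'@ | Set-Content -Path (Join-Path $module 'ContosoInternalTools.psm1')
@'
@{ ModuleVersion = '1.0.0'; RootModule = 'ContosoInternalTools.psm1'; Author = 'Contoso IT' }
'@ | Set-Content -Path (Join-Path $module 'ContosoInternalTools.psd1')

$results = Find-SecretsInModule -Path $module
$results | Format-Table -AutoSize
if ($results) {
    Write-Warning "Do not run Publish-Module: $($results.Count) secret-like string(s) found"
}
Remove-Item -Path $module -Recurse -Force
```

On the sample module the scan reports two findings in `ContosoInternalTools.psm1`: the hard-coded `$password` assignment and the `Password=` segment of the connection string. Wiring this function in front of `Publish-Module` (and refusing to publish when it returns anything) addresses the risk the researchers describe, since an unlisted package that contains no secrets has nothing to leak when it is enumerated.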

Aqua said it reported the deficiencies to Microsoft in September 2022, following which the Windows company is said to have put reactive fixes in place by March 7, 2023. However, the issues remain reproducible.

“As we rely more and more on open-source projects and registries, the security risks associated with them become more apparent,” concluded the researchers.

“The responsibility to protect users lies primarily with the platform. It is essential that the PowerShell Gallery, and similar platforms, take the necessary security measures to improve their security.”

So what to do?

Users can do little but wait for Microsoft to update not only Windows (PowerShell is in fact a Windows tool) but also the PowerShell Gallery database (that is, the site of the same name), so that these scripts harmful to the operating system are removed.

Creating some sort of pseudo-virus with Windows .bat files (which run in the Windows command prompt, of which PowerShell is ultimately the heir) is terribly easy. Add to this that many people do not have a real understanding of the PowerShell tool, and it becomes a snap to download a file that affects the operating system without realising it.