Greenshot Arbitrary Code Execution Vulnerability

[TESTER-sec]

It was reported on the Greenshot JIRA that a special file can be created that can exploit Greenshot.

https://greenshot.atlassian.net/jira/software/c/projects/BUG/issues/BUG-3061?filter=allissues

At this point, the project knows about this vulnerability. So it begs the questions - Then why is Greenshot still available for download?

The download link be taken down until a new version with a security fix is released? Also the project should issue a public advisory. If the reported vulnerability will not be fixed anytime soon, then what is the risk to those who use the latest (2017) version?

[Lakritzator]

Hi,

It feels like you see us like a company? I work on Greenshot whenever I have free time left, and also feel like it. I do not have time to read and answer everything that gets reported on a timely base. I didn't read the issue before I noticed your issue.

Let's look at the information first: so someone reports it is possible to to have Greenshot execute code by opening a special .greenshot file. As I couldn't say it's impossible, let us assume it is. For this vulnerability, someone has to receive this specific file and open it with Greenshot. It's a bit like someone receiving a word document with malware, or a malware executable.

There is not much sense in taking down the download link, it can be downloaded on so many sites, that we are not really much in control. We could do so, just for the sake. What does make sense is a public advisory, and see what we can undertake to minimize damage. One step I could image, is provide a quick and simple registry fix to remove the file-type registration, so if someone clicks a .greenshot file it is no longer opened with Greenshot. This won't prevent them from using other means inside of Greenshot, but it's a bit cumbersome and thus not likely.

I will get into contact with this person on JIRA, I have to see it to understand.

Best wishes,
Robin

[TESTER-sec]

It feels like you see us like a company? I work on Greenshot whenever I have free time left, and also feel like it. I do not have time to read and answer everything that gets reported on a timely base. I didn't read the issue before I noticed your issue.

Hello Robin,

We are aware that Greenshot is maintained by volunteers. Everybody is grateful for your efforts.

Thank you

[rxhvtjv]

This is no surprise, greenshot does not seem to care about security. They provided a weak excuse for literally triggering an unwanted internet connection plus browser popup on an alleged "silent" install. That poses a security risk and they are well aware of it. They have no intention to fix it.

[rxhvtjv]

It was reported on the Greenshot JIRA that a special file can be created that can exploit Greenshot.

https://greenshot.atlassian.net/jira/software/c/projects/BUG/issues/BUG-3061?filter=allissues

At this point, the project knows about this vulnerability. So it begs the questions - Then why is Greenshot still available for download?

The download link be taken down until a new version with a security fix is released? Also the project should issue a public advisory. If the reported vulnerability will not be fixed anytime soon, then what is the risk to those who use the latest (2017) version?

Thank you for the link and documentation, I will make good use of that info.

[rxhvtjv]

It feels like you see us like a company? I work on Greenshot whenever I have free time left, and also feel like it. I do not have time to read and answer everything that gets reported on a timely base. I didn't read the issue before I noticed your issue.

Hello Robin,

We are aware that Greenshot is maintained by volunteers. Everybody is grateful for your efforts.

Thank you

While that is true, it simply is no excuse to expose the system to such risks and things that are unwanted by the user.

It's still their software and responsibility, regardless of the fact that it’s available from different sources.

They cannot perpetually ignore user requests and legitimate issues in the software.

[TESTER-sec]

This is no surprise, greenshot does not seem to care about security. They provided a weak excuse for literally triggering an unwanted internet connection plus browser popup on an alleged "silent" install. That poses a security risk and they are well aware of it. They have no intention to fix it.

Greenshot is a freeware developed and maintained by volunteers. It looks like it is actually a "one-man shop." They do not owe anybody anything nor does anybody have a right to expect any fixes.

Ethically they should put out an advisory. If they do that, and distribute that advisory appropriately, then they have fulfilled their obligation to userland regarding the current version.

My original post was not to elicit a fix necessarily, but for the project to release an advisory on its own website as well as send that advisory to the most popular, widely used download sites.

It was reported on the Greenshot JIRA that a special file can be created that can exploit Greenshot.
https://greenshot.atlassian.net/jira/software/c/projects/BUG/issues/BUG-3061?filter=allissues
At this point, the project knows about this vulnerability. So it begs the questions - Then why is Greenshot still available for download?
The download link be taken down until a new version with a security fix is released? Also the project should issue a public advisory. If the reported vulnerability will not be fixed anytime soon, then what is the risk to those who use the latest (2017) version?

Thank you for the link and documentation, I will make good use of that info.

All a user need do is block .greenshot file type. How easy was that? It's not as if distributing malicious .greenshot files is ever going to be a viable malware campaign.

It feels like you see us like a company? I work on Greenshot whenever I have free time left, and also feel like it. I do not have time to read and answer everything that gets reported on a timely base. I didn't read the issue before I noticed your issue.

Hello Robin,
We are aware that Greenshot is maintained by volunteers. Everybody is grateful for your efforts.
Thank you

While that is true, it simply is no excuse to expose the system to such risks and things that are unwanted by the user.

It's still their software and responsibility, regardless of the fact that it’s available from different sources.

They cannot perpetually ignore user requests and legitimate issues in the software.

Don't like it? Then you have the freedom not to use Greenshot. Go use something else.

It feels like you see us like a company? I work on Greenshot whenever I have free time left, and also feel like it. I do not have time to read and answer everything that gets reported on a timely base. I didn't read the issue before I noticed your issue.

Hello Robin,
We are aware that Greenshot is maintained by volunteers. Everybody is grateful for your efforts.
Thank you

While that is true, it simply is no excuse to expose the system to such risks and things that are unwanted by the user.

It's still their software and responsibility, regardless of the fact that it’s available from different sources.

They cannot perpetually ignore user requests and legitimate issues in the software.

It is a freeware. They can ignore whatever they want. They have no obligation to anyone. Read the Greenshot EULA.

[Lakritzator]

@HJLBX I blocked the person, he is unfortunately only here to troll. See #470 and #476
I wasn't quick enough to find the block, it's the first person I ever had to, so he got to other issues like this.

FYI: I requested more information about the mentioned vulnerability, but didn't get any yet. The person might be busy with other stuff, or it might be nothing (trolling, discrediting, joke).

[Lakritzator]

To make Windows ignore the .greenshot files, you can removed the registry keys by providing a Greenshot-Remove-Filetype.reg file with the following content:

Windows Registry Editor Version 5.00

[-HKEY_CLASSES_ROOT\.greenshot]
[-HKEY_CLASSES_ROOT\Greenshot]

[-HKEY_CURRENT_USER\Software\Classes\.greenshot]
[-HKEY_CURRENT_USER\Software\Classes\Greenshot]

I couldn't attach the file itself, as GitHub is sensible and totally does it correct not to attach .reg files 😏

Or use Powershell:

Remove-Item -Path HKCU:\SOFTWARE\Classes\.greenshot -Force
Remove-Item -Path HKCU:\SOFTWARE\Classes\Greenshot -Force
Remove-Item -Path HKLM:\SOFTWARE\Classes\.greenshot -Force
Remove-Item -Path HKLM:\SOFTWARE\Classes\Greenshot -Force

This doesn't prevent from opening them in Greenshot itself, this is possible via the Greenshot tray icon, selecting "Open image from file" (when you have it on English)

[AkechiShiro]

Hi @Lakritzator I believe this issue should get addressed as a metasploit module is currently being written to exploit it, this shoud lower the entry level for any kind of attackers, see rapid7/metasploit-framework#18253

I don't think this is all about trolls and spamming at the end of the day, but some people have been badly communicating that's true. They've been adding unnecessary/unhelpful noise to this issue.

I don't use Greenshot so I'm not requesting a fix, if there is a fix, I want to be done, I'd try and give a hand at it myself.
EDIT: Adding PoC : https://www.exploit-db.com/exploits/51633

[ZoltrixGFC]

https://nvd.nist.gov/vuln/detail/CVE-2023-34634

[jklingen]

The fix is now finally included in the stable (and signed) 1.3 release (as of v1.3.292). 🎉
(Unstable releases already included it as of v1.3.275.)