extension Winrm Web IIS Management blocked
Am-Na-D opened this issue · 1 comments
Extension name
Winrm IIS Web App Management
Extension version
3.*
Environment type (Please select at least one environment where you face this issue)
- Self-Hosted
- Microsoft Hosted
- VMSS Pool
- Container
Azure DevOps Server type
dev.azure.com (formerly visualstudio.com)
Azure DevOps Server Version (if applicable)
Azure DevOps Server 2022.0.1
Operating system
Windows Server 2022 / 2019 / 2016
Question
Hi,
Recently we faced a new problem: our antivirus blocked the WinRM IIS Web Management task on a remote machine.
I looked into the extension (https://github.com/microsoft/azure-pipelines-extensions/tree/master/Extensions/IISWebAppDeploy/Src/Tasks/IISWebAppMgmt/IISWebAppMgmtV3) and understand that the reason for the block is the Invoke-Expression command that exists inside one of the PowerShell files in the extension.
Now I want to know why that just happened.
What's the problem?
Why must the AV block this command?
Is it a risky command for Windows?
NOTICE: the brand of our AV is BitDefender
NOTICE: our BitDefender uses the Windows AMSI
Hi @Am-Na-D
Generally, your defender identifies the potential vulnerability correctly.
The use of Invoke-Expression in PowerShell can be risky, particularly when incorporating unsanitized user input:
```powershell
# Simulated user input that includes an injection attempt
# (`&&` is the PowerShell 7+ pipeline chain operator; on Windows PowerShell 5.1 a `;` separator plays the same role)
$userInput = "Get-Date && Remove-Item -Path C:\SensitiveFile -Force"
# Dangerous use of Invoke-Expression with user input: the whole string is parsed and run as code,
# so the attacker-controlled part becomes a second statement
Invoke-Expression "Write-Output 'The current date is: ';$userInput"
```
As the example shows, the command executed by Invoke-Expression might contain a malicious command attached via the && operator. So, it's not recommended to use Invoke-Expression.
From our side, we're trying to minimize its usage as much as we can. Also, we have built-in sanitization for the commands we're executing, which prevents potential code injections.
Hope I answered your question 😊
If you don't have any other questions - feel free to close this issue.
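Added example, not code from the reply above or from the extension itself: the injectable pattern the reply describes placed beside a hardened form that keeps user input as data. The task step, site name, allow-list and function names are assumed for illustration.

```powershell
# --- Vulnerable pattern: user input is concatenated into text that is then run as code ---
function Show-SiteVulnerable {
    param([string]$SiteName)
    # Everything in the string is parsed as PowerShell. A ';' (or '&&' on PS 7+) inside
    # $SiteName ends the intended statement and starts an attacker-chosen one.
    # AMSI sees the final string at run time, which is why an AV can flag this call.
    Invoke-Expression "Write-Output 'Site: $SiteName'"
}

# --- Hardened form: the value is only ever passed as an argument, never as code text ---
function Show-SiteHardened {
    param([string]$SiteName)
    # No string-to-code step exists, so separators in the input stay literal characters.
    Write-Output "Site: $SiteName"
}

# --- When the command itself must be chosen at run time, use the call operator with an
#     allow-list and splat the arguments instead of building a command line ---
function Invoke-AllowedCommand {
    param([string]$Command, [hashtable]$Arguments = @{})
    $allowed = @('Get-Website', 'Get-WebAppPoolState', 'Get-Date')   # constructed allow-list
    if ($allowed -notcontains $Command) {
        throw "Command '$Command' is not permitted"
    }
    & $Command @Arguments   # arguments are bound as parameters, not parsed as script
}

# Constructed input: an injection attempt hidden in what should be a site name.
$userInput = "Default Web Site'; Write-Output 'INJECTED"

Show-SiteVulnerable -SiteName $userInput   # two statements run; "INJECTED" is printed
Show-SiteHardened   -SiteName $userInput   # one statement; the input is echoed verbatim
Invoke-AllowedCommand -Command 'Get-Date' -Arguments @{ Format = 'yyyy-MM-dd' }
```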