Problem:
Applications (usually ClickOnce) with ".." present at some point in their directory structures fail to elevate when defined in a 'Privilege Elevation' rule of a configuration. As of version 6.8.3, "\.\.", the regex representation of "..", has been included as a default blacklist rule within both 'lwl_elevation_service.xml' and 'default_lwl_elevation_service.xml' of the ProfileUnity client tools.
**NOTE** - Even when ".." is not immediately preceded or followed by "\", creating a directory structure that contains ".." anywhere in the path is poor development practice, and most commercial applications avoid it. ".." in the file path of an executable is generally only observed in Line Of Business (LOB)/internally-developed applications. Removing the "\.\." blacklist rule from 'lwl_elevation_service.xml' should be a last resort, because it exposes the elevation service to possible filesystem traversal (a ".." path segment can make a path resolve outside the directory an elevation rule was intended to cover).
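As an added illustration of why the "\.\." blacklist rule exists (this is example code, not part of this article and not Liquidware's code): the PowerShell below resolves a few constructed sample paths with [System.IO.Path]::GetFullPath and shows that a ".." that is merely part of a folder name stays inside the application directory, whereas a ".." path segment resolves to a location outside it. The function name Test-PathStaysInside, the root directory and the sample paths are assumptions made for the example; the function can be pointed at an application's real paths to judge whether it is the harmless case before deciding to remove the rule.

```powershell
# Added example, not from the KB article. Shows how a prefix-based elevation rule
# sees a path containing ".." before and after normalization.
function Test-PathStaysInside {
    param(
        [Parameter(Mandatory)][string]$AllowedRoot,   # directory the elevation rule is meant to cover
        [Parameter(Mandatory)][string]$ExePath        # path as it would appear in the rule / process image
    )
    $root     = [System.IO.Path]::GetFullPath($AllowedRoot).TrimEnd('\') + '\'
    $resolved = [System.IO.Path]::GetFullPath($ExePath)   # collapses "." and ".." segments
    [pscustomobject]@{
        Path             = $ExePath
        Resolved         = $resolved
        ContainsDotDot   = ($ExePath -match '\.\.')                    # same test the default "\.\." blacklist makes
        HasDotDotSegment = (($ExePath -split '[\\/]') -contains '..')  # true only when ".." is a whole segment
        StaysInsideRoot  = $resolved.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)
    }
}

# Constructed sample values (assumed root and paths; not taken from any real deployment).
$root    = 'C:\Program Files\Contoso LOB'
$samples = @(
    'C:\Program Files\Contoso LOB\bin\app.exe',                          # ordinary path: no ".."
    'C:\Program Files\Contoso LOB\contoso..tion_0001\app.exe',           # ".." inside a folder name (ClickOnce-style)
    'C:\Program Files\Contoso LOB\bin\..\..\..\Windows\System32\cmd.exe' # ".." as a traversal segment
)
$samples | ForEach-Object { Test-PathStaysInside -AllowedRoot $root -ExePath $_ } | Format-Table -AutoSize
```

The second sample is the situation the article describes: ContainsDotDot is true, so the default rule refuses it, yet HasDotDotSegment is false and StaysInsideRoot is true. The third sample is what the rule is there to stop: the raw string still begins with the allowed root, but the resolved path is outside it. An elevation rule that only compares the raw prefix, with the "\.\." blacklist removed, would treat both the same way.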
Possible Resolution(s):
- Create a PowerShell script containing the commands shown below, e.g. AppElevate.ps1. Comments are optional.

```powershell
# Stop ProfileUnity Elevation Service
Stop-Service lwlelevation
# Rename original lwl_elevation_service.xml (the renamed copy serves as a backup)
Rename-Item "C:\Program Files\ProfileUnity\Elevation\lwl_elevation_service.xml" "C:\Program Files\ProfileUnity\Elevation\lwl_elevation_service.xml.old"
# Write every line except the one containing "\.\." from the renamed XML to a new XML of the original name.
# -SimpleMatch treats "\.\." as literal text rather than as a regex, so only the blacklist rule line is dropped.
Get-Content "C:\Program Files\ProfileUnity\Elevation\lwl_elevation_service.xml.old" | Select-String -SimpleMatch -NotMatch "\.\." | Set-Content "C:\Program Files\ProfileUnity\Elevation\lwl_elevation_service.xml"
# Start ProfileUnity Elevation Service
Start-Service lwlelevation
```

- Create a post-login 'Application Launcher' rule using the parameters below. The script needs to run post-login, as setting the timing to "During Configuration Execution" will prevent any elevation rules defined in the configuration from applying.

Target:
%SystemRoot%\System32\cmd.exe
Arguments:
/c powershell.exe -executionpolicy bypass -windowstyle hidden -noninteractive -nologo -NoProfile \\Server\Share\Scripts\AppElevate.ps1
Timing:
After Configuration Execution
Hide Progress During Execution:
True
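An added check (example code, not part of this article) to run after AppElevate.ps1 has executed, using the file paths and service name the article gives: it confirms that the backup exists, that no line of the new XML still contains the literal text "\.\.", how many lines were removed (the expected value is 1; a larger number means another line matched and should be inspected), and that the elevation service is back to Running. The function name Test-ElevationRuleRemoved is an assumption made for the example.

```powershell
# Added example, not from the KB article. Verifies the effect of AppElevate.ps1.
$xml     = 'C:\Program Files\ProfileUnity\Elevation\lwl_elevation_service.xml'
$backup  = "$xml.old"
$pattern = '\.\.'   # literal text of the blacklist rule; -SimpleMatch keeps it from being read as a regex

function Test-ElevationRuleRemoved {
    $result = [ordered]@{
        BackupExists     = Test-Path -LiteralPath $backup
        XmlExists        = Test-Path -LiteralPath $xml
        RuleStillPresent = $null
        LinesRemoved     = $null
        ServiceStatus    = (Get-Service -Name lwlelevation -ErrorAction SilentlyContinue).Status
    }
    if ($result.XmlExists) {
        # -Quiet returns $true if any line contains the pattern
        $result.RuleStillPresent = [bool](Select-String -LiteralPath $xml -SimpleMatch -Pattern $pattern -Quiet)
    }
    if ($result.BackupExists -and $result.XmlExists) {
        $before = @(Get-Content -LiteralPath $backup).Count
        $after  = @(Get-Content -LiteralPath $xml).Count
        $result.LinesRemoved = $before - $after   # expect exactly 1
    }
    [pscustomobject]$result
}

Test-ElevationRuleRemoved
```

A healthy result reads BackupExists True, XmlExists True, RuleStillPresent False, LinesRemoved 1 and ServiceStatus Running. If RuleStillPresent is True the filter did not match (for instance because the rule is written differently in that version of the XML), and if ServiceStatus is not Running the service should be started before testing elevation of the application.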
Product: ProfileUnity
Product Version: 6.8.3 and above