PowerShell security issue with file access

I ran into strange behavior of PowerShell, which I consider being a security issue. I don’t know if this is expected behavior built in by Microsoft, but by using this “bug”, you can check the contents of a folder to which you don’t have access permissions. When using the Test-Path cmdlet, the command behaves a bit different than expected.

If Test-Path is used on a file which is in a folder where you don’t have access permissions to (eg. NTFS permissions are set), the command returns $false, but also throws an UnauthorizedAccessException (access denied). However, when the file actually doesn’t exist, the command will only return $false. By catching the error, you know if the file exists or not. By using a brute-force method, you can enumerate the entire contents of the directory. This way it’s possible to find out what kind of applications are installed on a machine, and possibly exploiting weakness in these applications. Read More