CVE-2023-34634 Overview
CVE-2023-34634 is an insecure deserialization vulnerability in Greenshot versions 1.2.10 and below. The screenshot utility deserializes .NET content from .greenshot files without proper type validation. Opening a crafted .greenshot file triggers arbitrary code execution in the context of the current user.
The flaw affects the desktop screenshot tool widely deployed across Windows endpoints. Attackers can weaponize the file format by embedding malicious serialized .NET objects that execute upon deserialization. Exploit code is publicly available through Exploit-DB and Packet Storm, increasing the practical risk to organizations running unpatched installations.
Critical Impact
Arbitrary code execution on the victim endpoint with the privileges of the user opening the crafted .greenshot file, enabling initial access and lateral movement scenarios.
Affected Products
- Greenshot 1.2.10 and earlier versions
- Later reports also describe a deserialization command execution issue in Greenshot 1.3.274
- Windows endpoints with Greenshot installed as the default .greenshot file handler
Discovery Timeline
- 2023-08-01 - CVE-2023-34634 published to NVD
- 2025-10-02 - Last updated in NVD database
Technical Details for CVE-2023-34634
Vulnerability Analysis
The vulnerability is an Insecure Deserialization flaw in how Greenshot processes its proprietary .greenshot file format. The application uses .NET binary deserialization to reconstruct objects stored in these files. The deserializer accepts arbitrary type information embedded in the serialized stream without restricting permitted types.
Attackers craft a .greenshot file containing a malicious object graph using known .NET deserialization gadget chains. When a user opens the file, Greenshot invokes the deserializer, which instantiates the attacker-controlled types and triggers method execution during object reconstruction. The result is arbitrary code execution under the user's account.
The attack requires user interaction but no authentication. The exploit operates locally once the malicious file reaches the target, typically delivered through phishing, file shares, or removable media.
Root Cause
The root cause is the use of an unsafe .NET deserialization mechanism such as BinaryFormatter without a SerializationBinder that restricts deserializable types. Microsoft has documented BinaryFormatter as dangerous and deprecated for untrusted input. The Greenshot maintainers addressed the issue in commit a152e2883fca7f78051b3bd6b1e5cc57355cb44c, which constrains the types accepted during deserialization.
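The root-cause pattern described above, as an added C# example that is not Greenshot's own code: the unrestricted BinaryFormatter call beside a version whose SerializationBinder allow-lists the single container type a file is expected to hold. CapturedImageContainer and the loader names are assumed stand-ins, and the code targets .NET Framework, where BinaryFormatter is still enabled by default.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Assumed stand-in for whatever object graph a .greenshot file carries.
[Serializable]
public sealed class CapturedImageContainer
{
    public string Title = "";
    public byte[] PngBytes = Array.Empty<byte>();
}

// Vulnerable pattern: with no Binder the formatter instantiates whatever type
// names the stream carries, so a crafted file can name gadget types instead.
public static class UnsafeLoader
{
    public static object Load(Stream file)
    {
        return new BinaryFormatter().Deserialize(file);
    }
}

// Hardened pattern: every type name in the stream is checked against an
// allow-list before instantiation; anything else aborts deserialization.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Type[] Allowed = { typeof(CapturedImageContainer) };

    public override Type BindToType(string assemblyName, string typeName)
    {
        foreach (var t in Allowed)
            if (t.FullName == typeName)
                return t;
        throw new SerializationException(
            $"Refused type '{typeName}' from '{assemblyName}' in untrusted stream");
    }
}

public static class SafeLoader
{
    public static CapturedImageContainer Load(Stream file)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        return (CapturedImageContainer)formatter.Deserialize(file);
    }
}
```

A binder narrows the attack surface, but Microsoft's guidance is that BinaryFormatter cannot be made safe for untrusted input; the durable fix is a fixed-schema format for the image and its metadata that performs no type loading from the stream at all.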
Attack Vector
An attacker creates a malicious .greenshot file using publicly available gadget generators such as ysoserial.net. The file is delivered through email attachments, shared drives, or web downloads. When the victim double-clicks the file, the registered Greenshot handler deserializes the embedded payload and executes the attacker's command. Refer to the Exploit-DB #51633 entry and Packet Storm advisory for technical details.
Detection Methods for CVE-2023-34634
Indicators of Compromise
- Unexpected child processes spawned by Greenshot.exe, particularly cmd.exe, powershell.exe, rundll32.exe, or mshta.exe
- .greenshot files originating from email attachments, downloads, or external shares
- Outbound network connections initiated by Greenshot.exe to untrusted hosts shortly after file open events
- File write events from Greenshot.exe placing executables or scripts into user-writable directories
Detection Strategies
- Monitor process lineage for Greenshot.exe parenting interpreters or LOLBins, which indicates deserialization gadget execution
- Alert on .greenshot files arriving via mail gateways, browsers, or messaging clients, since the file type is uncommon outside a user's own screenshot workflow
- Inspect command-line arguments of child processes for encoded PowerShell, Base64 blobs, or download cradles
Monitoring Recommendations
- Inventory endpoints running Greenshot and confirm the installed version against the patched release
- Enable EDR telemetry for process creation, image loads, and script block logging on hosts with Greenshot installed
- Correlate file open events for .greenshot extensions with subsequent process and network activity
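The process-lineage and command-line checks above, as an added C# example rather than anything from the page or from Greenshot: it runs the rule over a few constructed process-creation records shaped like Sysmon Event ID 1 fields. The child-process list extends the four examples on the page with other common script hosts; of the three constructed records only the cmd.exe child fires.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;

// Minimal stand-in for a Sysmon Event ID 1 / EDR process-creation record.
public sealed record ProcessEvent(string ParentImage, string Image, string CommandLine);
public static class GreenshotLineageRule
{
    // Interpreters and LOLBins named on the page, plus common script hosts.
    static readonly HashSet<string> RiskyChildren = new(StringComparer.OrdinalIgnoreCase)
    {
        "cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe",
        "wscript.exe", "cscript.exe", "regsvr32.exe"
    };

    // Encoded-command switches, a long Base64 run, or common download cradles.
    static readonly Regex SuspiciousArgs = new(
        @"(?i)-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|[A-Za-z0-9+/=]{100,}" +
        @"|Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|Net\.WebClient",
        RegexOptions.Compiled);

    public static List<string> Evaluate(IEnumerable<ProcessEvent> events)
    {
        var findings = new List<string>();
        foreach (var e in events)
        {
            // Only children of the registered .greenshot handler are in scope.
            if (!Path.GetFileName(e.ParentImage).Equals("Greenshot.exe", StringComparison.OrdinalIgnoreCase))
                continue;
            var child = Path.GetFileName(e.Image);
            if (RiskyChildren.Contains(child))
                findings.Add($"ALERT Greenshot.exe -> {child}: possible deserialization gadget execution");
            else if (SuspiciousArgs.IsMatch(e.CommandLine))
                findings.Add($"WARN Greenshot.exe -> {child}: suspicious arguments '{e.CommandLine}'");
        }
        return findings;
    }
    public static void Main()
    {
        var sample = new[] // constructed records, not real telemetry
        {
            new ProcessEvent(@"C:\Program Files\Greenshot\Greenshot.exe", @"C:\Windows\explorer.exe", @"explorer.exe /select,C:\shots\a.png"),
            new ProcessEvent(@"C:\Program Files\Greenshot\Greenshot.exe", @"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
            new ProcessEvent(@"C:\Windows\explorer.exe", @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoProfile -Command Get-Date"),
        };
        foreach (var f in Evaluate(sample)) Console.WriteLine(f);
    }
}
```

The same two conditions map directly onto an EDR or SIEM query over ParentImage, Image and CommandLine; the regex is a starting point and should be tuned against the environment's own baseline of Greenshot child processes.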
How to Mitigate CVE-2023-34634
Immediate Actions Required
- Upgrade Greenshot to a version that includes commit a152e2883fca7f78051b3bd6b1e5cc57355cb44c or later
- Block inbound .greenshot file attachments at mail and web gateways until patching is verified
- Instruct users not to open .greenshot files received from external or untrusted sources
- Hunt for prior execution using process lineage queries focused on Greenshot.exe children
Patch Information
The maintainers fixed the deserialization handling in the upstream repository. Review the GitHub commit a152e288 and the Greenshot Bug Ticket BUG-3061 for the authoritative fix. Deploy the updated Greenshot build through standard software distribution channels and validate the installed version on all endpoints.
Workarounds
- Unregister the .greenshot file association from Greenshot if patching cannot be completed immediately
- Apply application allowlisting rules that prevent Greenshot.exe from spawning script interpreters or shells
- Restrict the delivery of .greenshot files through email and web content filters
# Remove the .greenshot file association on Windows (PowerShell, run as admin)
# Check the current mapping first, since the ProgID name may differ per install:
#   cmd /c "assoc .greenshot"
# assoc/ftype only change the machine-wide classes; a per-user association set
# through Default Apps (UserChoice) can still route the extension to Greenshot,
# so re-open a .greenshot file afterwards to confirm nothing handles it.
cmd /c "assoc .greenshot="        # drop the extension -> ProgID mapping
cmd /c "ftype Greenshot.File="    # drop the ProgID -> open command mapping
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.