CVE-2023-34634 Overview
CVE-2023-34634 is an insecure deserialization vulnerability affecting Greenshot, a popular open-source screenshot utility for Windows. Greenshot version 1.2.10 and below allows arbitrary code execution because .NET content is insecurely deserialized when a .greenshot file is opened. This vulnerability enables attackers to craft malicious .greenshot files that, when opened by a victim, execute arbitrary code on the target system.
Critical Impact
Successful exploitation allows attackers to execute arbitrary code with the privileges of the user running Greenshot. This can lead to complete system compromise, data theft, malware installation, or lateral movement within a network.
Affected Products
- Greenshot versions 1.2.10 and below
- All Greenshot installations processing untrusted .greenshot files
- Windows systems running vulnerable Greenshot versions
Discovery Timeline
- 2023-08-01 - CVE-2023-34634 published to NVD
- 2025-10-02 - Last updated in NVD database
Technical Details for CVE-2023-34634
Vulnerability Analysis
This vulnerability stems from insecure .NET deserialization practices within Greenshot's file handling mechanism. When a user opens a .greenshot file, the application deserializes the file contents without proper validation or security controls. The .NET BinaryFormatter serialization mechanism is known to be inherently insecure when processing untrusted data, as it can instantiate arbitrary types during deserialization.
The attack requires local access or user interaction to open a malicious file. The vulnerability affects confidentiality, integrity, and availability as successful exploitation grants the attacker full control over the execution flow, allowing arbitrary code execution within the context of the Greenshot process.
Root Cause
The root cause is the use of insecure deserialization when processing .greenshot project files. The application uses .NET's BinaryFormatter to deserialize file contents without implementing proper type restrictions or validation. This allows an attacker to embed malicious serialized objects within a .greenshot file that execute arbitrary code when deserialized.
The vulnerability specifically relates to how custom types like NativePoint structures are serialized and deserialized within drawing containers such as SpeechbubbleContainer. The patch modifies these to use standard Point types, reducing the attack surface for type confusion during deserialization.
Attack Vector
The attack vector is local, requiring user interaction to open a malicious .greenshot file. An attacker could distribute malicious files via:
- Email attachments disguised as legitimate screenshot project files
- File sharing platforms or cloud storage
- Compromised websites offering Greenshot templates
- Social engineering to convince users to open crafted files
The following patch demonstrates the security fix applied to address this vulnerability:
[Serializable]
public class SpeechbubbleContainer : TextContainer
{
- private NativePoint _initialGripperPoint;
+ private Point _initialGripperPoint;
// Only used for serializing the TargetGripper location
- private NativePoint _storedTargetGripperLocation;
+ private Point _storedTargetGripperLocation;
/// <summary>
/// Store the current location of the target gripper
Source: GitHub Greenshot Commit
The patch replaces custom NativePoint types with standard Point types in the SpeechbubbleContainer class, reducing the deserialization attack surface by using well-known, controlled types instead of custom serializable classes.
Detection Methods for CVE-2023-34634
Indicators of Compromise
- Unexpected .greenshot files appearing in download directories or email attachments
- Greenshot process spawning child processes or making unexpected network connections
- Suspicious file access patterns following the opening of .greenshot files
- Process execution chains originating from Greenshot.exe
Detection Strategies
- Monitor for Greenshot.exe spawning unexpected child processes such as cmd.exe, powershell.exe, or mshta.exe
- Implement endpoint detection rules for .NET deserialization gadget chains
- Use application whitelisting to restrict executable spawning from Greenshot
- Deploy behavioral analysis to detect anomalous post-exploitation activities
Monitoring Recommendations
- Enable enhanced logging for file operations involving .greenshot extensions
- Monitor network traffic originating from Greenshot processes for command-and-control indicators
- Implement SentinelOne's behavioral AI to detect deserialization exploit patterns
- Review security logs for unusual process creation events correlated with Greenshot execution
How to Mitigate CVE-2023-34634
Immediate Actions Required
- Update Greenshot to the latest version that includes the security patch
- Avoid opening .greenshot files from untrusted or unknown sources
- Configure email gateways to quarantine or block .greenshot file attachments
- Educate users about the risks of opening files from untrusted sources
Patch Information
The vendor has released a security patch addressing this vulnerability. The fix is available in commit a152e2883fca7f78051b3bd6b1e5cc57355cb44c on the official Greenshot GitHub repository. Users should update to the patched version immediately. For additional details, refer to the GitHub Greenshot Commit and the Greenshot Bug Tracker Issue.
Workarounds
- Block or quarantine .greenshot files at email and web gateways until patching is complete
- Implement application control policies to prevent Greenshot from spawning unexpected child processes
- Use endpoint protection solutions like SentinelOne to detect and block exploitation attempts
- Consider temporarily disabling Greenshot's file association with .greenshot files in high-risk environments
# Windows: Remove .greenshot file association as a temporary workaround
assoc .greenshot=
# Alternatively, block the extension at the Group Policy level
# or use SentinelOne's application control policies
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
