If you believe you have found a security issue in LaraC2 Shell, please report it privately. Do not open a public issue.
- Email: al.kefallonitis@gmail.com
- Subject line:
[larac2shell security] <short description>
Please include:
- Affected version / commit SHA
- Reproduction steps or proof-of-concept
- Impact assessment (what an attacker could do)
- Any suggested remediation
You can expect an acknowledgement within 72 hours and a remediation plan (fix, workaround, or coordinated disclosure timeline) within 14 days of initial contact.
In scope:
- Authentication bypass or credential mishandling in the shell itself
- Injection flaws in command construction, B64 encoding, or library upload paths
- Improper handling of user-supplied data that could compromise the operator
- Dependency vulnerabilities affecting
shell/runtime behaviour
Out of scope:
- MDE API behaviour or Microsoft service vulnerabilities — report those to MSRC
- Misuse of the tool by an authorised operator against their own tenant (this is the tool's intended purpose, per DISCLAIMER.md)
- Rate-limit evasion, since the framework intentionally respects MDE's documented limits
Only the latest commit on main is supported. This is a single-branch project distributed via git clone; there are no tagged releases at this time.
These are not vulnerabilities — they are documented design trade-offs. Operators should review them before choosing an auth method.
- Internal auth method 1 (Credentials + TOTP) retains the supplied username, password, and TOTP secret in-memory (inside
$script:Int_ReauthParams) for the lifetime of the shell process. This is required for silent re-auth when the portalsccauthcookie expires (~1 hr). The values are never written to disk or passed on the command line, but they are resident in the PowerShell runspace. For stronger isolation, prefer method 2 (passkey / Azure Key Vault HSM) or method 7 (client credentials with a config-file secret). - Config files containing
clientSecretshould have their filesystem permissions restricted. The shell does not enforce or check this. - PSReadLine history is disabled (
HistorySaveStyle = SaveNothing) while the shell is running, so commands typed at the[API ...]>prompt are not persisted to the history file. History from other PowerShell sessions is unaffected. - No secrets on CLI: the shell never accepts secrets via command-line arguments. Secrets come from config files or interactive prompts only.
Security researchers who report valid issues will be credited in release notes unless they request otherwise.