/build/static/layout/Breadcrumb_cap_w.png

CVE-2021-36934 HiveNightmare workaround via Powershell

Hi All,


First time here, I'm a systems admin at a medium sized organisation!


I looking to see if anyone has managed to push a workaround for the above vulnerability via the Kace SMA?


CVE-2021-36934

There is a write up from Sophos below.

https://nakedsecurity.sophos.com/2021/07/21/windows-hivenightmare-bug-could-leak-passwords-heres-what-to-do/

The suggested workaround from microsoft is below:

DxIB1ZFJ56ATAAAAAElFTkSuQmCC

My plan was to push a powershell script from Kace to set the permissions, remove existing shadow copies and create a new restore point. I have written a powershell script which works fine locally, using the vssadmin command. It fails when running through kace with an error:

vssadmin.exe : The term 'vssadmin.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

I have tried to explicitly specify the path to VSSAdmin but it still fails:

C:\windows\system32\vssadmin.exe : The term 'C:\windows\system32\vssadmin.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

Alternatively, I have tried the following script from JoranSlingerland. Similarly, this will run fine locally on my PC but not through kace, still complaining that VSSAdmin

https://github.com/JoranSlingerland/CVE-2021-36934

This still fails to find the vssadmin.exe file, and also is unable to run the WMI commands either.


Where am I going wrong? Has anyone else used Kace SMA to install a workaround for this vulnerability?


TIA :D




More info.  Basic script I have tried to run is below:


icacls c:\windows\system32\config\*.* /inheritance:e vssadmin delete shadows /quiet /all wmic shadowcopy call create Volume=C:\

5MwAAAABJRU5ErkJggg==


Logs:


Output Log

Running as SYSTEM Checking if registry 'HKEY_LOCAL_MACHINE\SOFTWARE\Kace\KBot Configuration\hiveps' value 'key' is equal to '151' did not succeed: (0) Setting registry 'HKEY_LOCAL_MACHINE\SOFTWARE\Kace\KBot Configuration\hiveps' value 'key' equal to '152' succeeded processed file: c:\windows\system32\config\Journal processed file: c:\windows\system32\config\RegBack processed file: c:\windows\system32\config\systemprofile processed file: c:\windows\system32\config\TxR Successfully processed 4 files; Failed processing 0 files vssadmin : The term 'vssadmin' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\209\hive.ps1:2 char:1 + vssadmin delete shadows /quiet /all + ~~~~~~~~ + CategoryInfo : ObjectNotFound: (vssadmin:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException Executing (Win32_ShadowCopy)->create() Launched Process: powershell.exe

Activity Log

verify - registry_value_is Checking if registry 'HKEY_LOCAL_MACHINE\SOFTWARE\Kace\KBot Configuration\hiveps' value 'key' is equal to '151' verify - set_registry_value Setting registry 'HKEY_LOCAL_MACHINE\SOFTWARE\Kace\KBot Configuration\hiveps' value 'key' equal to '152' verify - launch_program Launching program: 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe' '-executionpolicy bypass -File C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\209\hive.ps1' wait='true' verify - on_remediation_success verify - on_remediation_failure

Debug Log

Running kbot: runkbot 209 1628006234 KBotScript::LogScriptInfo - Start id=209 name=hive nightmare Powershell version=1628006234 type=policy execute disconnected=true logged_off=false execute events KBotScript::LogScriptInfo - Finish KBotScript::LogScriptInfo - Start id=209 name=hive nightmare Powershell version=1628006234 type=policy execute disconnected=true logged_off=false execute events KBotScript::LogScriptInfo - Finish KBotScriptManager::CleanupDependencies - clean up dependencies in kbot directory C:\ProgramData\Quest\KACE\kbots_cache\\packages\kbots\209\ CleanupDependencies: file hive.ps1 is part of the dependency list, keep the file runkbot ----- launching [path='C:\WINDOWS\System32\WindowsPowerShell\v1.0' program='powershell.exe' parms='-executionpolicy bypass -File C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\209\hive.ps1' wait='true'] ----- runkbot ----- completed [exitCode=0] -----

0 Comments   [ + ] Show comments

Answers (4)

Posted by: Justin_kace 1 month ago
Senior White Belt
2

Calling powershell .exe from the sysnative folder failed to run the script at all. However this has helped me to find the issue!


I added "cd $Env:WinDir\sysnative" to the start of my script, and changed "vssadmin" to .\vssadmin.exe and the script now runs successfully. I also had trouble running wmic commands, so I had to use the explicit path for this too.

It's a bit crude, but here is the script that seems to run without fail:

icacls c:\windows\system32\config\*.* /inheritance:e
cd $Env:WinDir\sysnative
.\vssadmin.exe delete shadows /quiet /all
cd wbem
.\wmic.exe shadowcopy call create Volume=C:\
cd ..
.\vssadmin.exe list shadows


in hindsight, it would probably have been tidier to use:

icacls c:\windows\system32\config\*.* /inheritance:e
cd $Env:WinDir\sysnative
.\vssadmin.exe delete shadows /quiet /all
.\wbem\wmic.exe shadowcopy call create Volume=C:\
.\vssadmin.exe list shadows


Thanks for your help with this, I hope this also helps anyone else who was having trouble patching this vulnerability!


Comments:
  • Thank you! I've been struggling to build a standard Kace script with tasks. $(KACE_SYS_DIR) as the path works great for icacls, but always returned invalid path for vssadmin. Using %WinDir%\sysnative for vssadmin works perfectly!

    Great work finding the correct path! - JonHall 1 month ago
Posted by: paulfaz 1 month ago
Yellow Belt
0

Had similar issue due to kace agent being 32-bit so running 32-bit powershell on 64-bit Windows. Try launching powershell using the path below and that should run 64-bit powershell.


%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe

Posted by: Justin_kace 1 month ago
Senior White Belt
0

Hi Paul,


Thanks for your suggestion, I will try this now! Fingers crossed!



Posted by: JonHall 1 month ago
Senior Purple Belt
0

I used Justin's path info to build a standard Kace script with tasks. It will fail if there aren't any shadows present, but I'm not too concerned about false failures. I think the two icacls commands are necessary, but I'm not positive on that. The first appeared to clear the High vulnerability, and the second cleared the Medium one.

AaAO7Owhc6utAAAAAElFTkSuQmCC

 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ