03/05/2019 490 views

I have set up a Script to run a PowerShell script to fix an Unquoted Windows Service Path vulnerability. I have run the .ps1 script manually and I know it does what it needs to. I have set up the following in my K1000 system Script area:

The Entire Parameters Section is:  -nologo -executionpolicy bypass -WindowStyle hidden -file $(KACE_DEPENDENCY_DIR)\Windows_Path_Enumerate.ps1


I will run it against a machine or two for testing, and the results will be Successful (I have masked the Domain and User):


Output Log

Running with credntials provided: domain [xxxxx] user [xxxxx]
Launched Process: powershell.exe

Activity Log

verify - on_verify_success
verify - on_verify_failure
verify - launch_program
Launching program: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' '-nologo -executionpolicy bypass -WindowStyle hidden -file C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\95\Windows_Path_Enumerate.ps1' wait='false'

Debug Log

Running kbot: runkbot 95 1551803362
KBotScript::LogScriptInfo - Start
id=95 name=Copy of Windows Enumerate version=1551803362 type=policy
execute disconnected=false logged_off=true
execute events
KBotScript::LogScriptInfo - Finish
KBotScript::LogScriptInfo - Start
id=95 name=Copy of Windows Enumerate version=1551803362 type=policy
execute disconnected=false logged_off=true
execute events
KBotScript::LogScriptInfo - Finish
KBotScriptManager::CleanupDependencies - clean up dependencies in kbot directory C:\ProgramData\Dell\KACE\kbots_cache\\packages\kbots\95\
CleanupDependencies: file Windows_Path_Enumerate.ps1 is part of the dependency list, keep the file
runkbot    ----- launching [path='C:\Windows\System32\WindowsPowerShell\v1.0' program='powershell.exe' parms='-nologo -executionpolicy bypass -WindowStyle hidden -file C:\ProgramData\Dell\KACE\kbots_cache\packages\kbots\95\Windows_Path_Enumerate.ps1' wait='false'] -----
runkbot    ----- completed [exitCode=0] -----

However, when I check the registry of the machine I've run this on, it is still unquoted, hence the vulnerability remains.  If I run it manually on the PC, it works.  I have 200 PCs I need to do this on, so it would be a blessing if I can get this to work.  It seems it is not taking the ExecutionPolicy setting, but it is not failing, so I can't be sure.  Does anyone have any ideas about how to get this to work?  Thanks for any help anyone can provide


All Answers

3

You are running into the 32 bit client restrictions.  I bet the change is going to wow6432node keys under the HKLM\software\ instead of in HKLM\software.

Nate shared this PS code on Kace slack with everyone

# Relaunch in x64 powershell if not already
if ($PSHOME -like "*syswow64*") {
    Write-Output 'Relaunching as x64'
    & (Join-Path ($PSHOME -replace 'syswow64', 'sysnative') powershell.exe) `
        -File $Script:MyInvocation.MyCommand.Path `
        @args
    Exit
}


Answered 03/05/2019 by: SMal.tmcc
Red Belt

  • https://gist.github.com/ArtisanByteCrafter/91167d5178a13f7c038236a5d7881ca7
    • Thank you for the reply. The problem is, these are 32-Bit OS machines. When I added the lines to switch to 64 Bit, it threw an error. Once I removed the lines, it worked properly.
      • My bad, I assumed 64-bit; I have not been around a 32-bit machine in years.
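
An added example, not code from this thread or from Windows_Path_Enumerate.ps1: a read-only PowerShell check that can be run after the fix script to confirm the result instead of relying on exitCode=0. It logs the bitness of the PowerShell process it ran in, lists every service ImagePath that is still unquoted, and exits non-zero when any remain. The log location and the function name Test-UnquotedServicePath are assumptions.

```powershell
# Added example: audit only, changes nothing in the registry.
# Assumption: log location; pick a path your deployment account can write to.
$LogPath = Join-Path $env:TEMP 'UnquotedServicePath_Audit.log'

function Test-UnquotedServicePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrEmpty($ImagePath)) { return $false }
    $p = $ImagePath.Trim()
    if ($p.StartsWith('"')) { return $false }      # already quoted
    # Executable portion: shortest prefix ending in ".exe" followed by a space or end of string
    $m = [regex]::Match($p, '^(.+?\.exe)(\s|$)', 'IgnoreCase')
    if (-not $m.Success) { return $false }         # e.g. .sys driver entries, not covered here
    return $m.Groups[1].Value.Contains(' ')        # a space inside an unquoted exe path
}

# Record which PowerShell actually ran: works on PowerShell 2.0 and later.
$bitness = if ([IntPtr]::Size -eq 8) { '64-bit' } else { '32-bit' }
# PROCESSOR_ARCHITEW6432 is set only for a 32-bit process on 64-bit Windows.
$wow64 = [bool]$env:PROCESSOR_ARCHITEW6432

# @( ) guarantees an array even when nothing is found.
$findings = @(
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ip = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
            if (Test-UnquotedServicePath $ip) { '{0}: {1}' -f $_.PSChildName, $ip }
        }
)

$header = '{0} host={1} user={2} process={3} wow64={4} unquoted={5}' -f `
    (Get-Date -Format s), $env:COMPUTERNAME, $env:USERNAME, $bitness, $wow64, $findings.Count

# Append to the log and also write to stdout.
@($header) + $findings | Out-File -FilePath $LogPath -Append -Encoding UTF8
$header
$findings

# Non-zero exit when unquoted paths remain.
if ($findings.Count -gt 0) { exit 1 } else { exit 0 }
```

Comparing the log from a manual run with the log from a deployed run shows whether the two ran as the same account and bitness, and whether the fix took effect in each case.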