Aids in the detection and removal of the problem created by CVE-2021-36934
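# https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36934
#
# Detection only (no changes are made). Script result:
#   $true  - BUILTIN\Users holds no Allow ACE with a Read-type right on the SAM hive
#   $false - BUILTIN\Users can read the SAM hive (possible exposure), OR the ACL
#            could not be read at all.
# Returning $false on a read failure is deliberate: the original
# `$ErrorActionPreference = "SilentlyContinue"` turned any Get-Acl error into a
# "not vulnerable" answer, which is the wrong default for a security check.
$samPath = Join-Path $env:windir 'system32\config\sam'
try {
    $samAcl = Get-Acl -Path $samPath -ErrorAction Stop
}
catch {
    Write-Warning "Unable to read ACL of ${samPath}: $($_.Exception.Message)"
    return $false
}
# Only Allow entries count; a Deny ACE whose rights string mentions "Read" must
# not be reported as exposure. Any rights string containing "Read"
# (Read, ReadAndExecute, ReadData, ...) granted to BUILTIN\Users is flagged.
$usersCanRead = $samAcl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'BUILTIN\\Users' -and
        $_.FileSystemRights -match 'Read'
    }
if ($usersCanRead) {
    # write-host "May be vulnerable: Arbitrary Read permissions for SAM file"
    return $false
}
else {
    # write-host "Does not seem to be vulnerable, SAM permissions are fine"
    return $true
}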
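# based on https://github.com/JoranSlingerland/CVE-2021-36934/blob/main/CVE-2021-36934.ps1
# and https://github.com/AdamNSTA/Syncro/blob/main/CVE-2021-36934/Workaround.ps1
# change permissions and delete shadows
function Test-SamAccess {
    # Returns a non-empty (truthy) result when BUILTIN\Users holds an Allow ACE
    # with a Read-type right (Read, ReadAndExecute, ReadData, ...) on the SAM
    # hive, and nothing (falsy) otherwise.
    # Only Allow entries are considered; a Deny ACE mentioning "Read" would
    # otherwise be reported as exposure.
    # Get-Acl is run with -ErrorAction Stop so that a failure to read the ACL
    # terminates the caller instead of silently evaluating to "not vulnerable".
    (Get-Acl -Path $env:windir\system32\config\sam -ErrorAction Stop).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'BUILTIN\\Users'
        } |
        Select-Object -ExpandProperty FileSystemRights |
        Select-String 'Read'
}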
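#Requires -RunAsAdministrator
# icacls, vssadmin and Checkpoint-Computer all need an elevated session; refuse
# to start rather than report "Fixed" after every privileged step has failed.

$vulnerable = $true
# Initialised up front so the summary at the bottom never prints an empty value
# on a path that skips one of the remediation blocks (the original left $fixed
# unset when the host was not vulnerable or when the permission fix failed).
$permissionsSuccess = $false
$fixed = $false

#check permissions
if (Test-SamAccess) {
    write-host "May be vulnerable: Arbitrary Read permissions for SAM file"
    Write-host "Adjusting permissions to remove vulnerability"
    # Re-enable ACL inheritance on every hive under config (the vendor
    # workaround); note that only the SAM hive is re-tested afterwards.
    icacls $env:windir\system32\config\*.* /inheritance:e
    if (Test-SamAccess) {
        $permissionsSuccess = $false
        write-host "Follow-up: May be vulnerable: Arbitrary Read permissions for SAM file"
    }
    else {
        $permissionsSuccess = $true
        write-host "Follow-up: May not be be vulnerable, SAM permissions are correct"
    }
}
else {
    $permissionsSuccess = $true
    write-host "Follow-up: May not be be vulnerable, SAM permissions are correct"
    $vulnerable = $false
    # Nothing to remediate; reported as fixed for consistency with the
    # "System protection not enabled" branch below.
    $fixed = $true
}

#check if System Restore is present
# Existing shadow copies still contain the hives under the old ACL, so the
# permission fix alone does not close the exposure.
if ($vulnerable -eq $true -AND $permissionsSuccess -eq $true) {
    $checkShadow = Get-CimInstance win32_shadowcopy -Property DeviceObject
    if ($checkShadow) {
        write-host "System protection is enabled. Removing any current restore points."
        # NOTE: this removes every shadow copy on every volume, not only restore
        # points on the system drive; VSS-based backups on the host lose their
        # snapshots as well.
        vssadmin delete shadows /quiet /all
        #in case the vssadmin command trips security scanners, use the following instead:
        #Get-CimInstance win32_shadowcopy | ?{$_.VolumeName -eq $(Get-Volume $env:SystemDrive.Replace(':','')).path} |
        #Remove-CimInstance
        # The exit status of vssadmin is not relied on: re-query and only
        # continue when no shadow copies are left.
        $remainingShadows = Get-CimInstance win32_shadowcopy -Property DeviceObject
        if ($remainingShadows) {
            write-host "Follow-up: shadow copies are still present, old hive copies remain"
            $fixed = $false
        }
        else {
            try {
                write-host "Creating new restore point"
                # Creation can be refused for reasons unrelated to this fix
                # (e.g. one was created recently); that case is handled below.
                Checkpoint-Computer -Description "CVE-2021-36934" -RestorePointType "MODIFY_SETTINGS" -ErrorAction stop
                write-host "New restore point created"
                $vulnerable = $false
                $fixed = $true
            }
            Catch {
                write-host "Unable to create new system restore point"
                # The old copies are what matters; with none left the host is
                # considered fixed even without a fresh restore point.
                If (-NOT (Get-ComputerRestorePoint)) {
                    write-host "There are no restore points."
                    $vulnerable = $false
                    $fixed = $true
                }
                Else {
                    write-host "Unable to remove old restore points."
                    $fixed = $false
                }
            }
        }
    }
    else {
        write-host "System protection not enabled"
        $vulnerable = $false
        $fixed = $true
    }
}
elseif ($vulnerable -eq $true) {
    # Permission fix did not take; skipping shadow-copy cleanup is pointless
    # while the live hive is still readable.
    write-host "Permissions could not be corrected; shadow copies left untouched"
    $fixed = $false
}

#output data
write-host "vulnerable: $vulnerable"
write-host "Fixed: $fixed"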