This script will scan services' ImgPath in the registry for unquoted paths. The same script can be used to remediate by just changing the variables below.
###########################################################################
#
# NAME: RemediateRegImgPathVulnerability.ps1
#
# AUTHOR: Teksoporte.es
# HOMEPAGE: http://blog.teksoporte.es
#
# COMMENT: This script will scan services ImgPath in the registry for
# unquoted paths. The same script can be used to remediate by just changing
# the variables below.
#
# VERSION HISTORY:
# 1.0 18/05/2015 - Initial release
#
###########################################################################
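Function Get-ServicePathVulnerabilities {
    <#
    .SYNOPSIS
        Finds services whose executable path is unquoted and contains a space,
        and optionally rewrites the registry ImagePath with the path quoted.
    .DESCRIPTION
        Reads Name and PathName of every service from WMI (Win32_Service) and keeps
        those whose path contains a space but no double quote. To limit false
        positives a path is only reported when its last component (Split-Path -Leaf)
        contains no space, i.e. the space sits inside a directory name rather than
        in trailing command-line arguments.
        With -Fix (the DEFAULT) the ImagePath value under
        HKLM:\SYSTEM\CurrentControlSet\Services\<ServiceName> is overwritten with the
        whole PathName enclosed in double quotes. Pass -Fix $false for an audit-only run.
    .PARAMETER Fix
        $true (default) rewrites the registry value of every flagged service;
        $false only reports.
    .PARAMETER Status
        Kept for backward compatibility. Its input value is never read; the
        function overwrites it with "Compliant"/"Non-Compliant" and writes it to the host.
    .OUTPUTS
        Audit mode with findings: one PSObject per service with ServiceName,
        ServicePath and HostName. Fix mode, or no findings: nothing is returned.
    .NOTES
        The registry write needs administrative rights. WMI's PathName is already
        environment-expanded, so the quoted value written back can differ from the
        original ImagePath text (e.g. a %SystemRoot% prefix) -- review the written
        value on the target; whether the value kind (REG_EXPAND_SZ vs REG_SZ) is
        preserved by Set-ItemProperty is not verified here.
    #>
    [CmdletBinding()]
    Param (
        $Fix = $true,
        $Status = $null
    ) # End Param
    Begin {
        $VulnerableServices = @()
        if ($Fix) { Write-Verbose "Scan Mode: Fix" } else { Write-Verbose "Scan Mode: Audit" }
    } # End Begin
    Process {
        # Gather Services information from WMI
        $Services = Get-WmiObject -Class win32_service -Property name,pathname
        # Drop services that report no path at all (Split-Path would throw on $null)
        # and those whose path is already enclosed in quotation marks.
        $UnquotedPath = $Services |
            Where-Object { $_.PathName -and ($_.PathName -notmatch '"') } |
            Select-Object Name, PathName
        foreach ($Path in $UnquotedPath) {
            $Executable = $Path.PathName | Split-Path -Leaf
            # Flag only when the space is NOT in the leaf: "C:\x\svc.exe -k arg" is
            # skipped because its space belongs to the arguments. './' is a regex
            # (any character followed by '/'), meant to skip "/switch"-style arguments.
            # Consequence: a service with arguments is never reported even when one of
            # its directory names contains a space (possible false negative).
            if ( ($Path.PathName -match ' ') -and ($Executable -notmatch ' ') -and ($Path.PathName -notmatch './') ) {
                Write-Warning ("Unquoted Service Path Discovered for " + $Path.Name + " PATH: " + $Path.PathName)
                $VulnerableServices += New-Object PSObject -Property @{
                    ServiceName = $Path.Name
                    ServicePath = $Path.PathName
                    HostName    = $env:COMPUTERNAME
                } # End Object
            } # End conditional operators
        } # End Foreach Path in UnquotedPath
        # Attempt to encapsulate path in quotes if specified
        if ($Fix) {
            # A named loop variable is used instead of $_ on purpose: inside Catch, $_
            # is the ErrorRecord, so the original "Unable to fix $_.ServiceName"
            # printed an empty service name.
            foreach ($Service in $VulnerableServices) {
                Write-Verbose ("Attempting to fix " + $Service.ServiceName)
                $QuotedServicePath = ('"' + $Service.ServicePath + '"')
                $RegistryLocation  = ('HKLM:\SYSTEM\CurrentControlSet\Services\' + $Service.ServiceName)
                Try {
                    # -ErrorAction Stop turns the cmdlet's non-terminating error into one
                    # the Catch below actually sees (e.g. access denied, missing key).
                    Set-ItemProperty -Path $RegistryLocation -Name ImagePath -Value $QuotedServicePath -Verbose -ErrorAction Stop
                    $Service.ServicePath = $QuotedServicePath
                } Catch {
                    Write-Error ("Unable to fix " + $Service.ServiceName + ": " + $_.Exception.Message)
                } # End Try/Catch
            } # End Foreach Service in VulnerableServices
        } # End if Fix was Specified
    } # End Process
    End {
        if (!$VulnerableServices) {
            $Status = "Compliant"
            Write-Verbose "No Unquoted Service path Vulnerabilities have been found"
            Write-Host $Status
        } elseif ($Fix) {
            # Fix mode reports Compliant and returns nothing, as before, even when a
            # Set-ItemProperty above failed -- the "Unable to fix" errors are the only
            # record of a failed remediation.
            $Status = "Compliant"
            Write-Verbose ("Remediation attempted for " + $VulnerableServices.Count + " service(s); check the error stream for failures")
            Write-Host $Status
        } else {
            $Status = "Non-Compliant"
            Write-Host $Status
            Return $VulnerableServices
        }
    } # End End
} # Get-ServicePathVulnerabilities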
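$LogPath = $env:WINDIR
# The XML is written below $LogPath\Temp, so that is the directory that must exist.
# (The original only tested $LogPath itself, which for %WINDIR% always exists.)
$ExportDir = Join-Path $LogPath 'Temp'
if (!(Test-Path $ExportDir)) {
    New-Item $ExportDir -ItemType Directory -Force | Out-Null
}
#Start-Transcript -Path $LogPath\ServicePathVulnerabilities.log -Append
#Start-Transcript -Path $LogPath\$env:COMPUTERNAME -Append
Write-Verbose "Scanning for Unquoted Service Path Vulnerabilities"
$GenLog = $True # Select $True or $False to Enable or Disable the creation of Log file.
# Get-ServicePathVulnerabilities defaults to -Fix $true: this call REWRITES the
# ImagePath of every service it flags. Use "-Fix $false" for an audit-only run.
# Note that in fix mode the function returns nothing, so the export below then
# holds no findings; only audit mode populates the XML.
$GetServicePathVulnerabilities = Get-ServicePathVulnerabilities -Verbose
# Export Findings if Log parameter is true
if ($GenLog) {
    $ExportPath = Join-Path $ExportDir 'SrvPathVulsRemediation.xml'
    Try {
        # -ErrorAction Stop so a failed write (permissions, locked file) reaches Catch.
        $GetServicePathVulnerabilities | Export-Clixml -Path $ExportPath -Force -Verbose -ErrorAction Stop
    } Catch {
        Write-Error ("Unable to export XML file to " + $ExportPath + ": " + $_.Exception.Message)
    }
}
#Stop-Transcript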