This script scans the services' ImagePath values in the registry for unquoted paths. The same script can be used to remediate by changing the variables below.
###########################################################################
#
# NAME: RemediateRegImgPathVulnerability.ps1
#
# AUTHOR: Teksoporte.es
# HOMEPAGE: http://blog.teksoporte.es
#
# COMMENT: This script will scan services ImgPath in the registry for
# unquoted paths. Same script can be used to remediate by just changing
# the variables below.
#
# VERSION HISTORY:
# 1.0 18/05/2015 - Initial release
#
###########################################################################
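Function Get-ServicePathVulnerabilities {
    <#
    .SYNOPSIS
    Finds services whose executable path contains a space but is not quoted,
    and optionally quotes that path in the service's ImagePath registry value.

    .DESCRIPTION
    Service names and paths are read from Win32_Service through WMI. A service
    is reported when its PathName does not start with a quote and the part up
    to the first ".exe" contains a space. When no ".exe" boundary can be found
    the original heuristic is used instead: the whole string contains a space
    and no quote, its leaf contains no space, and it contains no "/".

    In Fix mode only the executable part is wrapped in quotes; any arguments
    that follow it are kept outside the quotes so the service command line
    stays valid.

    .PARAMETER Fix
    $true (the default) rewrites ImagePath for every reported service, so a
    call with no arguments modifies the registry. Pass $false to audit only.

    .PARAMETER Status
    Overwritten in the End block with "Compliant" or "Non-Compliant"; the value
    passed in is not read.

    .OUTPUTS
    Writes the status text with Write-Host. Returns the reported services
    (ServiceName, ServicePath, HostName) only when the status is
    "Non-Compliant": in Audit mode when anything was found, in Fix mode when at
    least one registry write failed.
    #>
    [CmdletBinding()]
    Param (
        $Fix = $true,
        $Status = $null
    ) # End Param
    Begin {
        $VulnerableServices = @()
        # Replacement ImagePath per service name, computed at detection time.
        $QuotedPaths = @{}
        # Number of registry writes that failed in Fix mode.
        $FailedFixes = 0
        if ($Fix) { Write-Verbose "Scan Mode: Fix" } else { Write-Verbose "Scan Mode: Audit" }
    } # End Begin
    Process {
        # Gather Services information from WMI
        $Services = Get-WmiObject -Class win32_service -Property name,pathname
        # Keep services that have a path which does not start with a quote.
        # Quotes that appear only inside the arguments do not protect the
        # executable path, so they must not hide the service from the scan.
        $UnquotedPath = $Services |
            Where-Object { $_.PathName -and ($_.PathName -notmatch '^\s*"') } |
            Select-Object Name,PathName

        foreach ($Path in $UnquotedPath) {
            $IsVulnerable = $false
            $QuotedPath = $null

            if ($Path.PathName -match '^\s*(?<exe>.+?\.exe)(?<args>\s.*)?$') {
                # Executable boundary found: only a space inside the executable
                # part matters, spaces in the arguments are harmless.
                $ExePart = $Matches['exe']
                $ArgPart = $Matches['args']
                if ($ExePart -match ' ') {
                    $IsVulnerable = $true
                    $QuotedPath = '"' + $ExePart + '"' + $ArgPart
                }
            } else {
                # No ".exe" boundary: fall back to the original heuristic, which
                # treats the whole value as the path.
                $Executable = $Path.PathName | Split-Path -Leaf
                if ( ($Path.PathName -notmatch '"') -and ($Path.PathName -match ' ') -and
                     ($Executable -notmatch ' ') -and ($Path.PathName -notmatch './') ) {
                    $IsVulnerable = $true
                    $QuotedPath = '"' + $Path.PathName + '"'
                }
            }

            if ($IsVulnerable) {
                Write-Warning ("Unquoted Service Path Discovered for " + $Path.Name + " PATH: " + $Path.PathName)
                $QuotedPaths[$Path.Name] = $QuotedPath
                $VulnerableServices += New-Object PSObject -Property @{
                    ServiceName = $Path.Name
                    ServicePath = $Path.PathName
                    HostName = $env:COMPUTERNAME
                } # End Object
            }
        } # End Foreach Path in UnquotedPath

        # Attempt to encapsulate path in quotes if specified
        if ($Fix) {
            # A foreach statement keeps the service in $Service; inside Catch,
            # $_ is the error record and no longer the service object.
            foreach ($Service in $VulnerableServices) {
                Write-Verbose ("Attempting to fix " + $Service.ServiceName)
                $QuotedServicePath = $QuotedPaths[$Service.ServiceName]
                $RegistryLocation = ('HKLM:\SYSTEM\CurrentControlSet\Services\' + $Service.ServiceName)
                # NOTE(review): the new value is derived from WMI's PathName, not
                # read back from the registry - confirm both agree before a
                # fleet-wide run.
                Try {
                    # -ErrorAction Stop turns a failed write into a terminating
                    # error so the Catch block actually runs.
                    Set-ItemProperty -LiteralPath $RegistryLocation -Name ImagePath -Value $QuotedServicePath -Verbose -ErrorAction Stop
                    $Service.ServicePath = $QuotedServicePath
                } Catch {
                    $FailedFixes++
                    Write-Error ("Unable to fix " + $Service.ServiceName + ": " + $_.Exception.Message)
                } # End Try/Catch
            } # End Foreach service in VulnerableServices
        } # End if Fix was Specified
    } # End Process
    End {
        # Fix mode only counts as compliant when every write succeeded.
        $Remediated = $Fix -and ($FailedFixes -eq 0)
        if ($Remediated -or !$VulnerableServices) {
            $Status = "Compliant"
            if ($VulnerableServices) {
                Write-Verbose "All discovered unquoted service paths have been quoted"
            } else {
                Write-Verbose "No Unquoted Service path Vulnerabilites have been found"
            }
            Write-Host $Status
        } else {
            $Status = "Non-Compliant"
            Write-Host $Status
            Return $VulnerableServices
        }
    } # End End
} # Get-ServicePathVulnerabilites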
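# Findings are exported to <WINDIR>\Temp\SrvPathVulsRemediation.xml.
$LogPath = $env:WINDIR
$ExportDir = Join-Path $LogPath 'Temp'
$ExportFile = Join-Path $ExportDir 'SrvPathVulsRemediation.xml'
# Check the directory the export is written to, not just its parent.
if (!(Test-Path -LiteralPath $ExportDir)) {
    New-Item -Path $ExportDir -ItemType Directory -Force | Out-Null
}
#Start-Transcript -Path $LogPath\ServicePathVulnerabilities.log -Append
#Start-Transcript -Path $LogPath\$env:COMPUTERNAME -Append
Write-Verbose "Scanning for Unquoted Service Path Vulnerabilities"
$GenLog = $True # Select $True or $False to ENable or Disable the creation of Log file.
# Runs with the function's default, -Fix $true, so this call rewrites
# ImagePath values. Use "-Fix $false" here for an audit-only run.
$GetServicePathVulnerabilities = Get-ServicePathVulnerabilities -Verbose
# Export Findings if Log parameter is true
if ($GenLog) {
    # NOTE(review): the export uses a fixed file name in a shared temp
    # directory and overwrites with -Force; an administrator-only log
    # directory would be a safer target.
    Try {
        # -ErrorAction Stop makes a failed export reach the Catch block.
        $GetServicePathVulnerabilities | Export-Clixml -Path $ExportFile -Force -Verbose -ErrorAction Stop
    } Catch {
        Write-Error "Unable to export XML file to $ExportFile"
    }
}
#Stop-Transcript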