Last active
December 9, 2020 11:20
-
-
Save lansalot/f0e6dfce85c35ec86cb8489dd27dd4d5 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # https://www.theregister.com/2020/12/07/microsoft_teams_rce_flaw/ | |
| # https://github.com/oskarsve/ms-teams-rce | |
| # Taking the vulnerable version from the above repo. I'm hoping that's the latest version this flaw exists on | |
| # Output format is for limitations in our MSP software | |
| # username:version (shows what version user is running, for every user running Teams at time of scan) | |
| # RunMin = Lowest version found running | |
| # RunMax = Highest version found running | |
| # InstalledVersions = What versions are registered in add/remove programs | |
| # and if the installed version is vulnerable, but user versions have updated, let us know situation is actually OK | |
| # updated to version 30290 instead of 21759 as author found that some of the vulns had been updated late October apparently | |
| # Version history: https://whatpulse.org/app/microsoft-teams | |
| $vulnerable = New-Object System.Version 1.3.00.30290 | |
| $script:runningMax = New-Object System.Version 0.0.0.0 | |
| $script:runningMin = New-Object System.Version 10.0.0.0 | |
| Function comp ($v) { | |
| if ($v -gt $script:runningMax) { $script:runningMax = $v } | |
| if ($v -lt $script:runningMin) { $script:runningMin = $v } | |
| } | |
| $isVulnerable = $false | |
| $BadVersions = @() | |
| $Procs = Get-WmiObject Win32_Process -Filter "name='teams.exe'" | Select ProcessID, Name, @{Name = "UserName"; Expression = { $_.GetOwner().Domain + "\" + $_.GetOwner().User } } | |
| # this test shouldn't be needed, but PS2 is screwing it up... | |
| if ($null -ne $procs) { | |
| ForEach ($Proc in $procs) { | |
| Try { | |
| $process = Get-Process -id $proc.processid -ErrorAction Stop | |
| $v = New-Object System.Version $process.productversion | |
| comp $v | |
| if ($v -le $vulnerable) { | |
| $isVulnerable = $true | |
| $BadVersions += "$($Proc.UserName):$($Process.ProductVersion)" | |
| } | |
| } | |
| catch { | |
| # Sometimes this throws an error with high process IDs, so ignore it | |
| } | |
| } | |
| $BadVersions = @($BadVersions | Sort -Unique) | |
| $BadVersions += "RunMin $($script:runningMin) RunMax $($script:runningMax)" | |
| if ($script:runningMin -le $vulnerable) { | |
| $BadVersions += "Running vulnerable version" | |
| } | |
| else { | |
| $BadVersions += "Oldest running is OK tho" | |
| } | |
| } | |
| $SW = @(Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* -ea SilentlyContinue | Where-Object { $_.DisplayName -match 'Teams' -and $_.Publisher -match 'Microsoft Corporation' -and $_.SystemComponent -ne 0x1 -and $_.ParentDisplayName -eq $null } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, HelpLink, UninstallString) | |
| $SW += @(Get-ItemProperty HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* -ea SilentlyContinue | Where-Object { $_.DisplayName -match 'Teams' -and $_.Publisher -match 'Microsoft Corporation' -and $_.SystemComponent -ne 0x1 -and $_.ParentDisplayName -eq $null } | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, HelpLink, UninstallString) | |
| ForEach ($TeamsInstallation in $SW) { | |
| # just in case somehow >1 here | |
| $InstalledVersion = New-Object System.Version $TeamsInstallation.DisplayVersion | |
| if ($InstalledVersion -le $vulnerable) { | |
| $isVulnerable = $true | |
| $BadVersions += "InstalledVuln $($InstalledVersion)" | |
| } | |
| } | |
| if ($isVulnerable) { | |
| $BadVersions -join "," | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment