mbrownnycnyc/get-CVE-2017-3823_detect_vuln_versions.ps1

## get-CVE-2017-3823_detect_vuln_versions.ps1
#refactoring of https://www.tripwire.com/state-of-security/vulnerability-management/vert-threat-alert-cisco-webex-browser-extension-remote-code-execution/
#  to actively remediate, search for "<# remove me to remediate" and remove/comment out that line.

$ldapBaseDN = "DC=contoso,DC=corp"
$acceptableWebExVersionmininum = "1.0.7"
$outcsv = "$env:userprofile\desktop\cve-2017-3823_report.csv"


# with reference to http://theadminguy.com/2009/04/30/portscan-with-powershell/
function fastping{
  [CmdletBinding()]
  param(
  [String]$computername = "127.0.0.1",
  [int]$delay = 100
  )

  $ping = new-object System.Net.NetworkInformation.Ping
  # see http://msdn.microsoft.com/en-us/library/system.net.networkinformation.ipstatus%28v=vs.110%29.aspx
  try {
    if ($ping.send($computername,$delay).status -ne "Success") {
      return $false;
    } else {
      if ( ($udpport -gt 0) -or ($tcpport -gt 0) ) {

      }
      return $true;
    }
  } catch {
    return $false;
  }
}


$results = @()
#$result will be computer, user, result
# result contains [TRUE, FALSE, NA, FAIL]


#target all computers that are enabled in a domain, pull list from available GC
$computers = $Computers = Get-ADComputer -SearchBase $ldapBaseDN -Filter {(enabled -eq "true")} | select name -ExpandProperty name
#C:\Users\mattyboy\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma

foreach ($computer in $computers ) {
  if (fastping $computer ){

    if (test-path \\$computer\c$\Users\) {
      #then we are an admin on the target, have access to the UNC path
      $userprofiledirs = Get-ChildItem \\$computer\c$\Users\| where { $_.attributes -eq "Directory" } | select fullname

      foreach ($userprofiledir in $userprofiledirs) {
          #set the object to hold values temporarily
          $tempresult = "" | select computer, user, result

          #get webex chrome plugin version
          $tempresult.computer = $computer
          $tempresult.user = $($userprofiledir.fullname -split "\\")[($userprofiledir.fullname -split "\\").count - 1]
          if ( test-path "$($userprofiledir.fullname)\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma" ) {

              $webexversiondir = (get-childitem "$($userprofiledir.fullname)\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma").name

              $webexversion = [version]($($webexversiondir -split "_")[0])
              If ( $webexversion -lt [version]$acceptableWebExVersionmininum ) {
                $tempresult.result = "TRUE: Cisco WebEx chrome plugin is vulnerable $webexversion"
                #<# remove me to remediate
                Remove-Item -Recurse -Force "$($userprofiledir.fullname)\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma\"
                if ( $lastexitcode -eq "1" ) {
                  $tempresult.result = "REMEDIATED: Cisco WebEx chrome plugin was vulnerable $webexversion.  It has been deleted."
                } else {
                  $tempresult.result = "TRUE: Cisco WebEx chrome plugin is vulnerable $webexversion.  Requested remediation has failed."
                }
                #>
                $tempresult
                $results += $tempresult

              } else {
                $tempresult.result = "FALSE: Cisco WebEx chrome plugin is not vulnerable $webexversion "
                $tempresult
                $results += $tempresult
              }

          } else {
            $tempresult.result = "NA: Cisco WebEx chrome plugin is not installed"
            $tempresult
            $results += $tempresult
          }


      } #end foreach

    } else {
      #we can't access the UNC path target
      $tempresult.computer = $computer
      $tempresult.user = "FAIL"
      $tempresult.result = "FAIL: no access to user profile path.  Is the runas user a local admin?"
      $tempresult
      $results += $tempresult
    }

  } else {
    $tempresult.computer = $computer
    $tempresult.user = "FAIL"
    $tempresult.result = "FAIL: no ping response."
    $tempresult
    $results += $tempresult
  }

}

$results | convertto-csv -notypeinfo > $outcsv
	#refactoring of https://www.tripwire.com/state-of-security/vulnerability-management/vert-threat-alert-cisco-webex-browser-extension-remote-code-execution/
	# to actively remediate, search for "<# remove me to remediate" and remove/comment out that line.

	$ldapBaseDN = "DC=contoso,DC=corp"
	$acceptableWebExVersionmininum = "1.0.7"
	$outcsv = "$env:userprofile\desktop\cve-2017-3823_report.csv"



	# with reference to http://theadminguy.com/2009/04/30/portscan-with-powershell/
	function fastping{
	[CmdletBinding()]
	param(
	[String]$computername = "127.0.0.1",
	[int]$delay = 100
	)

	$ping = new-object System.Net.NetworkInformation.Ping
	# see http://msdn.microsoft.com/en-us/library/system.net.networkinformation.ipstatus%28v=vs.110%29.aspx
	try {
	if ($ping.send($computername,$delay).status -ne "Success") {
	return $false;
	} else {
	if ( ($udpport -gt 0) -or ($tcpport -gt 0) ) {

	}
	return $true;
	}
	} catch {
	return $false;
	}
	}



	$results = @()
	#$result will be computer, user, result
	# result contains [TRUE, FALSE, NA, FAIL]


	#target all computers that are enabled in a domain, pull list from available GC
	$computers = $Computers = Get-ADComputer -SearchBase $ldapBaseDN -Filter {(enabled -eq "true")} \| select name -ExpandProperty name
	#C:\Users\mattyboy\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma

	foreach ($computer in $computers ) {
	if (fastping $computer ){

	if (test-path \\$computer\c$\Users\) {
	#then we are an admin on the target, have access to the UNC path
	$userprofiledirs = Get-ChildItem \\$computer\c$\Users\\| where { $_.attributes -eq "Directory" } \| select fullname

	foreach ($userprofiledir in $userprofiledirs) {
	#set the object to hold values temporarily
	$tempresult = "" \| select computer, user, result

	#get webex chrome plugin version
	$tempresult.computer = $computer
	$tempresult.user = $($userprofiledir.fullname -split "\\")[($userprofiledir.fullname -split "\\").count - 1]
	if ( test-path "$($userprofiledir.fullname)\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma" ) {

	$webexversiondir = (get-childitem "$($userprofiledir.fullname)\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma").name

	$webexversion = [version]($($webexversiondir -split "_")[0])
	If ( $webexversion -lt [version]$acceptableWebExVersionmininum ) {
	$tempresult.result = "TRUE: Cisco WebEx chrome plugin is vulnerable $webexversion"
	#<# remove me to remediate
	Remove-Item -Recurse -Force "$($userprofiledir.fullname)\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma\"
	if ( $lastexitcode -eq "1" ) {
	$tempresult.result = "REMEDIATED: Cisco WebEx chrome plugin was vulnerable $webexversion. It has been deleted."
	} else {
	$tempresult.result = "TRUE: Cisco WebEx chrome plugin is vulnerable $webexversion. Requested remediation has failed."
	}
	#>
	$tempresult
	$results += $tempresult

	} else {
	$tempresult.result = "FALSE: Cisco WebEx chrome plugin is not vulnerable $webexversion "
	$tempresult
	$results += $tempresult
	}

	} else {
	$tempresult.result = "NA: Cisco WebEx chrome plugin is not installed"
	$tempresult
	$results += $tempresult
	}


	} #end foreach

	} else {
	#we can't access the UNC path target
	$tempresult.computer = $computer
	$tempresult.user = "FAIL"
	$tempresult.result = "FAIL: no access to user profile path. Is the runas user a local admin?"
	$tempresult
	$results += $tempresult
	}

	} else {
	$tempresult.computer = $computer
	$tempresult.user = "FAIL"
	$tempresult.result = "FAIL: no ping response."
	$tempresult
	$results += $tempresult
	}

	}

	$results \| convertto-csv -notypeinfo > $outcsv