
#refactoring of https://www.tripwire.com/state-of-security/vulnerability-management/vert-threat-alert-cisco-webex-browser-extension-remote-code-execution/
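# To actively remediate, find the line containing "<# remove me to remediate" and delete it or comment it out.
# Check that line before every run: when it is missing or commented out, the Remove-Item call below it is live
# and deletes the extension folder on every affected machine.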
# Distinguished name used as the search base when listing computer accounts.
$ldapBaseDN = 'DC=contoso,DC=corp'
# Lowest plugin version accepted as patched; anything strictly below it is reported as vulnerable.
$acceptableWebExVersionmininum = '1.0.7'
# CSV report is written to the desktop of the user running the script.
$outcsv = '{0}\desktop\cve-2017-3823_report.csv' -f $env:userprofile
# with reference to http://theadminguy.com/2009/04/30/portscan-with-powershell/
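function fastping{
    <#
    .SYNOPSIS
    Sends a single ICMP echo request and reports whether the host answered.
    .PARAMETER computername
    Host name or IP address to probe. Defaults to 127.0.0.1.
    .PARAMETER delay
    Timeout in milliseconds handed to Ping.Send. Defaults to 100.
    .OUTPUTS
    System.Boolean. $true only when the reply status is Success; $false for any
    other status and for any exception (for example a name that does not resolve).
    #>
    [CmdletBinding()]
    param(
        [String]$computername = "127.0.0.1",
        [int]$delay = 100
    )
    $ping = New-Object System.Net.NetworkInformation.Ping
    # Status values: http://msdn.microsoft.com/en-us/library/system.net.networkinformation.ipstatus%28v=vs.110%29.aspx
    try {
        $reply = $ping.Send($computername, $delay)
        # The former empty check on $udpport/$tcpport was dropped: neither variable is
        # defined here, so under Set-StrictMode the reference threw and a reachable host
        # was reported as unreachable by the catch below.
        return ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success)
    } catch {
        # Resolution errors, invalid arguments and socket failures all count as "no reply".
        return $false
    } finally {
        # Ping is IDisposable; release it on every exit path, since this runs once per host.
        $ping.Dispose()
    }
}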
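# Collected report rows. Every row has the columns computer, user, result.
# result starts with one of: TRUE, REMEDIATED, FALSE, NA, FAIL.
$results = @()

# Folder of the Cisco WebEx Chrome extension, relative to a user profile directory, e.g.
# C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma
# Only Chrome's "Default" profile is inspected; additional Chrome profiles are not scanned.
$webexExtensionSubPath = 'AppData\Local\Google\Chrome\User Data\Default\Extensions\jlhmfgmfgeifomenelglieieghnjghma'
$minimumWebExVersion = [version]$acceptableWebExVersionmininum

# Builds a fresh row object so that rows already stored in $results are never mutated.
function New-WebExScanRow {
    param(
        [string]$Computer,
        [string]$User,
        [string]$Result
    )
    # Select-Object on an empty string keeps the column order stable for the CSV.
    $row = "" | Select-Object computer, user, result
    $row.computer = $Computer
    $row.user = $User
    $row.result = $Result
    return $row
}

# Target every enabled computer account below $ldapBaseDN.
$computers = Get-ADComputer -SearchBase $ldapBaseDN -Filter 'Enabled -eq $true' | Select-Object -ExpandProperty Name

foreach ($computer in $computers) {
    if (-not (fastping $computer)) {
        $row = New-WebExScanRow $computer "FAIL" "FAIL: no ping response."
        $row
        $results += $row
        continue
    }

    # The backtick keeps the "$" of the administrative share literal inside the string.
    $usersRoot = "\\$computer\c`$\Users"
    if (-not (Test-Path -LiteralPath $usersRoot)) {
        # The administrative share is not reachable with the current credentials.
        $row = New-WebExScanRow $computer "FAIL" "FAIL: no access to user profile path. Is the runas user a local admin?"
        $row
        $results += $row
        continue
    }

    # PSIsContainer also matches directories that carry extra attributes (hidden, read-only,
    # reparse point), which an exact comparison of Attributes with "Directory" skips.
    $profileDirs = Get-ChildItem -LiteralPath $usersRoot | Where-Object { $_.PSIsContainer }
    foreach ($profileDir in $profileDirs) {
        $row = New-WebExScanRow $computer $profileDir.Name ""
        $extensionPath = Join-Path $profileDir.FullName $webexExtensionSubPath

        if (-not (Test-Path -LiteralPath $extensionPath)) {
            $row.result = "NA: Cisco WebEx chrome plugin is not installed"
        } else {
            # Version folders are named like "<version>_<n>". More than one can exist,
            # so every parsable version is collected and the lowest one is evaluated.
            $installedVersions = @()
            foreach ($versionDir in @(Get-ChildItem -LiteralPath $extensionPath)) {
                try {
                    $installedVersions += [version](($versionDir.Name -split "_")[0])
                } catch {
                    # Folder name is not a version string; ignore it.
                }
            }

            if ($installedVersions.Count -eq 0) {
                $row.result = "FAIL: Cisco WebEx chrome plugin folder exists but no version could be read"
            } else {
                $webexversion = @($installedVersions | Sort-Object)[0]
                if ($webexversion -lt $minimumWebExVersion) {
                    $row.result = "TRUE: Cisco WebEx chrome plugin is vulnerable $webexversion"
                    # The block comment below keeps the run report-only. Deleting or commenting out
                    # the "remove me to remediate" line makes Remove-Item live; the "#>" line can stay.
                    # Success is taken from the cmdlet not throwing: $LASTEXITCODE is set by native
                    # programs only, never by Remove-Item.
                    # NOTE(review): deleting the folder may not stop Chrome from installing the
                    # extension again - confirm with a follow-up scan.
                    <# remove me to remediate
                    try {
                        Remove-Item -Recurse -Force -LiteralPath $extensionPath -ErrorAction Stop
                        $row.result = "REMEDIATED: Cisco WebEx chrome plugin was vulnerable $webexversion. It has been deleted."
                    } catch {
                        $row.result = "TRUE: Cisco WebEx chrome plugin is vulnerable $webexversion. Requested remediation has failed."
                    }
                    #>
                } else {
                    $row.result = "FALSE: Cisco WebEx chrome plugin is not vulnerable $webexversion "
                }
            }
        }

        # Show the row on the console and keep it for the report.
        $row
        $results += $row
    } #end foreach
}
$results | ConvertTo-Csv -NoTypeInformation > $outcsv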