Last active
January 27, 2017 19:54
script to check if chrome webex versions are vulnerable to exploit described in CVE-2017-3823. https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170124-webex (https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvc86959) https://bugs.chromium.org/p/project-zero/issues/detail?id=1096 && https://bugs.chromium.org/p/proje…
#refactoring of https://www.tripwire.com/state-of-security/vulnerability-management/vert-threat-alert-cisco-webex-browser-extension-remote-code-execution/
# to actively remediate, search for "<# remove me to remediate" and remove/comment out that line.
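# --- Configuration -----------------------------------------------------------
# LDAP search base; only enabled computer accounts below this DN are scanned.
$ldapBaseDN = "DC=contoso,DC=corp"

# Extension versions lower than this are reported as vulnerable to CVE-2017-3823.
$acceptableWebExVersionmininum = "1.0.7"

# Report destination. The Desktop is resolved through the shell-folder API so a
# redirected Desktop (common on domain-joined machines) does not make the final
# write fail after the whole sweep has run; the profile path is the fallback.
# The report lists computer and user names, so treat the file as internal data.
$desktopDir = [Environment]::GetFolderPath("Desktop")
if (-not $desktopDir) {
    $desktopDir = "$env:userprofile\desktop"
}
$outcsv = Join-Path $desktopDir "cve-2017-3823_report.csv"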
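# with reference to http://theadminguy.com/2009/04/30/portscan-with-powershell/
#
# fastping: one ICMP echo with a short timeout, used to skip hosts that are
# offline before attempting the much slower UNC access.
#   -computername  host name or IP address to probe (default 127.0.0.1)
#   -delay         timeout in milliseconds handed to Ping.Send (default 100)
# Returns $true only when the reply status is Success; any other status and any
# exception (for example an unresolvable name) yields $false.
# Hosts that drop ICMP at the firewall are therefore reported as unreachable
# even when they are up.
function fastping{
    [CmdletBinding()]
    param(
        [String]$computername = "127.0.0.1",
        [int]$delay = 100
    )

    $ping = New-Object System.Net.NetworkInformation.Ping
    # see http://msdn.microsoft.com/en-us/library/system.net.networkinformation.ipstatus%28v=vs.110%29.aspx
    try {
        $reply = $ping.Send($computername, $delay)
        # Compare against the enum value rather than its string form.
        return ($reply.Status -eq [System.Net.NetworkInformation.IPStatus]::Success)
    } catch {
        return $false
    } finally {
        # Ping is IDisposable; release it on every path, since this runs once per host.
        $ping.Dispose()
    }
}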
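# Each result row holds: computer, user, result.
# The result text starts with one of TRUE, FALSE, NA, FAIL or REMEDIATED.
$results = New-Object System.Collections.ArrayList

# Chrome extension ID of the Cisco WebEx extension, i.e. the folder name looked for under
#   C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Extensions\
$webexExtensionId = "jlhmfgmfgeifomenelglieieghnjghma"

# Remediation switch. The sweep only reports unless this is $true; when $true, the
# extension folder of every profile below the minimum version is deleted.
# This replaces the "<# remove me to remediate" comment toggle: in the listing that
# marker line was itself commented out, so Remove-Item ran on every sweep.
$remediate = $false

$minimumVersion = [version]$acceptableWebExVersionmininum

# Builds a fresh row for every finding, records it and echoes it to the output.
# A new object per row matters: reusing one object would rewrite rows that were
# already added to $results.
function Add-WebExResult {
    param(
        [string]$Computer,
        [string]$User,
        [string]$Result
    )
    $row = "" | Select-Object computer, user, result
    $row.computer = $Computer
    $row.user = $User
    $row.result = $Result
    [void]$results.Add($row)
    $row
}

# Target every enabled computer account under the configured search base.
$computers = Get-ADComputer -SearchBase $ldapBaseDN -Filter {(enabled -eq "true")} |
    Select-Object -ExpandProperty Name

foreach ($computer in $computers) {
    if (-not (fastping $computer)) {
        Add-WebExResult $computer "FAIL" "FAIL: no ping response."
        continue
    }

    # Profiles are read over the administrative share, so the account running the
    # sweep needs local admin rights on the target.
    $usersRoot = "\\$computer\c`$\Users"
    if (-not (Test-Path -LiteralPath $usersRoot)) {
        Add-WebExResult $computer "FAIL" "FAIL: no access to user profile path. Is the runas user a local admin?"
        continue
    }

    # PSIsContainer instead of an exact attribute match: a profile folder that
    # carries any extra attribute (ReadOnly, for instance) was skipped before.
    $userprofiledirs = @(Get-ChildItem -LiteralPath $usersRoot | Where-Object { $_.PSIsContainer })

    foreach ($userprofiledir in $userprofiledirs) {
        $user = $userprofiledir.Name

        # Only the "Default" Chrome profile is inspected; additional Chrome
        # profiles of the same Windows user are not covered by this sweep.
        $extensionDir = Join-Path $userprofiledir.FullName "AppData\Local\Google\Chrome\User Data\Default\Extensions\$webexExtensionId"

        if (-not (Test-Path -LiteralPath $extensionDir)) {
            Add-WebExResult $computer $user "NA: Cisco WebEx chrome plugin is not installed"
            continue
        }

        # Version folders are named "<version>_<n>". More than one can be present,
        # so parse each and judge the highest; names that are not versions are ignored.
        $versions = @()
        foreach ($versionDir in @(Get-ChildItem -LiteralPath $extensionDir)) {
            try {
                $versions += [version](($versionDir.Name -split "_")[0])
            } catch {
                # not a version-named folder; nothing to compare
            }
        }

        if ($versions.Count -eq 0) {
            # Previously an empty or unreadable folder compared as $null and was
            # reported as vulnerable; report it as undetermined instead.
            Add-WebExResult $computer $user "FAIL: Cisco WebEx chrome plugin is installed but its version could not be determined"
            continue
        }

        $webexversion = @($versions | Sort-Object -Descending)[0]

        if ($webexversion -ge $minimumVersion) {
            Add-WebExResult $computer $user "FALSE: Cisco WebEx chrome plugin is not vulnerable $webexversion "
            continue
        }

        if (-not $remediate) {
            Add-WebExResult $computer $user "TRUE: Cisco WebEx chrome plugin is vulnerable $webexversion"
            continue
        }

        # Remove-Item is a cmdlet and never sets $LASTEXITCODE, so the outcome is
        # taken from a terminating error instead.
        # NOTE(review): deleting the folder does not by itself stop Chrome from
        # putting the extension back (sync or policy); confirm with a follow-up sweep.
        try {
            Remove-Item -LiteralPath $extensionDir -Recurse -Force -ErrorAction Stop
            Add-WebExResult $computer $user "REMEDIATED: Cisco WebEx chrome plugin was vulnerable $webexversion. It has been deleted."
        } catch {
            Add-WebExResult $computer $user "TRUE: Cisco WebEx chrome plugin is vulnerable $webexversion. Requested remediation has failed."
        }
    } #end foreach
}

$results | ConvertTo-Csv -NoTypeInformation > $outcsv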