Last active
October 17, 2023 20:41
-
-
Save mdjx/46989e177ee36c1fd38944ebda3af73d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| function PNValidate { | |
| $Results = [PSCustomObject]@{ | |
| Spooler = $null | |
| PatchInstalled = $false | |
| RestrictDriverInstallationToAdministrators = $null | |
| NoWarningNoElevationOnInstall = $null | |
| UpdatePromptSettings = $null | |
| Exploitable = $true | |
| Explanation = $null | |
| } | |
| # Check spooler status | |
| $Spooler = (Get-Service Spooler -ErrorAction SilentlyContinue).Status | |
| if (($null -eq $Spooler) -or ($Spooler -ne "Running")) { | |
| $Results.Spooler = "Secure" | |
| } | |
| else { | |
| $Results.Spooler = "Insecure" | |
| } | |
| # Check patch installation status | |
| $Patches = @("KB5004954", "KB5004958", "KB5004956", "KB5004960", "KB5004953", "KB5004951", "KB5004955", "KB5004959", "KB5004948", ` | |
| "KB5004950", "KB5004945", "KB5004946", "KB5004947", "KB5004249", "KB5004238", "KB5004244", "KB5004245", "KB5004237", ` | |
| "KB5004289", "KB5004307", "KB5004298", "KB5004285", "KB5004305", "KB5004299", "KB5004294", "KB5004302") | |
| $InstalledPatches = (Get-HotFix).HotFixID | |
| $Patches | % { if ($InstalledPatches -contains $_) { $Results.PatchInstalled = $true } } | |
| # Check registry keys | |
| # RestrictDriverInstallationToAdministrators | |
| $RestrictDriverInstallationToAdministrators = (Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators | |
| if (($RestrictDriverInstallationToAdministrators -eq $null) -or ($RestrictDriverInstallationToAdministrators -ne 1)) { | |
| $Results.RestrictDriverInstallationToAdministrators = "Insecure" | |
| } | |
| else { | |
| $Results.RestrictDriverInstallationToAdministrators = "Secure" | |
| } | |
| # NoWarningNoElevationOnInstall | |
| $NoWarningNoElevationOnInstall = (Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall | |
| if (($NoWarningNoElevationOnInstall -eq $null) -or ($NoWarningNoElevationOnInstall -eq 0)) { | |
| $Results.NoWarningNoElevationOnInstall = "Secure" | |
| } | |
| else { | |
| $Results.NoWarningNoElevationOnInstall = "Insecure" | |
| } | |
| # UpdatePromptSettings | |
| $UpdatePromptSettings = (Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -ErrorAction SilentlyContinue).UpdatePromptSettings | |
| if (($UpdatePromptSettings -eq $null) -or ($UpdatePromptSettings -eq 0)) { | |
| $Results.UpdatePromptSettings = "Secure" | |
| } | |
| else { | |
| $Results.UpdatePromptSettings = "Insecure" | |
| } | |
| # Validate results | |
| if ($Results.Spooler -eq "Secure") { | |
| $Results.Exploitable = $false | |
| $Results.Explanation = "Not exploitable as spooler service is not running" | |
| } | |
| elseif (($Results.PatchInstalled -eq $true) -and ($Results.RestrictDriverInstallationToAdministrators -eq "Secure")) { | |
| $Results.Exploitable = $false | |
| $Results.Explanation = "Not exploitable as patch is installed and RestrictDriverInstallationToAdministrators is set to secure value" | |
| } | |
| else { | |
| if ($Results.PatchInstalled -eq $true) { | |
| if ($Results.NoWarningNoElevationOnInstall -eq "Insecure") { | |
| $Results.Explanation = "Exploitable as NoWarningNoElevationOnInstall is set to insecure value" | |
| } | |
| elseif (($Results.NoWarningNoElevationOnInstall -eq "Secure") -and ($Results.UpdatePromptSettings -eq "Secure")) { | |
| $Results.Exploitable = $false | |
| $Results.Explanation = "Not exploitable as patch is installed and the registry settings NoWarningNoElevationOnInstall and UpdatePromptSettings are both set to secure values" | |
| } | |
| elseif (($Results.NoWarningNoElevationOnInstall -eq "Secure") -and ($Results.UpdatePromptSettings -eq "Insecure")) { | |
| $Results.Explanation = "Exploitable as UpdatePromptSettings is set to insecure value" | |
| } | |
| } | |
| else { | |
| $Results.Explanation = "Exploitable as patch is not installed" | |
| } | |
| } | |
| $Results | |
| } |
Welp... If you haven't looked yet. Another spooler CVE
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481
No fix/patch. Doesn't mention if the registry changes help. Only workaround is disable.
Yup saw that, waiting for some more details to come out regarding workarounds/reg values, etc.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
No worries, I've updated the Gist to include the regular July patches (instead of just the OOB patches that were out when I initially wrote this)