Monday, October 14, 2019

UPDATE: Vulnerability Vendor Plugin Oops!

Saw an encoded PowerShell command that looked suspicious in the Windows event logs. If you defend at all, looking at Process Creation events (Event ID 4688) is quite useful.

cmd /c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -EncodedCommand "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"

Deleted the last part; kind of sensitive, but not greatly. Looks like this is part of a plugin for a popular vulnerability scanning tool. Decoding it yields this:

$service = (Get-WMIObject Win32_Service -ErrorAction Stop | Where-Object -Property Name -like 'masvc' | Select-Object Name, DisplayName, Started, State)
$agent = (Get-WMIObject Win32_Product -ErrorAction Stop | Where-Object -Property Name -like 'McAfee Agent' | Select-Object Name, Version)
# $serviceState, $serviceStarted and $agentversion are never assigned, so they are $null below.
if (!$service -or !$agent ) {
    Write-Host 'HBSS is not installed'
}
elseif ($serviceState -eq 'Running' -And $serviceStarted -eq 'True' -And $agentversion -ge '4') {
    Write-Host 'HBSS is installed and running'
}
elseif ($serviceState -ne 'Running' -or $serviceStarted -eq 'False') {
    Write-Host 'HBSS is not running'
}
else {
    Write-Host 'Something else is wrong'
}

Notice how some of the variables ($serviceState, $serviceStarted, $agentversion) are never defined? This happens from time to time. We get so excited about finding a cool way to do something that we forget a step or two. Not judging the person who created this; I'm not perfect myself.
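The triage step at the top of this post (spotting -EncodedCommand in a 4688 command line and decoding it) as an added Python example; this is not code from the post or from the vendor plugin, and the 4688 command lines and the re-encoded plugin script are constructed here for the demonstration:

```python
import base64
import re

# Constructed sample: the first line of the decoded plugin script from the post,
# re-encoded the way powershell.exe -EncodedCommand expects it.
PLUGIN_SCRIPT = (
    "$service = (Get-WMIObject Win32_Service -ErrorAction Stop | "
    "Where-Object -Property Name -like 'masvc' | Select-Object Name, State)"
)

def encode_for_powershell(script: str) -> str:
    """-EncodedCommand takes base64 of the script as UTF-16LE, not UTF-8."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# powershell.exe accepts any prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so the detector captures the prefix and then checks it against the full name.
ENCODED_ARG = re.compile(r'(?i)(?<![\w-])-(e[a-z]*)\s+"?([A-Za-z0-9+/=]{8,})')

def decode_encoded_command(b64: str):
    """Return the decoded script text, or None if it is not valid UTF-16LE base64."""
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_4688(command_lines):
    """Scan 4688 'Process Command Line' values; return one record per encoded hit."""
    hits = []
    for line in command_lines:
        for m in ENCODED_ARG.finditer(line):
            flag, b64 = m.group(1), m.group(2)
            if not "encodedcommand".startswith(flag.lower()):
                continue  # e.g. -ExecutionPolicy also starts with -e
            hits.append({"flag": "-" + flag, "decoded": decode_encoded_command(b64)})
    return hits

# Constructed 4688 command lines: the scanner plugin, a benign script, an abbreviated flag.
SAMPLE_4688 = [
    'cmd /c "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -EncodedCommand "'
    + encode_for_powershell(PLUGIN_SCRIPT) + '"',
    "powershell.exe -ExecutionPolicy Unrestricted -File C:\\scripts\\inventory.ps1",
    "powershell -enc " + encode_for_powershell("Write-Host 'abbreviated flag'"),
]

if __name__ == "__main__":
    for hit in triage_4688(SAMPLE_4688):
        print(hit["flag"], "->", (hit["decoded"] or "<undecodable>")[:60])
```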

This might fix it.

$service = (Get-WMIObject Win32_Service -ErrorAction Stop | Where-Object -Property Name -like 'masvc' | Select-Object Name, DisplayName, Started, State)
# Note: enumerating Win32_Product is slow and makes Windows Installer run a consistency
# check (and possibly a repair) on every installed MSI package; kept here to match the plugin.
$agent = (Get-WMIObject Win32_Product -ErrorAction Stop | Where-Object -Property Name -like 'McAfee Agent' | Select-Object Name, Version)

# Pull the values the conditions below test out of the objects the queries returned.
$serviceState   = $service.State
$serviceStarted = $service.Started
# Compare as a [version] rather than a string: '10.0.0.1' -ge '4' is $false as strings.
$agentVersion   = if ($agent) { [version]$agent.Version } else { $null }

if (!$service -or !$agent) {
    Write-Host 'HBSS is not installed' -ForegroundColor Red
}
elseif (($serviceState -eq 'Running') -and ($serviceStarted -eq $true) -and ($agentVersion -ge [version]'4.0')) {
    Write-Host 'HBSS is installed and running' -ForegroundColor Green
}
elseif (($serviceState -ne 'Running') -or ($serviceStarted -eq $false)) {
    Write-Host 'HBSS is not running' -ForegroundColor Red
}
else {
    Write-Host 'Something else is wrong' -ForegroundColor Red
}



*Yes, I'm running a test instance of McAfee; they have easy-to-get eval versions.*

I did disclose it to the vendor. The vendor hasn't fixed it yet, but keep in mind I literally just disclosed it.

Maybe if enough people mention it, it will move higher up the priority list. I turned this in to help the community. It shouldn't be difficult to figure out which vendor this belongs to; I'm not naming the vendor in case it gets me or them in trouble.

After looking at the scan details, I know which plugin it is as well. I'm afraid to mention it because whoever put it out there had good intentions. We all have less-than-ideal days. Maybe they will recognize their own code and submit a fix.

If someone can think of a better fix and can figure out who the vendor is, please, tell them.  Thanks.

UPDATE: They have notified me that this should be fixed now and asked me to test it.