Error in powershell script

Hi!

I have this Powershell script working on my computer:

$securepwd = '01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d41fd44d4b7d6944828922848be6ea2300000000020000000000106600000001000020000000895b407ff1c1890fb548a132948b88919171c79c435f0fc1e6c432cde51c6bfd000000000e8000000002000020000000b33acaca73ca31afb784ef91dc315990803d326f86fd97f7b074c5d74c805be0200000004584b56553e5ff0f4195d20c89fa128ef4b0950aa70ea39f3bc9f38f51e3366840000000434502c90d2c48bb714db3c1d7c025e592a19c4a76cbc1cd2477427f720ed0edb9603b1c03b8aaa12056f00f1f237e5eb64d37692d32b88a292973f8ba57f686' | ConvertTo-SecureString
$Marshal = [System.Runtime.InteropServices.Marshal]
$Bstr = $Marshal::SecureStringToBSTR($securepwd)
$pwd = $Marshal::PtrToStringAuto($Bstr)
net user Administrator $pwd

It decrypts a string and uses it to change the Administrator's password.

When I run it from BigFix, I have this error:

   C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File "c:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__bes7.ps1"
   Error executing script c:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__bes7.ps1: ConvertTo-SecureString : El sistema no puede encontrar la ruta especificada.
En C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__bes7.ps1: 1 Car cter: 511
+ ... 00f1f237e5eb64d37692d32b88a292973f8ba57f686' | ConvertTo-SecureString
+                                                    ~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [ConvertTo-SecureString], CryptographicException
    + FullyQualifiedErrorId : ImportSecureString_InvalidArgument_CryptographicError,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand
 
Excepción al llamar a "SecureStringToBSTR" con los argumentos "1": "El valor no puede ser nulo.
Nombre del parámetro: s"
En C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__bes7.ps1: 3 Carácter: 1
+ $Bstr = $Marshal::SecureStringToBSTR($securepwd)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : ArgumentNullException
 
No se encuentra ninguna sobrecarga para "PtrToStringAuto" y el número de argumentos "1".
En C:\Program Files (x86)\BigFix Enterprise\BES Client\__BESData\__bes7.ps1: 4 Carácter: 1
+ $pwd = $Marshal::PtrToStringAuto($Bstr)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodException
    + FullyQualifiedErrorId : MethodCountCouldNotFindBest
 

   Script ended (the script returned exit code 0 but completed with errors, exit code overridden with -1) (fixlet 227517)
At 14:08:20 -0300 - 

Any idea what it could be?

Thanks!

What happens if you run the script manually on another machine?
I’m no PowerShell guru, but my understanding is that SecureStrings use the Windows DPAPI, and that by default a SecureString can only be decrypted by the same user account on the same machine. It’s likely that your SecureString bytes are not decodable when switching to the LocalSystem account or running on another computer.

Jason is correct. Per MSDN:

If an encryption key is specified by using the Key or SecureKey parameters, the Advanced Encryption Standard (AES) encryption algorithm is used. The specified key must have a length of 128, 192, or 256 bits because those are the key lengths supported by the AES encryption algorithm. If no key is specified, the Windows Data Protection API (DPAPI) is used to encrypt the standard string representation.

In order to do what you are looking to do, you must convert the password to the encrypted string using AES (i.e. add the -Key or -SecureKey parameter when using ConvertFrom-SecureString) then provide that same key when decoding.

Alternatively, you could leverage BigFix Secure Parameters to provide the password and not have to worry about the encryption yourself. If you're not familiar with how to do this, put this code snippet into the description of your task:

<input id="password" type="password" name="password"> 
<script>
document.body.ontakeaction = function() {
   var password = document.getElementById( "password" ).value;
   TakeSecureFixletAction( Relevance('id of current fixlet'), Relevance('id of current bes site'), "Action1", {}, { password: password } );
   return false;
}
</script>

and then you can access the decrypted password within your actionscript with:

net user Administrator {parameter "password" of action}

@brolly33 did a great overview of Secure Parameters over on the BigFix Tech Advisors YouTube Channel
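A worked version of the -Key approach described in the reply above, added here as an example rather than taken from any of the posts: the password is encrypted once with a random AES-256 key instead of DPAPI, so the ciphertext no longer depends on the user account or machine, and the script decrypts it with the matching key. The file paths are placeholders, and the key file must be readable only by the account that runs the script, since anyone holding both files can recover the password.

```powershell
# Added example, not from the original thread. Paths below are placeholders.

# --- Step 1: run once, on an admin workstation, to produce the key and ciphertext ---
$key = New-Object byte[] 32                                   # 32 bytes = AES-256
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
$plain  = Read-Host -AsSecureString -Prompt 'New Administrator password'
$cipher = $plain | ConvertFrom-SecureString -Key $key          # AES, not DPAPI
# Keep the two files apart (key on the client, ciphertext in the script or a
# protected file); together they are equivalent to the plaintext password.
[System.IO.File]::WriteAllBytes('C:\path\to\admin.key', $key)   # placeholder path
Set-Content -Path 'C:\path\to\admin.enc' -Value $cipher         # placeholder path

# --- Step 2: the BigFix-deployed script (runs as LocalSystem on the endpoint) ---
$key    = [System.IO.File]::ReadAllBytes('C:\path\to\admin.key')
$cipher = (Get-Content -Path 'C:\path\to\admin.enc' -Raw).Trim()
if ($key.Length -notin 16, 24, 32) {
    throw "AES key must be 128, 192 or 256 bits, got $($key.Length * 8)"
}
# With -Key present, ConvertTo-SecureString uses AES; without it you get the
# DPAPI path that fails under a different account or on another machine.
$securepwd = ConvertTo-SecureString -String $cipher -Key $key
$Marshal = [System.Runtime.InteropServices.Marshal]
$Bstr = $Marshal::SecureStringToBSTR($securepwd)
try {
    # PtrToStringBSTR is the correct pairing for a BSTR on both Windows
    # PowerShell and PowerShell 7 (PtrToStringAuto can truncate on .NET Core).
    $pwd = $Marshal::PtrToStringBSTR($Bstr)
    net user Administrator $pwd
} finally {
    $Marshal::ZeroFreeBSTR($Bstr)   # zero and free the unmanaged plaintext copy
    $pwd = $null
}
```

If the key has to be distributed to every endpoint anyway, the Secure Parameters approach above avoids shipping any decryption material at all, which is the stronger option.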
