Find multiple registry keys

Hi All,

I’m developing an ActionScript to identify machines affected by MS Unquoted Path Vulnerability, and have come up with this:

(((it does not contain "%22") of (values "ImagePath" of keys "HKLM\SYSTEM\CurrentControlSet\services" of keys of registry as string) AND (it contains "%20") of (values "ImagePath" of keys "HKLM\SYSTEM\CurrentControlSet\services" of keys of registry as string)) AND (name of operating system starts with "Win"))

Logic is:

Find keys NOT containing quotes (%22) but keys that DO contain spaces (%20) for value “ImagePath” in registry location HKLM\SYSTEM\CurrentControlSet\services

However, I don’t believe it is working. Any ideas?

Right, that’s not working.

Reading this right-to-left, you are examining “keys of registry” but not specifying which keys.
You want the subkeys beneath “HKLM\SYSTEM\CurrentControlSet\services” so you’d need to use values "ImagePath" of keys of key "HKLM\SYSTEM\CurrentControlSet\services" of registry as string

I’m also pretty sure you can’t use “AND” with plurals. But if you could, what you’re asking here is “keys with %22 exist” and “keys with %20 exist”, but not whether they’re both in the same key.

You’re also putting the check for “windows os” at the end; you should put it at the beginning, because if this evaluates on non-windows it would have already gotten an error by trying to read the registry first.

As tricky as some Relevance logic can be, it was intended to be “more friendly and readable” by using natural language constructs. (I know it doesn’t feel like it, especially if you’re experienced in other scripting languages.) I find it helps more in Relevance than in some other languages, to try to write a single sentence to describe what you’re looking for.

“Windows systems, that have any keys with an ImagePath value containing a space and not containing quotes, under the Services registry keys”

Give this a try -

(name of operating system starts with "Win") AND (exists keys whose (value "ImagePath" of it as string contains "%20" and value "ImagePath" of it as string does not contain "%22") of keys "HKLM\SYSTEM\CurrentControlSet\services" of registry)

This does the Windows check first; then it loops through the keys of keys "HKLM\System\CurrentControlSet\Services" of registry - so it only walks through these subkeys one time. For each key it examines, it checks for both "%20" and lack of "%22" in the ImagePath value. The "exists" should make it stop evaluating on the first one that it finds, potentially saving time because if a positive result is found early, it can skip checking the remaining keys.

An interesting idea (and great explanation of why the original relevance trips up) but any service with parameters in the ImagePath throws a false positive - everything running svchost.exe for example.

Having pooped on this party, pressures of work mean I can’t help with a solution for a while - sorry.

Does this work?

services whose (exists (image paths of it as lowercase) whose (it does not start with "%22" and preceding text of first ".exe" of it contains " "))

Q: services whose (exists (image paths of it as lowercase) whose (it does not start with "%22" and preceding text of first ".exe" of it contains " "))
A: "Bonjour Service" "Bonjour Service" "Running"
A: "BRA_Scheduler" "Brother BRAdminPro Scheduler" "Running"

tisk tisk Blizzard and Brother…

Q: image paths of services whose (exists (image paths of it as lowercase) whose (it does not start with "%22" and preceding text of first ".exe" of it contains " "))
A: C:\Program Files (x86)\Blizzard\Bonjour Service\mDNSResponder.exe
A: C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe

I can’t find a flaw in this for the life of me but still, BF and the vulnerability tool don’t agree. Will look into this again and report back. Thanks @strawgate ! I also replaced " " with “%20”…that shouldn’t affect it, right? This is what it currently is:

(name of operating system starts with "Win") AND (exists keys whose (value "ImagePath" of it as string does not start with "%22" AND preceding text of first ".exe" of it contains "%20") of keys "HKLM\SYSTEM\CurrentControlSet\services" of registry)

Perhaps “of keys” does not drill down to the bottom registry level? e.g. HKLM\SYSTEM\CurrentControlSet\services\Intel Storage Counters\Linkage\Export

Yes. Of Keys will not recursively search.

The only path that matters for unquoted service paths is the "ImagePath" of the service, which is always located at the root of the service's node (i.e. services\Intel Storage Counters). Do you know what is in Linkage\Export?

The vulnerability tool may be incorrectly looking at every path under services or maybe there is something under Linkage\Export that is significant.

Linkage\Export was just an example.

The vuln tool is correctly identifying them.

Here’s an actual one:

HKLM\SYSTEM\CurrentControlSet\services\WavesSysSvc\ImagePath = C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe

Is there a way to get the analysis to drill down to that level?

It may be due to the service being 64 bit. There was code input to attempt to look in the 64 bit Program Files, which your example seems to indicate you are looking for, but you would need to specifically use the file of inspector.

See https://developer.bigfix.com/relevance/reference/service.html#file-of-service-file

I haven’t read this thread, I’m just looking at your raw relevance in the first post, and it has an error.

This should give you the raw image paths of the services using the registry:

values "ImagePath" of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of registries

You were missing the extra keys of there ^

Always start with relevance that returns the entire set of elements you are working with to know you are getting the raw data you need to start with, then work on filtering it down from there.

This should get you the image paths you are looking for:

(preceding text of last ".exe" of it | it) whose(it contains "%20") of (it as string) whose(it contains "%20" AND it does not contain "%22") of values "ImagePath" of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of registries

This should give you the names of the keys (services) that have this condition met:

names of keys whose(exists (preceding text of last ".exe" of it | it) whose(it contains "%20") of (it as string) whose(it contains "%20" AND it does not contain "%22") of values "ImagePath" of it) of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of registries

Can you provide a link to the vul tool so we have something to validate against? Any other related info on this?

Gentlemen,

Finally got around to carving some time out to focus on this.

(name of operating system contains "Win") AND exists (values "ImagePath" of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of native registries as string) whose (it does not start with "%22" and preceding text of first ".exe" of it contains "%20")

Matches what Nessus finds, 100%, at least for the first few hosts I tested it on.

@strawgate @jgstew @AlanM Thank you all very much for your input.
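As an added example (not code from this thread or from BigFix), here is the final predicate from the post above rendered in Python and run over constructed ImagePath values, next to the earlier "any space and no quotes" check so the svchost false positive raised earlier in the thread is visible. Service names other than WavesSysSvc and BRA_Scheduler are invented; treating an ImagePath with no ".exe" as not flagged is an assumption of this example, not something the thread states about Relevance.

```python
from typing import Callable, List, Tuple

# Constructed sample (service name, ImagePath) pairs. Only WavesSysSvc and
# BRA_Scheduler appear in the thread; the other names and paths are invented.
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("QuotedSvc", r'"C:\Program Files\Vendor\Quoted Service\svc.exe" -k run'),
    ("WavesSysSvc", r"C:\Program Files\Waves\MaxxAudio\WavesSysSvc64.exe"),
    ("netsvcs_host", r"C:\Windows\system32\svchost.exe -k netsvcs -p"),
    ("acpi", r"%SystemRoot%\System32\drivers\acpi.sys"),
    ("BRA_Scheduler", r"C:\Program Files (x86)\Brother\BRAdmin Professional 3\bratimer.exe"),
    ("AgentSvc", r'C:\Tools\agent.exe "C:\Program Files\agent\config.ini"'),
]


def naive_space_and_no_quote(image_path: str) -> bool:
    """The earlier check in the thread: a space anywhere and no quote anywhere.
    Any unquoted service that passes arguments (svchost -k ...) is flagged."""
    return " " in image_path and '"' not in image_path


def unquoted_with_space(image_path: str) -> bool:
    """The thread's final predicate:
    it does not start with "%22" and preceding text of first ".exe" of it contains "%20".
    ".exe" is matched case-insensitively, as in the `as lowercase` variant."""
    if image_path.startswith('"'):
        return False
    idx = image_path.lower().find(".exe")
    if idx == -1:
        # Assumption for this example: no ".exe" (e.g. a .sys driver) is not flagged.
        return False
    return " " in image_path[:idx]


def flag_services(entries: List[Tuple[str, str]],
                  predicate: Callable[[str], bool] = unquoted_with_space) -> List[str]:
    """Names of services whose ImagePath satisfies the chosen predicate."""
    return [name for name, path in entries if predicate(path)]


def quoted_form(image_path: str) -> str:
    """Remediated value: wrap the executable portion in quotes, keep any arguments."""
    end = image_path.lower().find(".exe") + len(".exe")
    return '"' + image_path[:end] + '"' + image_path[end:]


if __name__ == "__main__":
    for name in flag_services(SAMPLE_SERVICES):
        path = dict(SAMPLE_SERVICES)[name]
        print(f"{name}: {path}  ->  {quoted_form(path)}")
```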
