Run As Current User

(imported comment written by brolly3391)

Good try Ryan. That was one of my false lead accounts.

You will have to dig a bit deeper to get the “real” user/password combo.

I have been thinking more and more about what 52Merc suggested and I think there is something hiding in there. (cue the Mission Impossible theme music)

Cheers,

Brolly

(imported comment written by Doug_Coburn)

Here is an example of how to download and run the RunAsCurrentUser.exe program.

download http://support.bigfix.com/download/bes/util/RunAsCurrentUser.exe

continue if {(size of it = 69632 AND sha1 of it = "9bf587d2d4a81e1d8c179ade6a4daf64daa0db31") of file "RunAsCurrentUser.exe" of folder "__Download"}

wait __Download/RunAsCurrentUser.exe --w cmd.exe /C flag /change

Doug
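As an added example (not Doug's action script and not BigFix code), here is the same size-plus-hash gate written in Python: the payload may only be launched when both the byte count and the SHA-1 match what the action expected. The function names, the launch callback and the sample payload are all constructed for this illustration.

```python
import hashlib
import os
import tempfile
from typing import Any, Callable, Optional, Tuple


def verify_payload(path: str, expected_size: int, expected_sha1: str) -> bool:
    """Same gate as the action script's 'continue if': the downloaded file must
    match both the expected byte count and the expected SHA-1 before it may be
    executed. The bytes are read exactly once and both checks are made on that
    single buffer, so there is no window between a stat() and a hash in which
    the file on disk could be swapped."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) != expected_size:
        return False
    return hashlib.sha1(data).hexdigest() == expected_sha1.lower()


def gate_and_run(path: str, expected_size: int, expected_sha1: str,
                 launch: Callable[[str], Any]) -> Tuple[bool, Optional[Any]]:
    """Call launch(path) only when the gate passes. Returns (ran, result) so a
    caller can tell 'refused to run' apart from 'ran and returned None'."""
    if not verify_payload(path, expected_size, expected_sha1):
        return False, None
    return True, launch(path)


def make_constructed_payload(content: bytes) -> str:
    """Write a throwaway file standing in for __Download\\<name>. This is
    constructed sample data for the example, not a real download."""
    fd, path = tempfile.mkstemp(prefix="payload-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    p = make_constructed_payload(b"hello")
    good = "aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d"  # SHA-1 of b"hello"
    print(gate_and_run(p, 5, good, lambda _: "launched"))       # (True, 'launched')
    print(gate_and_run(p, 5, "0" * 40, lambda _: "launched"))   # (False, None)
    os.remove(p)
```

The size check is a cheap first filter; the hash is what actually pins the file. SHA-1 is what the action language offers in the script above, so it is used here too, but where the relevance language on your version supports a SHA-256 check, prefer that.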

(imported comment written by SystemAdmin)

I feel dumb…but this still doesn’t work for me. I’ve tried quite a few different things with no luck. At the moment, I use a .bat file to copy three files to a new directory on the C: drive (another .bat file and 2 supporting files). I then download and execute “RunAscurrentuser.exe” and tell it to execute the .bat file. No luck. Doesn’t even appear to run, but no errors.

I have to copy/edit two files that happen to sit under each user's “documents and settings” folder, so I have to detect who the user is to copy correctly. Below is my action script and the .bat file.

download http://server.thatplace.com:52311/Uploads/2984dfdfa1c4d2d79d28d2a311f61faf7f6fe4a3/big28.tmp

continue if {(size of it = 36350 and sha1 of it = "2984dfdfa1c4d2d79d28d2a311f61faf7f6fe4a3") of file "big28.tmp" of folder "__Download"}

extract big28.tmp

wait "{pathname of system folder & "\cmd.exe"}" /C "{(pathname of client folder of current site) & "__Download\preupd.bat"}"

download http://support.bigfix.com/download/bes/ … ntUser.exe

continue if {(size of it = 69632 AND sha1 of it = "9bf587d2d4a81e1d8c179ade6a4daf64daa0db31") of file "RunAsCurrentUser.exe" of folder "__Download"}

wait __Download/RunAsCurrentUser.exe --w cmd.exe /C c:\jdeupdate\jdeupd.bat /change

The .bat file looks like this:

cd c:\jdeupdate

type jdeupd.txt >> c:\Docume~1\%USERNAME%\Applic~1\ICAClient\APPSRV.ini

copy Peoplesoft.lnk c:\Docume~1\%USERNAME%\Desktop\Peoplesoft.lnk

Things work fine if I change the %USERNAME% variable to a real username (but that obviously won’t work for 1000 people).

Any help is appreciated as I need to provide an answer Monday morning.

Thanks,

Tim

(imported comment written by brolly3391)

Tim,

I started a new thread for your question.

http://forum.bigfix.com/viewtopic.php?pid=989

Cheers,

Brolly.

(imported comment written by Rolf.Wilhelm91)

Hi Brolly,

I know, this is an old discussion, but here are some ideas …

brolly33

There are ways of further obfuscating the embedded password to prevent this type of attack but any delivery of account information via automation will present some sort of attack surface, however minimal. There is no way to totally eliminate this issue that I know of. It becomes a risk analysis/acceptance item.

What about temporarily creating an administrator account inside of the fixlet?

net user mytempadmin mypwd /add

net localgroup administrators mytempadmin /add

net user mytempadmin /delete

This kind of action will lower the risk, because you need administrative rights anyway to reuse the code if you find it in a cache. The only risk I can see at the moment is that it can be misused while the action is running. There is no network access possible, because the BigFix Client cannot create a domain account while running as local system.

brolly33

I did some quick research on RunAs and now realize that you are right. It does not support passing the password via scripting. You might check out an API call CreateProcessAsUser used in combination with LogonUser. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocessasuser.asp

You would be essentially writing your own RunAs with the credentials embedded instead of prompted.

This problem is still open and needs at least an external tool like “su” from one of the old resource kits.

Regards,

Rolf.

(imported comment written by brolly3391)

Hi Rolf,

I am glad to see people are still thinking about this. The idea of using a discardable temp admin account has been tossed out there before. Of all the ideas so far I think it is the one with the most merit. The risk there is that the task could fail sometime between the account creation and deletion. That would leave the tempadmin account sitting around and the action in the action site would have both the temp admin account and password exposed.

Honestly, most instances where you think you need a logged on admin account it will turn out that there is a workaround and you can avoid having to take the risk of having a local admin account compromised. Most of the time people want to use an account with network privileges to get a file off of a server share. Remember that you can always host the file on a web server. The BES Client can get to those types of files even while running in the system context.

Cheers,

Brolly.

PS - if you run into this need, start a new thread and let the community see if we can figure out a workaround.
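The gap Brolly points out, a task dying somewhere between "net user /add" and "net user /delete", is the kind of thing a try/finally exists for. As an added example (not code from the thread or from BigFix), the sequence from Rolf's post wrapped so the delete runs on success, on a failing task and on an exception, with the password generated on the endpoint at run time so it never has to be written into the action. The account name, the `run` callable and the `task` callback are assumptions made for the example; how the task actually launches something under the temporary account is left to the caller, since the thread establishes that runas will not take a scripted password.

```python
import secrets
import string
import subprocess
from typing import Callable, Sequence

# Constructed default for the example; the thread does not name the account.
TEMP_ADMIN = "bes_tmpadmin"


def random_password(length: int = 24) -> str:
    """Generate the throwaway account's password on the endpoint at run time,
    so no password has to be embedded in the action text at all."""
    alphabet = string.ascii_letters + string.digits + "!#%+-=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def default_run(cmd: Sequence[str]) -> int:
    """Run a command without a shell and return its exit status."""
    return subprocess.call(list(cmd))


def run_with_temp_admin(task: Callable[[str, str], int],
                        run: Callable[[Sequence[str]], int] = default_run,
                        user: str = TEMP_ADMIN) -> int:
    """Create a temporary local administrator, hand its credentials to `task`,
    and delete the account again whether or not `task` succeeds.

    task(user, password) is whatever launches the privileged work under that
    account (a LogonUser/CreateProcessAsUser style tool, as brolly describes).
    run(cmd) executes a command line and returns its exit code; it is a
    parameter so the sequencing can be exercised without touching a real box.
    """
    password = random_password()
    if run(["net", "user", user, password, "/add"]) != 0:
        # Nothing was created, so there is nothing to clean up.
        raise RuntimeError("could not create temporary account")
    try:
        if run(["net", "localgroup", "administrators", user, "/add"]) != 0:
            raise RuntimeError("could not grant local admin rights")
        return task(user, password)
    finally:
        # This is the whole point: the account is removed on success, on a
        # failing task, and on an exception raised by the task.
        run(["net", "user", user, "/delete"])
```

Two caveats a practitioner would want stated. First, the finally clause only closes the window as far as this process survives; a reboot or a killed process still leaves the account behind, so pair it with a separate cleanup action that detects and deletes a lingering account of that name. Second, "net user /add" puts the password on a command line, which is briefly visible to anything enumerating processes on the box, and as Rolf notes the account is usable by anything else on the machine for as long as it exists.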

(imported comment written by ryanlrussell)

So, sorry to come back to this months later, but it’s that time of year, and a man’s thoughts turn to reverse engineering. Plus, I’ve finally put some projects to bed, and I had a little time.

Turns out I just needed a break to let some things simmer, and then another 20 minutes or so. Total time spent was in the neighborhood of 12 hours to figure it out. I can do this again in about 10 minutes now.

I believe this is your card?

H:\Embedded Password.WBT

var=ArrDimension(100)
var[0]="1234567"
var[1]="admin"
var[2]="localadmin"
var[3]=Random(123456)
var[4]="p4$$w0rD"
var[5]="LclAdmn"
var[6]="admi4nis2tra1tor"
var[7]="$1f0ry0urapp13"
var[8]=StrCat("A",Random(99),"b03h")
var[9]=TimeDate()
var[10]="B1gF1xR0cks"
var[11]="fowrt&hen*hHuieFerh"
var[12]="ownrh#wln)lwn0"
var[14]="1234hjkl"
var[15]="raharnnk3"
var[16]=StrCat(Random(99999999999),"")
var[17]="could have used a bigger array"
var[19]="DfsuBenjo"
var[19]=StrCat(Random(99999),"")
var[20]="&hellhw*g"
var[21]='Ben and Ryan, Thanks for the challenge. I understand that with other people',27h,'s account information'
var[22]='any risk of exposure is too great. Any embedded account information is more vulnerable because there is nothing '
var[23]='to preventrepeated attacks in the privacy of the attacker',27h,'s own workspace. With time, any system can be broken.'
var[24]="aqwsderf"
var[25]="5"
var[26]="4"
var[27]="calc"
var[28]="wordpad"
var[29]="notepad"

#DefineFunction A(strC)
   ; ROT13 over the ASCII letters of strC; every other character is copied through.
   ; Note that code 64 ("@") matches none of the three tests below and is dropped.
   strDC=""
   For x=1 To StrLen(strC)
      char=StrSub(strC,x,1)
      deChar=Char2Num(char)
      If deChar < 64 || (deChar > 90 && deChar < 97) || deChar > 122 Then strDC=StrCat(strDC,char)
      If (deChar > 64 && deChar < 78) || (deChar > 96 && deChar < 110) Then strDC=StrCat(strDC,Num2Char(deChar+13))
      If (deChar > 77 && deChar < 91) || (deChar > 109 && deChar < 123) Then strDC=StrCat(strDC,Num2Char(deChar-13))
   Next
   Return strDC
#EndFunction

ErrorMode(@OFF)
; The loop starts at most at 5 and ends at least at 8, so x=6 and x=7 are always reached.
For x=Random(5) To Random(20)+8
   t=Random(24)
   u=Random(5)
   v=Random(3)
   ; a logon attempt with a randomly chosen user var[v] and randomly chosen password var[t]
   RunWithLogon(StrCat(var[26+v],".exe"),"","",@NORMAL,@NOWAIT,var[v],".",var[t],0)
   ; the two fixed iterations are the only ones that pass a string through A()
   If x==7 Then RunWithLogon(StrCat(var[27],".exe"),"","",@NORMAL,@NOWAIT,var[0],".",A(var[x]),0)
   If x==6 Then RunWithLogon(StrCat(var[29],".exe"),"","",@NORMAL,@NOWAIT,var[2],".",A(var[x]),0)
Next
ErrorMode(@ON)
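To make the point of the listing concrete, here is an added example (mine, not Ryan's or Brolly's code) that ports the WinBatch helper A() to Python and applies it to the two strings the script hands to it. The loop runs from Random(5) to Random(20)+8, so the x==6 and x==7 iterations happen on every run, and those are the only RunWithLogon calls whose password goes through A(); every other call pairs a random var[v] user with a random var[t] password. The VAR table and the fixed_logons name are constructed from the listing for this example.

```python
from typing import List, Tuple


def a_rot13(s: str) -> str:
    """Port of the WinBatch function A(): ROT13 over ASCII letters, with every
    other character copied through.

    The original keeps a character only when its code is below 64, between 91
    and 96, or above 122, so code 64 ('@') falls through all three tests and is
    silently dropped. That quirk is reproduced here rather than corrected."""
    out = []
    for ch in s:
        c = ord(ch)
        if c < 64 or 90 < c < 97 or c > 122:
            out.append(ch)                 # non-letter: copy through
        elif 64 < c < 78 or 96 < c < 110:
            out.append(chr(c + 13))        # A-M, a-m: shift forward
        elif 77 < c < 91 or 109 < c < 123:
            out.append(chr(c - 13))        # N-Z, n-z: shift back
        # c == 64 reaches here and is dropped, as in the original
    return "".join(out)


# The entries of var[] that the two fixed iterations use, taken from the listing.
VAR = {0: "1234567", 2: "localadmin", 6: "admi4nis2tra1tor", 7: "$1f0ry0urapp13"}


def fixed_logons() -> List[Tuple[str, str, str, str]]:
    """The (iteration, user, domain, password) tuples for the x==7 and x==6
    branches. RunWithLogon takes user, domain and password as its 6th, 7th and
    8th arguments, which is where var[0]/var[2], "." and A(var[x]) sit."""
    return [
        ("x==7", VAR[0], ".", a_rot13(VAR[7])),
        ("x==6", VAR[2], ".", a_rot13(VAR[6])),
    ]


if __name__ == "__main__":
    for label, user, domain, password in fixed_logons():
        print(f"{label}: user={user} domain={domain} password={password}")
```

The decode is a handful of lines once the binary gives up the string table, which is Ryan's point in the thread: obfuscation in the client changes how long recovery takes, not whether it is possible.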

(imported comment written by brolly3391)

Ryan!

Well done. That is indeed the pseudocode I wrote in WinBatch to obfuscate my password.

The good bet is still on BigFix.

Cheers,

Brolly

(imported comment written by ErinC91)

Thought I’d add my tuppence to this thread.

I use the AutoIT scripting language’s RunAsSet command to run bigfix deployments with domain administrator accounts.

This enables bigfix deployments to access network shares without the need for the null share folder.

The script even checks the domain and uses the correct admin password as applicable. This is great for me since I deal with different domains with different script-admin accounts.

The script is compiled into an executable and set so no-one can decompile it to reveal the passwords in the actual script. (this is the possible falldown of this method, I don’t know how easy it would be to decompile it should you be determined)

This is my AutoIt script, edited a little to remove my account details:

If @LogonDomain = "Domain1" Then
    ; Store password in a variable
    $PassWord = "password1"
    ; Set Admin rights for any Run commands
    RunAsSet("ScriptAccount1", "Dom1", $PassWord)
ElseIf @LogonDomain = "Domain2" Then
    ; Store password in a variable
    $PassWord = "password2"
    ; Set Admin rights for any Run commands
    RunAsSet("ScriptAccount2", "Domain2", $PassWord)
ElseIf @LogonDomain = "Domain3" Then
    ; Store password in a variable
    $PassWord = "password3"
    ; Set Admin rights for any Run commands
    RunAsSet("ScriptAccount3", "Domain3", $PassWord)
EndIf

; Run the setup executable from the current folder
Run("setup.exe", "", @SW_MAXIMIZE)

; Reset user's permissions
RunAsSet()
Exit

AutoIt is freeware and available from www.hiddensoft.com. It’s been a lifesaver for me.

(imported comment written by ryanlrussell)

ErinC

I don’t know how easy it would be to decompile it should you be determined

If you’d like to know, post a copy or send it to ryan underscore russell at bigfix dot com.

(imported comment written by ErinC91)

I’m guessing that it’s fairly easy to decompile by your answer Ryan ?

I’ve attached a compiled script. When compiling it I specifically did not tick the box to allow decompilation.

edit: hmm, attaching .exe files disallowed ? zipped and re-attached

(imported comment written by ryanlrussell)

Sorry, I guess we don’t allow any attachments on the board. Could I get you to mail the .zip to me?

(imported comment written by ErinC91)

I’ve emailed it to your hotmail address Ryan, thanks.