The Perils of Vendor Bloatware

Published: 2015-12-02
Last Updated: 2015-12-02 15:52:47 UTC
by Rob VandenBrink (Version: 1)
4 comment(s)

In today's Stormcast, Johannes summarizes the current issue with some of the software that comes pre-installed on Dell laptops.  In short, Dell Foundation Services - which is used for remote management - allows unauthenticated WMI queries to be processed through a simple SOAP interface.  We've used WMI in many stories for reconnaissance, pentesting and attack activities (check out our Diary Archives and Search function for more on this), so an unauthenticated path to it is not a small thing.

Anyway, on one hand, an IT Manager might say "who better to write desktop management software than the hardware vendor?"  A smarter IT Manager might say "no, someone who builds hardware for a living is the *worst* person to buy software from, especially if it's free software".  Maybe the middle ground is the right place - I typically format every new machine, use the vendor's hardware drivers for whatever OS I install, and stop there (at least as far as hardware vendor code goes).

Long story short, after the past year of Superfish and Dell's equivalent of Superfish (a pre-installed TLS root CA), and now this, I hope it's time we all take a hard look at the special presents we get "for free", preinstalled on new hardware!
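One practical follow-up to the point above, added here as an example rather than taken from the diary: list every service on the box, who signed its binary, and which TCP ports its process is listening on, so pre-installed vendor agents show up in your own inventory before someone else finds them. It assumes Windows 8 / Server 2012 or newer (for Get-NetTCPConnection) and an elevated prompt; the "not signed by Microsoft" test at the end is a starting point, not a verdict.

```powershell
# Added example (not from the diary): every Windows service, the signer of its
# binary, and any TCP ports its process is listening on. Assumes Windows 8 /
# Server 2012 or later (Get-NetTCPConnection) and an elevated prompt so that
# port-to-process ownership is visible for services running as SYSTEM.

# Listening TCP sockets, keyed by the owning process ID (as a string)
$listeners = Get-NetTCPConnection -State Listen |
    Group-Object -Property OwningProcess -AsHashTable -AsString
if ($null -eq $listeners) { $listeners = @{} }

function Get-ServiceBinary {
    # Win32_Service.PathName may be quoted and may carry arguments; return just the exe.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)')  { return $Matches[1] }   # unquoted, possibly with args
    return $PathName
}

$services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $exe    = Get-ServiceBinary $_.PathName
    $signer = 'unsigned or not found'
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.SignerCertificate) {
            $signer = "$($sig.SignerCertificate.Subject) [$($sig.Status)]"
        }
    }
    $ports = @()
    if ($_.ProcessId -gt 0 -and $listeners.ContainsKey([string]$_.ProcessId)) {
        $ports = $listeners[[string]$_.ProcessId] |
            ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" } | Sort-Object -Unique
    }
    [pscustomobject]@{
        Name      = $_.Name
        Display   = $_.DisplayName
        State     = $_.State
        StartMode = $_.StartMode
        Signer    = $signer
        Listening = ($ports -join ', ')
        Binary    = $exe
    }
}

# Review list: anything not signed by Microsoft, with network listeners first.
# Keying on the signer rather than a vendor-name list means the next vendor's
# agent shows up too; a pattern such as 'Dell|Lenovo|HP' against $_.Display is
# the alternative if you would rather hunt by name (both are assumptions here).
$services |
    Where-Object { $_.Signer -notmatch 'Microsoft' } |
    Sort-Object @{ Expression = { $_.Listening -ne '' }; Descending = $true }, Name |
    Format-Table Name, Display, State, Signer, Listening -AutoSize
```

Anything on that list that is Running, Auto-start, signed by a hardware vendor and bound to 0.0.0.0 or :: is exactly the "free present" the diary is talking about; the Binary column tells you what to look at next, and the StartMode column tells you whether disabling it will stick across a reboot.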

References:

Today's Stormcast: https://isc.sans.edu/podcastdetail.html?id=4767 (or subscribe in iTunes or RSS)
Dell Foundation Services issue: http://rum.supply/2015/12/01/dell-foundation-services.2.html
Superfish 2.0: https://isc.sans.edu/diary/Superfish+2.0:+Dell+Windows+Systems+Pre-Installed+TLS+Root+CA/20411

===============

Rob VandenBrink
Metafore


Nessus and Powershell is like Chocolate and Peanut Butter!

Published: 2015-12-02
Last Updated: 2015-12-02 15:32:47 UTC
by Rob VandenBrink (Version: 1)
9 comment(s)

In a typical security assessment, you'll do authenticated scans of internal hosts, looking for vulnerabilities due to missed patches or configuration issues.  I often use Nessus for this, but find that for a typical IT manager, the Nessus findings can be overwhelming.  While a pentester might look for a specific Java or Flash vulnerability, the IT manager doesn't want to know that "station x has 26 Java vulnerabilities".  They want to know that "station x needs Java updated, and this is how not updating will affect the business".  In a perfect world, that same IT manager might also ask "why exactly do we have Flash and Java installed all over the place?", but maybe that's a story for a different day.

Anyway, on a typical, medium sized network, you can count on hundreds of thousands of findings in an authenticated Nessus scan.  In years past, I would have written some fancy sed / cut scripts to slice and dice this data, or maybe import the lot into a database and start from there on analysis.  Today though, I'm using Powershell - it's free, it's easy, and it's installed everywhere already, so your client can replicate both the findings and the process.

First, let's import the CSV file that we get from Nessus.  From the count, you can see exactly why this process can be so useful:

 

Let's take a look at the data structure:

 

Now let's look for Flash Player issues.  We're searching for all findings whose Risk is anything other than "None" - a Risk of "None" just means "we found Flash", which is an inventory fact rather than something to fix.

Now on to the useful part - which hosts are affected?  Many of these hosts have dozens of discrete flash vulnerabilities, but for the IT manager, the "fix list" is the first important thing, and the second is "how do we prevent this going forward?"

Next we'll tackle Java.  Note the "or" operator (|) inside the pattern, and that the -match operator is case insensitive (use -cmatch if you actually want case to matter).  Be careful though, because PowerShell does not complain about a misspelled column or variable name: $_.PluginID instead of $_.'Plugin ID', or $al instead of $all, simply evaluates to $null, so a typo quietly turns into a "zero" result instead of an error.  Set-StrictMode -Version Latest turns both mistakes into errors and is worth the first line of any script like this.  For Java, in this example we cut the 50,000-ish findings down to a short, useful list of 222.

So, what other issues do you want to hunt for, to whittle that total down?

Adobe Reader (note that I'm making sure to not double-count Flash issues here)
$adobe = $all | Where-Object {$_.Description -match "Adobe Reader" -and $_.Description -notmatch "Flash" -and $_.Risk -notmatch "None"}

.NET Framework:
$dotnet = $all | Where-Object {$_.Description -match "Net Framework" -and $_.Risk -notmatch "None" }
Silverlight:
$silverlight = $all | Where-Object {$_.Description -match "Silverlight" -and $_.Description -notmatch '\.Net' -and $_.Risk -notmatch "None" }

Office:
$msoffice = $all | Where-Object {$_.Synopsis -match '(Office|Word|Powerpoint|Excel|Outlook)' -and $_.Risk -notmatch "None" }

Microsoft Patches, Security Advisories and Service Packs (this one keys on the Name column, and it has to be filtered from $all, since $whatsleft below is built by excluding exactly these patterns):
$misc_microsoft = $all | Where-Object {$_.Name -match '(MS[0-9][0-9]-[0-9][0-9][0-9]|MS KB|MS Security Advisory|Windows Service Pack)' -and $_.Risk -notmatch "None" }

Yes, even in 2015, in most shops of any size, you'll always find one or two hosts that have never had a patch or a service pack installed.

After all that, what's left?  Note that the query is broken up, mostly so you can read it:

$whatsleft = $all |
    Where-Object { $_.Description -notmatch '(Flash|Adobe|JRE|JSE|Java)' } |
    Where-Object { $_.Name -notmatch '(Silverlight|Net Framework|Office|Word|Powerpoint|Excel|Outlook|Explorer)' } |
    Where-Object { $_.Name -notmatch '(MS[0-9][0-9]-[0-9][0-9][0-9]|MS KB|MS Security Advisory|Windows Service Pack)' } |
    Where-Object { $_.Risk -notmatch "None" }

The final summary of issues, most common plugin first, is:
$final_summary = $whatsleft | Select-Object 'Plugin ID', Name | Group-Object 'Plugin ID' | Sort-Object -Descending Count

To view just the issues:
$final_summary | Out-GridView

Back to the IT manager who needs "the list" though, we still need to deal with this host-by-host.

$summary_by_host = $whatsleft | Select-Object Host, 'Plugin ID', Name | Sort-Object Host

Then dump that list to CSV (-NoTypeInformation keeps the "#TYPE" header line out of the file, which would otherwise land in the first row when Excel opens it):

$summary_by_host | Export-Csv ./final-summary.csv -NoTypeInformation
Import that csv file into Excel, make a pivot table, and you've got a nice, compact "which host has what problem" report!
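The whole procedure above, as an added example that is not the diary's own script: it generalizes the one-bucket-at-a-time queries into an ordered table of bucket tests (Flash and Java included, which the original shows only as screenshots), computes what's left, and builds the host-by-product table in PowerShell instead of Excel. The column names (Plugin ID, Host, Name, Synopsis, Description, Risk) are those of a Nessus CSV export; the sample rows are constructed for illustration and ./nessus-export.csv is an assumed path.

```powershell
# Added example, not the diary's own script. Column names match a Nessus CSV
# export; the rows below are constructed sample data, and ./nessus-export.csv
# (commented out) is an assumed path for a real run.
$sampleCsv = @'
"Plugin ID","Host","Name","Synopsis","Description","Risk"
"10000","10.1.1.5","Adobe Flash Player Installed","Flash is installed","Adobe Flash Player is installed on the remote host.","None"
"10001","10.1.1.5","Adobe Flash Player < 19.0.0.245","Multiple vulnerabilities","The Adobe Flash Player installed on the remote host is out of date.","Critical"
"10002","10.1.1.5","Oracle Java SE Multiple Vulnerabilities","Multiple vulnerabilities","The Java JRE installed on the remote host is out of date.","High"
"10002","10.1.1.7","Oracle Java SE Multiple Vulnerabilities","Multiple vulnerabilities","The Java JRE installed on the remote host is out of date.","High"
"10003","10.1.1.7","MS15-112: Cumulative Security Update for Internet Explorer","Multiple vulnerabilities","The remote host is missing a security update.","Critical"
"10004","10.1.1.9","Microsoft .NET Framework Multiple Vulnerabilities","Multiple vulnerabilities","The Microsoft .Net Framework on the remote host is out of date.","High"
"10005","10.1.1.9","SMB Signing Disabled","Signing is not required","SMB signing is not required on the remote SMB server.","Medium"
'@
$all = $sampleCsv | ConvertFrom-Csv          # real export: $all = Import-Csv ./nessus-export.csv

# Drop the informational rows once; every bucket starts from $findings.
$findings = $all | Where-Object { $_.Risk -ne 'None' }

# Ordered bucket tests: a finding lands in the FIRST bucket whose test matches,
# which keeps Flash out of "Adobe Reader" and Silverlight out of ".NET" without
# the -notmatch clauses the one-at-a-time queries need.
$buckets = [ordered]@{
    'Flash'        = { $_.Description -match 'Flash' }
    'Java'         = { $_.Description -match '(JRE|JSE|Java)' }
    'Adobe Reader' = { $_.Description -match 'Adobe Reader' }
    'Silverlight'  = { $_.Description -match 'Silverlight' }
    '.NET'         = { $_.Description -match 'Net Framework' }
    'Office'       = { $_.Synopsis -match '(Office|Word|Powerpoint|Excel|Outlook)' }
    'MS patches'   = { $_.Name -match '(MS[0-9][0-9]-[0-9][0-9][0-9]|MS KB|MS Security Advisory|Windows Service Pack)' }
}

$tagged = foreach ($f in $findings) {
    $bucket = 'Other'
    foreach ($name in $buckets.Keys) {
        # Piping the finding through Where-Object binds $_ for the bucket's test
        if ($f | Where-Object $buckets[$name]) { $bucket = $name; break }
    }
    $f | Add-Member -NotePropertyName Bucket -NotePropertyValue $bucket -PassThru
}

# The "fix list": which hosts need which product attended to, and how many findings each
$tagged | Group-Object Bucket, Host | Sort-Object Name |
    Select-Object @{ n = 'Bucket'; e = { $_.Group[0].Bucket } },
                  @{ n = 'Host';   e = { $_.Group[0].Host } }, Count |
    Format-Table -AutoSize

# What's left once the known products are accounted for, most common plugin first
$whatsleft = $tagged | Where-Object Bucket -eq 'Other'
$final_summary = $whatsleft | Group-Object 'Plugin ID' | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Plugin ID'; e = { $_.Name } }, @{ n = 'Name'; e = { $_.Group[0].Name } }
$final_summary | Format-Table -AutoSize

# Host-by-bucket counts: the pivot table without the round trip through Excel
$pivot = $tagged | Group-Object Host | Sort-Object Name | ForEach-Object {
    $row = [ordered]@{ Host = $_.Name }
    foreach ($b in @($buckets.Keys) + 'Other') {
        $row[$b] = @($_.Group | Where-Object Bucket -eq $b).Count
    }
    [pscustomobject]$row
}
$pivot | Format-Table -AutoSize

# Per-host detail for the IT manager; -NoTypeInformation keeps the "#TYPE" header
# line out of the file so Excel imports it cleanly.
$tagged | Select-Object Host, Bucket, 'Plugin ID', Name, Risk | Sort-Object Host, Bucket |
    Export-Csv ./final-summary.csv -NoTypeInformation
```

Swap the ConvertFrom-Csv line for Import-Csv and it runs unchanged against a real export. The first table is the fix list (product per host), $pivot is the host-by-bucket matrix, and $whatsleft is whatever the named buckets did not claim; adding a bucket to the table removes its findings from $whatsleft automatically, which is the step the one-query-at-a-time approach makes easy to get out of sync. Bucket order is the one thing to watch: the "Other" catch-all only works because every earlier test is specific, so put the narrowest patterns first.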

===============
Rob VandenBrink
Compugen

Keywords: Nessus Powershell