upstream/icinga-powershell-framework
1
0
Fork 0
mirror of https://github.com/Icinga/icinga-powershell-framework.git synced 2026-06-10 09:23:39 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix possible security issue in service register

Browse source
This commit is contained in:
Lord Hepipud 2021-07-09 09:14:13 +02:00
parent 75816c2805
commit ddb64146f3
4 changed files with 70 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
doc/10-Knowledge-Base.md
View file

@ -14,3 +14,6 @@ For this reason you will find a list of Icinga knowledge base entries below. Ent
| [IWKB000004](knowledgebase/IWKB000004.md) | Use-Icinga : The 'Use-Icinga' command was found in the module 'icinga-powershell-framework', but the module could not be loaded. For more information, run 'Import-Module icinga-powershell-framework' |
| [IWKB000005](knowledgebase/IWKB000005.md) | powershell.exe : Failed to start service 'Icinga PowerShell Service (icingapowershell)'. |
| [IWKB000006](knowledgebase/IWKB000006.md) | The user you are running this command as does not have permission to access the Windows Update ComObject "Microsoft.Update.Session". |
| [IWKB000007](knowledgebase/IWKB000007.md) | Icinga Director Self-Service API fails with errors. [Error]: The remote host for address "..." could not be resolved [Error]: Failed to connect to your Icinga Director at "...". Please try again. |
| [IWKB000008](knowledgebase/IWKB000008.md) | The EventLog contains many `Perflib`, `PerfNet` and `PerfProc` errors/warnings with EventId `1008`, `2002` and `2004` |
| [IWKB000009](knowledgebase/IWKB000009.md) | The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service |

8
doc/31-Changelog.md
View file

@ -7,6 +7,14 @@ documentation before upgrading to a new release.
Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga-powershell-framework/milestones?state=closed).
## 1.3.2 (2021-07-09)
### Security Fixes
* [#298](https://github.com/Icinga/icinga-powershell-framework/issues/298) Fixes possible security vulnerability on Icinga for Windows service registration, by not quoting the service path on registration
You can read more on this on the [Knowledge Base Entry](https://icinga.com/docs/icinga-for-windows/latest/doc/knowledgebase/IWKB000009/) with further details, on how to apply the fix and test if you are affected.
## 1.3.1 (2021-02-04)
[Issue and PRs](https://github.com/Icinga/icinga-powershell-framework/milestone/12?closed=1)

58
doc/knowledgebase/IWKB000009.md Normal file
View file

@ -0,0 +1,58 @@
# Icinga Knowledge Base - IWKB000009
## Short Message
Security Scanner: The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service
## Reason
The path pointing to the `icinga-service.exe` is not encapsulated inside double quotes `"` during creation. This might open a possible vulnerability and provide a possible attack vector for attackers gaining access to the machine. In worst case, attackers can place a binary file on the location of the path where the whitespace stops. This binary is then executed with the privileges the service is running with, which could cause a security issue.
You can read this [blogpost](http://www.ryanandjeffshow.com/blog/2013/04/05/the-microsoft-windows-unquoted-service-path-vulnerability/) by Jeff Liford to get a better idea on the problem.
## Solution
This is directly fixed within Icinga for Windows v1.3.2, 1.4.2, v1.5.2 and 1.6.0 during the service creation. If you created the service starting with one of these versions, you are not affected.
If not, please update your environment to a version which includes the fix and start a new PowerShell. Afterwards use this code snippet to re-create the service with all your configuration:
```powershell
Use-Icinga;
$IcingaService = Get-CimInstance Win32_Service `
| Where-Object {
$_.Name -eq 'icingapowershell'
} `
| Select-Object Name, StartName, PathName;
if ($null -ne $IcingaService) {
$IfWUser = $IcingaService.StartName;
$IfWPath = $IcingaService.PathName.SubString(0, $IcingaService.PathName.IndexOf(' "'));
if ($IfWPath[0] -eq '"' -And $IfWPath[-1] -eq '"') {
return;
}
Uninstall-IcingaFrameworkService;
Install-IcingaFrameworkService -Path $IfWPath -User $IfWUser;
}
```
## Test Vulnerability
If you want to test if the above fix work or if you are affected by this problem, you can run this script:
```powershell
$IcingaService = Get-CimInstance Win32_Service `
| Where-Object {
$_.Name -eq 'icingapowershell'
} `
| Select-Object Name, StartName, PathName;
$IfWPath = $IcingaService.PathName.SubString(0, $IcingaService.PathName.IndexOf(' "'));
if ($IfWPath.Contains('"')) {
Write-Host -ForegroundColor Green 'Your service installation is secure';
} else {
Write-Host -ForegroundColor Red 'You are possibly affected by a whitespace service vulnerability';
}
```

2
lib/core/framework/Install-IcingaFrameworkService.psm1
View file

@ -61,7 +61,7 @@ function Install-IcingaFrameworkService()
}
$Path = [string]::Format(
'{0} \"{1}\"',
'\"{0}\" \"{1}\"',
$Path,
(Get-IcingaPowerShellModuleFile)
);