CVE-2021-36934 HiveNightmare workaround via Powershell
Hi All,
First time here, I'm a systems admin at a medium sized organisation!
I'm looking to see if anyone has managed to push a workaround for the above vulnerability via the Kace SMA?
There is a write-up from Sophos below.
The suggested workaround from Microsoft is below:
My plan was to push a PowerShell script from Kace to set the permissions, remove existing shadow copies and create a new restore point. I have written a PowerShell script which works fine locally, using the vssadmin command. It fails when running through Kace with an error:
vssadmin.exe : The term 'vssadmin.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
I have tried to explicitly specify the path to VSSAdmin but it still fails:
C:\windows\system32\vssadmin.exe : The term 'C:\windows\system32\vssadmin.exe' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
Alternatively, I have tried the following script from JoranSlingerland. Similarly, this will run fine locally on my PC but not through Kace, still complaining that VSSAdmin
https://github.com/JoranSlingerland/CVE-2021-36934
This still fails to find the vssadmin.exe file, and also is unable to run the WMI commands either.
Where am I going wrong? Has anyone else used Kace SMA to install a workaround for this vulnerability?
TIA :D
More info. Basic script I have tried to run is below:
icacls c:\windows\system32\config\*.* /inheritance:e
vssadmin delete shadows /quiet /all
wmic shadowcopy call create Volume=C:\
Logs:
Output Log
Running as SYSTEM
Checking if registry 'HKEY_LOCAL_MACHINE\SOFTWARE\Kace\KBot Configuration\hiveps' value 'key' is equal to '151' did not succeed: (0)
Setting registry 'HKEY_LOCAL_MACHINE\SOFTWARE\Kace\KBot Configuration\hiveps' value 'key' equal to '152' succeeded
processed file: c:\windows\system32\config\Journal
processed file: c:\windows\system32\config\RegBack
processed file: c:\windows\system32\config\systemprofile
processed file: c:\windows\system32\config\TxR
Successfully processed 4 files; Failed processing 0 files
vssadmin : The term 'vssadmin' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\209\hive.ps1:2 char:1
+ vssadmin delete shadows /quiet /all
+ ~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (vssadmin:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
Executing (Win32_ShadowCopy)->create()
Launched Process: powershell.exe
Activity Log
verify - registry_value_is
Checking if registry 'HKEY_LOCAL_MACHINE\SOFTWARE\Kace\KBot Configuration\hiveps' value 'key' is equal to '151'
verify - set_registry_value
Setting registry 'HKEY_LOCAL_MACHINE\SOFTWARE\Kace\KBot Configuration\hiveps' value 'key' equal to '152'
verify - launch_program
Launching program: 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe' '-executionpolicy bypass -File C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\209\hive.ps1' wait='true'
verify - on_remediation_success
verify - on_remediation_failure
Debug Log
Running kbot: runkbot 209 1628006234
KBotScript::LogScriptInfo - Start id=209 name=hive nightmare Powershell version=1628006234 type=policy execute disconnected=true logged_off=false execute events
KBotScript::LogScriptInfo - Finish
KBotScript::LogScriptInfo - Start id=209 name=hive nightmare Powershell version=1628006234 type=policy execute disconnected=true logged_off=false execute events
KBotScript::LogScriptInfo - Finish
KBotScriptManager::CleanupDependencies - clean up dependencies in kbot directory C:\ProgramData\Quest\KACE\kbots_cache\\packages\kbots\209\
CleanupDependencies: file hive.ps1 is part of the dependency list, keep the file
runkbot ----- launching [path='C:\WINDOWS\System32\WindowsPowerShell\v1.0' program='powershell.exe' parms='-executionpolicy bypass -File C:\ProgramData\Quest\KACE\kbots_cache\packages\kbots\209\hive.ps1' wait='true'] -----
runkbot ----- completed [exitCode=0] -----
Answers (4)
Calling powershell.exe from the sysnative folder failed to run the script at all. However, this has helped me to find the issue!
I added "cd $Env:WinDir\sysnative" to the start of my script, and changed "vssadmin" to .\vssadmin.exe and the script now runs successfully. I also had trouble running wmic commands, so I had to use the explicit path for this too.
It's a bit crude, but here is the script that seems to run without fail:
icacls c:\windows\system32\config\*.* /inheritance:e
cd $Env:WinDir\sysnative
.\vssadmin.exe delete shadows /quiet /all
cd wbem
.\wmic.exe shadowcopy call create Volume=C:\
cd ..
.\vssadmin.exe list shadows
In hindsight, it would probably have been tidier to use:
icacls c:\windows\system32\config\*.* /inheritance:e
cd $Env:WinDir\sysnative
.\vssadmin.exe delete shadows /quiet /all
.\wbem\wmic.exe shadowcopy call create Volume=C:\
.\vssadmin.exe list shadows
Thanks for your help with this, I hope this also helps anyone else who was having trouble patching this vulnerability!
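A more defensive version of the same workaround, added here as an example and not code from the post or the linked repository: it resolves the real 64-bit System32 path once (sysnative only when the host PowerShell is a 32-bit process on 64-bit Windows, which is what the cd in the answer works around), runs the icacls, vssadmin and shadow-copy steps through that path, and then re-checks the SAM hive ACL with Microsoft's published icacls test. It assumes it runs elevated (the Kace agent runs it as SYSTEM) and that CIM/WMI is reachable; the native path is also applied to the config directory itself, because the posted output log shows icacls touching only Journal, RegBack, systemprofile and TxR, which is consistent with the redirected SysWOW64\config rather than the real hives.

```powershell
# Added example (not from the original post): CVE-2021-36934 workaround that
# resolves the real 64-bit System32 path before calling icacls/vssadmin and
# then verifies the SAM ACL. Assumes it runs elevated (e.g. as SYSTEM from an agent).

# A 32-bit host process on 64-bit Windows has System32 redirected to SysWOW64,
# which has no vssadmin.exe and only a stub config directory; 'sysnative' is
# the alias back to the real System32 and exists only inside such a process.
$isWow64 = [Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess
$Native  = Join-Path $env:WinDir $(if ($isWow64) { 'sysnative' } else { 'System32' })

function Test-HiveNightmareExposure {
    # Microsoft's published check: a BUILTIN\Users read ACE on the SAM hive
    # means non-administrators can read it (the vulnerable state).
    $out = & (Join-Path $Native 'icacls.exe') (Join-Path $Native 'config\SAM')
    return [bool](($out | Out-String) -match 'BUILTIN\\Users:\(I\)\(RX\)')
}

function Invoke-HiveNightmareWorkaround {
    $icacls   = Join-Path $Native 'icacls.exe'
    $vssadmin = Join-Path $Native 'vssadmin.exe'

    # 1. Restore ACL inheritance on the hive files (Microsoft's workaround).
    & $icacls (Join-Path $Native 'config\*.*') /inheritance:e | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

    # 2. Delete existing shadow copies; they still hold readable copies of the
    #    hives. An empty shadow store is not treated as a failure here.
    & $vssadmin delete shadows /quiet /all | Out-Null

    # 3. Create a fresh shadow copy through CIM instead of wmic.exe, so no
    #    second executable path has to be resolved from the 32-bit process.
    $r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
             -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
    if ($r.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create returned $($r.ReturnValue)" }

    # True when the SAM hive is no longer readable by BUILTIN\Users.
    return -not (Test-HiveNightmareExposure)
}

$fixed = Invoke-HiveNightmareWorkaround
Write-Output "Running as 32-bit process: $isWow64; native path: $Native; SAM protected: $fixed"
if (-not $fixed) { exit 1 }
```

Exiting non-zero when the ACL check still shows the vulnerable state lets the Kace script report the remediation as failed rather than succeeded on exit code 0 alone, as the posted debug log shows.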
Comments:
Thank you! I've been struggling to build a standard Kace script with tasks. $(KACE_SYS_DIR) as the path works great for icacls, but always returned invalid path for vssadmin. Using %WinDir%\sysnative for vssadmin works perfectly!
Great work finding the correct path! - JonHall 3 years ago
I used Justin's path info to build a standard Kace script with tasks. It will fail if there aren't any shadows present, but I'm not too concerned about false failures. I think the two icacls commands are necessary, but I'm not positive on that. The first appeared to clear the High vulnerability, and the second cleared the Medium one.