Bryan Owen

“Oh no, clear text password – Powershell to the rescue”

Blog Post created by Bryan Owen on Mar 9, 2009

Some of you may be aware of the “Cyber Security Audit and Attack Detection Toolkit” research project at Digitalbond. The audit component of the project works with the Nessus vulnerability scanner to assess policy compliance across both host- and application-specific settings.

One part of the checks for PI examines SMT tuning parameters (a.k.a. the PI timeout table). A PIconfig script is used to export the table. In a catch-22 kind of way, PIconfig prompts for a password when the system is set to “checkutilitylogin”. Thus you could expect to find a clear text password in any PIconfig script built for unattended execution.

Restricted permissions on the script file offer some protection, but we can do better with Powershell.

#initialize local variables
...snip…

# if no password file, prompt for the password and save the protected file
if (-not(Test-Path $pwfile)) {
    $bytes = read-host "Enter PI password for $piuser to generate security audit data" -assecurestring
    # ConvertFrom-SecureString with no -Key protects the string with DPAPI under the current user
    $bytes | ConvertFrom-SecureString | Set-Content $pwfile -force
}

# read the password file back into a SecureString
$bytes = get-content $pwfile | ConvertTo-SecureString
# recover the plaintext so it can be passed to PIconfig
$pipass = [Runtime.InteropServices.Marshal]::PtrToStringAuto([Runtime.InteropServices.Marshal]::SecureStringToBSTR($bytes))

# run the export script through cmd so PIconfig's own exit is honoured
$picmd = "start /b /wait $piconfig input $bandolier\secaudit-piconfig-timeouts.txt exit -localuser $piuser -localpass $pipass"
cmd /c $picmd


Powershell secure strings use the Windows Data Protection API (DPAPI). By default the protection key is tied to the current user context, so it’s important that the scheduled task runs as the same user account that initially generated the password file.
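As an added example (not code from the original post), here is the same pattern wrapped in functions: the file is created on first use with DPAPI under the current user's key, a check reports whether the file decrypts under the account the task actually runs as, and the unmanaged BSTR holding the decrypted password is zeroed after use. The file path, PI user name, $bandolier, and the piconfig.exe path are assumed placeholders.

```powershell
# Added example, not code from the original post: the DPAPI-protected
# password file pattern wrapped in functions. Paths, the PI user name,
# $bandolier and the piconfig invocation are placeholders/assumptions.
$pwfile    = Join-Path $env:APPDATA 'secaudit-pi.pwd'   # assumed location
$piuser    = 'piaudit'                                  # hypothetical PI user
$bandolier = 'C:\bandolier'                             # assumed script dir
$piconfig  = 'C:\Program Files\PI\adm\piconfig.exe'     # assumed path

function Get-ProtectedPassword {
    # Creates the file on first use and returns the password as a SecureString.
    # ConvertFrom-SecureString without -Key uses DPAPI with the current user's
    # key, so only the same Windows account can convert the file back.
    param([string]$Path, [string]$User)
    if (-not (Test-Path $Path)) {
        $secure = Read-Host "Enter PI password for $User" -AsSecureString
        $secure | ConvertFrom-SecureString | Set-Content $Path -Force
    }
    Get-Content $Path | ConvertTo-SecureString
}

function Test-ProtectedPasswordFile {
    # $true only if the file decrypts under the current account. Run this as
    # the scheduled task's identity to catch a wrong-user mismatch early.
    param([string]$Path)
    try {
        $null = Get-Content $Path -ErrorAction Stop | ConvertTo-SecureString -ErrorAction Stop
        $true
    } catch { $false }
}

function Use-PlainPassword {
    # Hands the plaintext to $Action, then zeroes and frees the unmanaged
    # BSTR so the decrypted copy does not linger after the call.
    param([securestring]$Secure, [scriptblock]$Action)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { & $Action ([Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

if ((Test-Path $pwfile) -and -not (Test-ProtectedPasswordFile $pwfile)) {
    throw "$pwfile exists but cannot be decrypted: it was protected under a different user account"
}
$secure = Get-ProtectedPassword -Path $pwfile -User $piuser
Use-PlainPassword -Secure $secure -Action {
    param($pipass)
    # same PIconfig arguments as the post's snippet, invoked directly instead of via cmd /c
    & $piconfig input "$bandolier\secaudit-piconfig-timeouts.txt" exit -localuser $piuser -localpass $pipass
}
```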

Given the power of Powershell and the lessons learned from exploitation of the Windows Script Host environment, it’s no surprise that script execution is disabled by default!