rookie

CVE-2019-1182 Remediation Monitor + Script


Posted (edited)

Hey all,

I've been active in the community for a few years now but have never really posted in the forums. I've put together a script/remote monitor to address the latest RDP vulnerability from Microsoft and figured I've learned enough from the MSPGeek community that it can't hurt to give some back. This first link is a SQL inject that will create a remote monitor on your "Service Plans\Windows Servers\Managed 24x7" and "Service Plans\Windows Workstations\Managed 8x5" groups. The groups it installs the monitor on are just defined on the inject with the GroupID, so if you just look at the inject it's easy to change that GroupID to whatever you want before you run it.

!!!WARNING!!!! - You're running a SQL inject on your DB...this can be dangerous, proceed at your own risk. Read through the inject, make sure you're comfortable with what it's doing. This monitor is also live pulling a powershell script from MY github. This means if I decided to have a bad day and change the powershell script in my github to something malicious then I could effectively run my malicious code on ALL of your machines. I'm not malicious, but ya know...be smart, be safe! Feel free to host the powershell script at your own location and just swap the URL on the monitor. Lastly, I've tested this on several machines in my environment, but that doesn't mean there can't be an issue I haven't run into yet. If you find a problem, let me know so I can fix it!

 

Download Links

SQL Inject: https://github.com/dkbrookie/Automate-Public/blob/master/CVE/CVE-2019-1182/SQL/CVE-2019-1182_Remediation.sql
Powershell: https://github.com/dkbrookie/Automate-Public/blob/master/CVE/CVE-2019-1182/Powershell/CVE-2019-1182.ps1
 

 

Script breakdown...

This script is outputting either !ERROR:, !WARNING:, or !SUCCESS: with details on the state of the install process. If you set the monitor alert template to create a ticket (I have it set to Default - Do Nothing, so just change it to what you want) it will output the Powershell results right into the ticket. The keywords from the script output above are for use in a state-based remote monitor in Automate, so this will go through what that looks like briefly.

  • The script checks the OS of the machine and figures out the correct KB number it needs to have installed to patch this vulnerability. Once it finds the right KB, it checks to see if the KB is installed or not. If it's not installed, it will install it with no reboot so this is safe to run mid-day. That means right from the monitor CHECK it is actually installing the remediation, so there is no separate script attached. The patch download/install is all self contained in the monitor check itself.
  • !FAILED: will only output if the machine is eligible to receive the CVE-2019-1182 patch and something in the script actually failed and needs attention
  • !WARNING: will only output if the machine is not eligible for the CVE-2019-1182 patch. The reason I've chosen all of the managed servers/workstations groups is so you can highlight all of the machines quickly/easily in WARNING state that do not have this patch available to them. This would be a good time to use this as leverage to get your clients to upgrade some machines :)
  • !SUCCESS: will only output if the patch has been verified to be installed

 

Monitor breakdown...

  • The monitor will be named "CVE-2019-1182 Remediation"
  • The monitor runs every 4hrs but you can change this to whatever you want
  • FAILED state: Looks for the keyword "!ERROR:" from the powershell output
  • WARNING state: Looks for the keyword "!WARNING:" from the powershell output
  • SUCCESS state: Looks for the keyword "!SUCCESS:" from the powershell output

 

Enjoy!

 

-Rookie


Waking up to a love letter from @rookie. I knew today was going to be a good day.

FYI - Rookie is a hidden gem in the MSP community. Slide into his slack DMs with an Automate related love offering and he's bound to return the favor. 😉


Very nice!

My only concern is that Get-CimInstance doesn't appear to be supported on earlier Powershell versions, which caused the script to fail on some of my Windows 7 machines.

$osVers = (Get-CimInstance Win32_OperatingSystem).Caption

Can be replaced with 

$osVers = (Get-WmiObject win32_operatingsystem).Caption

 


FYI, I was unsuccessful at importing the SQL statement. Could you please provide some screenshots of the actual monitor so I could manually create it instead, as I am having trouble deciphering some of the SQL to allow me to recreate it.

I also tried modifying the following line with no luck.

/*GroupID*/856 /* 856 is the group ID for "Service Plans\Windows Servers\Managed 24x7" */
to
/*GroupID*/,856 /* 856 is the group ID for "Service Plans\Windows Servers\Managed 24x7" */

NOTE: I am on hosted automate w/CW and no longer have direct access to SQL to view any errors.


I am also unsuccessful at importing.

Can't see the monitor anywhere although it looks like it is importing. I am hosted too. Did we lose the ability to import SQL? Had no problems before.

On 8/17/2019 at 2:10 PM, HickBoy said:

FYI, I was unsuccessful at importing the SQL statement. Could you please provide some screenshots of the actual monitor so I could manually create it instead, as I am having trouble deciphering some of the SQL to allow me to recreate it.

I also tried modifying the following line with no luck.


/*GroupID*/856 /* 856 is the group ID for "Service Plans\Windows Servers\Managed 24x7" */
to
/*GroupID*/,856 /* 856 is the group ID for "Service Plans\Windows Servers\Managed 24x7" */

NOTE: I am on hosted automate w/CW and no longer have direct access to SQL to view any errors.

Yeah @HickBoy it's sounding like everyone hosted isn't able to run this...weird. Anyway, adding that comma before the group ID will not work...that group ID is the first value, so there would be no comma, since the comma is the separator to define multiple different values for different columns.

 

On 8/17/2019 at 8:29 PM, Namik said:

I am also unsuccessful at importing.

Can't see the monitor anywhere although it looks like it is importing. I am hosted too. Did we lose the ability to import SQL? Had no problems before.

Okay @Namik make an EXE monitor and use this line...

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "& {(new-object Net.WebClient).DownloadString('https://raw.githubusercontent.com/dkbrookie/Automate-Public/master/CVE/CVE-2019-1182/Powershell/CVE-2019-1182.ps1') | iex}"

See the rest of the settings here in this screenshot: https://gyazo.com/208dd0394e75eef7ec202553da7a126f
 

 

On 8/16/2019 at 4:24 PM, chris_bb said:

Very nice!

My only concern is that Get-CimInstance doesn't appear to be supported on earlier Powershell versions, which caused the script to fail on some of my Windows 7 machines.


$osVers = (Get-CimInstance Win32_OperatingSystem).Caption

Can be replaced with 


$osVers = (Get-WmiObject win32_operatingsystem).Caption

 

Nice! Will test this out, thanks @chris_bb!

 

On 8/16/2019 at 8:52 AM, bigdog09 said:

Waking up to a love letter from @rookie. I knew today was going to be a good day.

FYI - Rookie is a hidden gem in the MSP community. Slide into his slack DMs with an Automate related love offering and he's bound to return the favor. 😉

❤️ you bigwoof @bigdog09

 

-Rookie

Posted (edited)
Insert INTO
    groupagents (
        GroupdID
        ,SearchID
        ,Name

The SQL statement has a typo on GroupID. Might also be good to add quotes around the Name column (`Name`).

1 hour ago, Joe.McCall said:

Insert INTO
    groupagents (
        GroupdID
        ,SearchID
        ,Name

The SQL statement has a typo on GroupID. Might also be good to add quotes around the Name column (`Name`).

Ahh thanks man. This is fixed. On the Name one I usually do `Name` but when I SQLSpy'd the inject for a monitor from Automate it was just Name and not `Name` so I just directly copied/adapted it /shrug

20 minutes ago, rookie said:

Ahh thanks man. This is fixed. On the Name one I usually do `Name` but when I SQLSpy'd the inject for a monitor from Automate it was just Name and not `Name` so I just directly copied/adapted it /shrug

It went through fine without the quotes on MariaDB, but I noticed it highlighted in SQLyog so I figured I would mention it, in case there are potential issues with other MySQL versions.

On 8/19/2019 at 3:20 PM, Joe.McCall said:

It went through fine without the quotes on MariaDB, but I noticed it highlighted in SQLyog so I figured I would mention it, in case there are potential issues with other MySQL versions.

@Joe.McCall nice, good to hear. Yeah I might change it just for OCD sake at some point haha.

 

10 hours ago, Namik said:

Thank you @rookie Excellent work!

@Namik Thanks! No problem!


When I run this monitor and point it at your code, or at my copy of your code in my GitHub, it errors out. I get this on the monitor:

Failed Result:Get-HotFix : Cannot find the requested hotfix on the 'localhost' computer. Verify the input and run the command again.
At line:101 char:7
  If (!(Get-HotFix -Id $kb)) {
        ~~~~~~~~~~~~~~~~~~
      CategoryInfo          : ObjectNotFound: (:) [Get-HotFix], ArgumentException
      FullyQualifiedErrorId : GetHotFixNoEntriesFound,Microsoft.PowerShell.Commands.GetHotFixCommand
 
Get-HotFix : Cannot find the requested hotfix on the 'localhost' computer. Verify the input and run the command again.
At line:112 char:15
          If (!(Get-HotFix -Id $kb)) {
                ~~~~~~~~~~~~~~~~~~
      CategoryInfo          : ObjectNotFound: (:) [Get-HotFix], ArgumentException
      FullyQualifiedErrorId : GetHotFixNoEntriesFound,Microsoft.PowerShell.Commands.GetHotFixCommand
 
WARNING: !ERROR: kb4511553 install was attempted but did not show installed after it was executed, may need to be 
investiagted.
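Added example, not rookie's script from the thread: a minimal version of the check the script breakdown in the first post describes (OS lookup, KB lookup, installed check, keyword output for the state-based monitor), with the Get-HotFix call quieted so a missing KB does not produce the error text shown in this post, and with the Get-WmiObject fallback chris_bb suggested for older PowerShell. The KB table holds only KB4511553, the one KB named in this thread; its mapping to Windows 10 1809 / Server 2019 and the $MsuPath parameter are assumptions, and the remaining OS entries must be filled from Microsoft's advisory.

```powershell
# Added example, not the thread's script. Emits !SUCCESS:/!WARNING:/!ERROR: for an Automate
# state-based monitor. $MsuPath is a hypothetical parameter: an already-downloaded .msu to install.
param([string]$MsuPath)

# OS key -> KB. Only KB4511553 comes from the thread; tying it to 1809/Server 2019 is an assumption.
# Every other OS this CVE affects still needs its own entry from Microsoft's advisory.
$kbTable = @{
    'Windows 10 1809'               = 'KB4511553'
    'Microsoft Windows Server 2019' = 'KB4511553'
}

function Get-OsCaption {
    # Get-CimInstance does not exist on PowerShell 2.0 (Windows 7), so fall back to Get-WmiObject.
    if (Get-Command Get-CimInstance -ErrorAction SilentlyContinue) {
        return (Get-CimInstance Win32_OperatingSystem).Caption
    }
    return (Get-WmiObject Win32_OperatingSystem).Caption
}

function Get-RequiredKb([string]$Caption) {
    # Windows 10 needs the ReleaseId (1809, 1903, ...) because each build has its own cumulative update.
    $releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -ErrorAction SilentlyContinue).ReleaseId
    $key = if ($Caption -like '*Windows 10*') { "Windows 10 $releaseId" }
           else { $Caption -replace ' (Standard|Datacenter|Enterprise|Pro|Home|Ultimate).*$', '' }
    if ($kbTable.ContainsKey($key)) { return $kbTable[$key] }
    return $null
}

function Test-KbInstalled([string]$Kb) {
    # Get-HotFix -Id writes a non-terminating error when the KB is absent (the noise in the monitor
    # output above); SilentlyContinue turns the absence into a clean $false instead.
    return [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

$caption = Get-OsCaption
$kb = Get-RequiredKb $caption
if (-not $kb) { Write-Output "!WARNING: no CVE-2019-1182 KB in the table for '$caption'"; exit 0 }
if (Test-KbInstalled $kb) { Write-Output "!SUCCESS: $kb is installed"; exit 0 }

if ($MsuPath -and (Test-Path $MsuPath)) {
    # wusa.exe /quiet /norestart installs without prompting or rebooting, so this is safe mid-day.
    Start-Process wusa.exe -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait
    if (Test-KbInstalled $kb) { Write-Output "!SUCCESS: $kb installed"; exit 0 }
    Write-Output "!ERROR: $kb install was attempted but does not show as installed"; exit 1
}
Write-Output "!ERROR: $kb is missing and no .msu was supplied to install it"
exit 1
```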
 

