Open-AudIT

What's on your network?
It is currently Mon Jan 22, 2018 2:10 pm

All times are UTC + 10 hours




Post new topic Reply to topic  [ 7 posts ] 
Author Message
PostPosted: Fri May 15, 2015 6:38 pm 
Offline
Newbie

Joined: Tue May 12, 2015 12:34 am
Posts: 7
Location: Somerset UK
Hi,

not sure if this is the right place but I am evaluating Open Audit for our company and found that the audit_windows.vbs script was crashing out when trying to audit an old server 2008 machine.

Bit of digging and found a problem where it is enumerating the group memberships.

They had a user in one of the groups '\Everyone' in one of the groups and it obviously couldn't handle the missing domain part and was crashing out at the "if objGroup.name = objItem.Name then" code snippet below.

for Each objItem in colItems
users = ""
set objDSO = GetObject("WinNT:")
set colGroups = objDSO.OpenDSObject("WinNT://" & system_hostname & "", struser, strpass, ADS_USE_ENCRYPTION OR ADS_SECURE_AUTHENTICATION)
colGroups.Filter = Array("group")
group_members = ""
for Each objGroup In colGroups
if objGroup.Name = objItem.Name then

Quick fix - remove that 'user' from the group - which shouldnt have been there anyhow! but is this something that could be trapped for easily?

SteveP


Top
 Profile  
Reply with quote  
PostPosted: Sat May 16, 2015 4:28 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1226
Probably an easy fix but I'm having a little trouble figuring out what happened from your report. Do you happen to have the output of the actual error message with the line number. I can't see the script crashing on an if comparison line. I would have expected it to crash at line 3223:
Code:
member_domain = group_domain(ubound(group_domain)-1)


At least I suspect that. I'm having trouble replicating this because I can't create users with these illegal characters. Probably my limitation.

Or maybe it did die on that line because objGroup.Name died. My main problem is I can't replicate it.


Top
 Profile  
Reply with quote  
PostPosted: Mon May 18, 2015 7:11 pm 
Offline
Newbie

Joined: Tue May 12, 2015 12:34 am
Posts: 7
Location: Somerset UK
jpa wrote:
Probably an easy fix but I'm having a little trouble figuring out what happened from your report. Do you happen to have the output of the actual error message with the line number. I can't see the script crashing on an if comparison line. I would have expected it to crash at line 3223:
Code:
member_domain = group_domain(ubound(group_domain)-1)


At least I suspect that. I'm having trouble replicating this because I can't create users with these illegal characters. Probably my limitation.

Or maybe it did die on that line because objGroup.Name died. My main problem is I can't replicate it.

Unfortunately I dont have the output any more! My bad should have taken a copy!
But I 'hacked' the vbs script putting debug statements in and it would always bomb out at "for each objUser in objGroup.Members"

So what was happening was that I would see the output 'Inner Loop' and 'In if' but it would error before i got to the 'inner for' which is what lead me to believe that the problem was at the 'for each objUser in objGroup.Members'

This is the debug code:

Code:
for Each objGroup In colGroups
            wscript.echo "Inner loop"
            if objGroup.Name = objItem.Name then
               wscript.echo "In if  " & objGroup.Name
               for each objUser in objGroup.Members
                  wscript.echo "inner For:"


Top
 Profile  
Reply with quote  
PostPosted: Mon May 18, 2015 7:17 pm 
Offline
Newbie

Joined: Tue May 12, 2015 12:34 am
Posts: 7
Location: Somerset UK
jpa wrote:
Probably an easy fix but I'm having a little trouble figuring out what happened from your report. Do you happen to have the output of the actual error message with the line number. I can't see the script crashing on an if comparison line. I would have expected it to crash at line 3223:
Code:
member_domain = group_domain(ubound(group_domain)-1)


At least I suspect that. I'm having trouble replicating this because I can't create users with these illegal characters. Probably my limitation.

Or maybe it did die on that line because objGroup.Name died. My main problem is I can't replicate it.

OK reproduced it by adding the \everyone local user back in.

the output from the script is:
Code:
Inner loop
In if  Remote Desktop Users
inner For:
 Group Domain:
Member domain NT AUTHORITY
inner For:
 Group Domain:
Member domain NT AUTHORITY
inner For:
 Group Domain:
Member domain NT AUTHORITY
inner For:
 Group Domain:
Member domain NT AUTHORITY


I then get the 'Console Based Script Host' error:
Problem signature:
Problem Event Name: APPCRASH
Application Name: cscript.exe
Application Version: 5.8.9600.17415
Application Timestamp: 54504e52
Fault Module Name: adsnt.dll
Fault Module Version: 6.3.9600.17415
Fault Module Timestamp: 54505098
Exception Code: c0000005
Exception Offset: 0000000000001b03
OS Version: 6.3.9600.2.0.0.272.7
Locale ID: 2057
Additional Information 1: f3d5
Additional Information 2: f3d5371ac62cc58f19027b6adc3cca81
Additional Information 3: ac26
Additional Information 4: ac261e171fafcb7de8e1ec7a723e01d9

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=280262

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt


Hope that helps!


Top
 Profile  
Reply with quote  
PostPosted: Tue May 19, 2015 9:26 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1226
OK, but I'm an idiot so how are you creating your "\everone" user?


Top
 Profile  
Reply with quote  
PostPosted: Tue May 19, 2015 8:30 pm 
Offline
Newbie

Joined: Tue May 12, 2015 12:34 am
Posts: 7
Location: Somerset UK
jpa wrote:
OK, but I'm an idiot so how are you creating your "\everone" user?


Ok to add a 'local' user to a group

Server Manager
Expand Configuration
Expand Local Users and Groups
Select Groups
In right hand pane double click 'Remote Desktop users'
Click Add
Click locations and select the local server rather than the domain and click OK
in the Enter the object name to select box enter 'everyone' and click 'Check Names' and then click 'OK'

this should put '\everyone' in the member list
click OK to get back to close the dialog.


Top
 Profile  
Reply with quote  
PostPosted: Wed May 20, 2015 7:06 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1226
Thanks, I get it now. We are adding the Everyone group to another group.

So I replicated this and the easiest fix is to remove the group as you did. The crash only happens when using struser/strpass against a remote computer and from what I can tell is not a crash that vbscript can trap or ignore. It looks like the crash happens when accessing objGroup.Members.

I don't have the time to figure out a workaround (if any.) And we don't use struser/strpass or have "Everyone" in any of our groups so we're not affected. Hopefully someone else can step in.

Minimized code for testing:
Code:
strcomputer = "computer"
system_hostname = strcomputer
struser = "computer\Administrator"
strpass = "password"
Const wbemConnectFlagUseMaxWait = 128

Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_ENCRYPTION    = 2


Set wmiLocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = wmiLocator.ConnectServer(strcomputer, "\root\cimv2",struser,strpass, "", "", wbemConnectFlagUseMaxWait)
set colItems = objWMIService.ExecQuery("Select * from Win32_Group where Domain = '" & system_hostname & "'",,32)
for Each objItem in colItems
   'wscript.echo "colItems name: " & objItem.Name
   set objDSO = GetObject("WinNT:")
   set colGroups = objDSO.OpenDSObject("WinNT://" & system_hostname & "", struser, strpass, ADS_USE_ENCRYPTION OR ADS_SECURE_AUTHENTICATION )
   colGroups.Filter = Array("group")
   group_members = ""
   for Each objGroup In colGroups
      if objGroup.Name = objItem.Name then
         for each objUser in objGroup.Members
            wscript.echo "ADSPath: " & objUser.ADSPath
            group_domain = split(objUser.ADSPath, "/")
            member_domain = group_domain(ubound(group_domain)-1)
            group_members = group_members & objUser.Name & "@" & member_domain & ", "
         next
      end if
   next
next


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 7 posts ] 

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 9 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group