Registrations to Open-AudIT forums are now closed. To ask any new questions please visit Opmantek Community Questions.

Open-AudIT

What's on your network?
It is currently Fri Mar 29, 2024 2:23 am

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 7 posts ] 
Author Message
PostPosted: Fri May 15, 2015 6:38 pm 
Offline
Newbie

Joined: Tue May 12, 2015 12:34 am
Posts: 7
Location: Somerset UK
Hi,

not sure if this is the right place but I am evaluating Open Audit for our company and found that the audit_windows.vbs script was crashing out when trying to audit an old server 2008 machine.

Bit of digging and found a problem where it is enumerating the group memberships.

They had a user in one of the groups '\Everyone' in one of the groups and it obviously couldn't handle the missing domain part and was crashing out at the "if objGroup.name = objItem.Name then" code snippet below.

for Each objItem in colItems
users = ""
set objDSO = GetObject("WinNT:")
set colGroups = objDSO.OpenDSObject("WinNT://" & system_hostname & "", struser, strpass, ADS_USE_ENCRYPTION OR ADS_SECURE_AUTHENTICATION)
colGroups.Filter = Array("group")
group_members = ""
for Each objGroup In colGroups
if objGroup.Name = objItem.Name then

Quick fix - remove that 'user' from the group - which shouldnt have been there anyhow! but is this something that could be trapped for easily?

SteveP


Top
 Profile  
Reply with quote  
PostPosted: Sat May 16, 2015 4:28 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Probably an easy fix but I'm having a little trouble figuring out what happened from your report. Do you happen to have the output of the actual error message with the line number. I can't see the script crashing on an if comparison line. I would have expected it to crash at line 3223:
[code]member_domain = group_domain(ubound(group_domain)-1)[/code]

At least I suspect that. I'm having trouble replicating this because I can't create users with these illegal characters. Probably my limitation.

Or maybe it did die on that line because objGroup.Name died. My main problem is I can't replicate it.


Top
 Profile  
Reply with quote  
PostPosted: Mon May 18, 2015 7:11 pm 
Offline
Newbie

Joined: Tue May 12, 2015 12:34 am
Posts: 7
Location: Somerset UK
[quote="jpa"]Probably an easy fix but I'm having a little trouble figuring out what happened from your report. Do you happen to have the output of the actual error message with the line number. I can't see the script crashing on an if comparison line. I would have expected it to crash at line 3223:
[code]member_domain = group_domain(ubound(group_domain)-1)[/code]

At least I suspect that. I'm having trouble replicating this because I can't create users with these illegal characters. Probably my limitation.

Or maybe it did die on that line because objGroup.Name died. My main problem is I can't replicate it.

Unfortunately I dont have the output any more! My bad should have taken a copy!
But I 'hacked' the vbs script putting debug statements in and it would always bomb out at "for each objUser in objGroup.Members"

So what was happening was that I would see the output 'Inner Loop' and 'In if' but it would error before i got to the 'inner for' which is what lead me to believe that the problem was at the 'for each objUser in objGroup.Members'

This is the debug code:

[code]for Each objGroup In colGroups
wscript.echo "Inner loop"
if objGroup.Name = objItem.Name then
wscript.echo "In if " & objGroup.Name
for each objUser in objGroup.Members
wscript.echo "inner For:"[/code]

Top
 Profile  
Reply with quote  
PostPosted: Mon May 18, 2015 7:17 pm 
Offline
Newbie

Joined: Tue May 12, 2015 12:34 am
Posts: 7
Location: Somerset UK
[quote="jpa"]Probably an easy fix but I'm having a little trouble figuring out what happened from your report. Do you happen to have the output of the actual error message with the line number. I can't see the script crashing on an if comparison line. I would have expected it to crash at line 3223:
[code]member_domain = group_domain(ubound(group_domain)-1)[/code]

At least I suspect that. I'm having trouble replicating this because I can't create users with these illegal characters. Probably my limitation.

Or maybe it did die on that line because objGroup.Name died. My main problem is I can't replicate it.

OK reproduced it by adding the \everyone local user back in.

the output from the script is:
[code]Inner loop
In if Remote Desktop Users
inner For:
Group Domain:
Member domain NT AUTHORITY
inner For:
Group Domain:
Member domain NT AUTHORITY
inner For:
Group Domain:
Member domain NT AUTHORITY
inner For:
Group Domain:
Member domain NT AUTHORITY[/code]

I then get the 'Console Based Script Host' error:
Problem signature:
Problem Event Name: APPCRASH
Application Name: cscript.exe
Application Version: 5.8.9600.17415
Application Timestamp: 54504e52
Fault Module Name: adsnt.dll
Fault Module Version: 6.3.9600.17415
Fault Module Timestamp: 54505098
Exception Code: c0000005
Exception Offset: 0000000000001b03
OS Version: 6.3.9600.2.0.0.272.7
Locale ID: 2057
Additional Information 1: f3d5
Additional Information 2: f3d5371ac62cc58f19027b6adc3cca81
Additional Information 3: ac26
Additional Information 4: ac261e171fafcb7de8e1ec7a723e01d9

Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=280262

If the online privacy statement is not available, please read our privacy statement offline:
C:\Windows\system32\en-US\erofflps.txt


Hope that helps!

Top
 Profile  
Reply with quote  
PostPosted: Tue May 19, 2015 9:26 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
OK, but I'm an idiot so how are you creating your "\everone" user?


Top
 Profile  
Reply with quote  
PostPosted: Tue May 19, 2015 8:30 pm 
Offline
Newbie

Joined: Tue May 12, 2015 12:34 am
Posts: 7
Location: Somerset UK
[quote="jpa"]OK, but I'm an idiot so how are you creating your "\everone" user?


Ok to add a 'local' user to a group

Server Manager
Expand Configuration
Expand Local Users and Groups
Select Groups
In right hand pane double click 'Remote Desktop users'
Click Add
Click locations and select the local server rather than the domain and click OK
in the Enter the object name to select box enter 'everyone' and click 'Check Names' and then click 'OK'

this should put '\everyone' in the member list
click OK to get back to close the dialog.

Top
 Profile  
Reply with quote  
PostPosted: Wed May 20, 2015 7:06 am 
Offline
Moderator

Joined: Fri Jul 20, 2007 8:27 am
Posts: 1259
Thanks, I get it now. We are adding the Everyone group to another group.

So I replicated this and the easiest fix is to remove the group as you did. The crash only happens when using struser/strpass against a remote computer and from what I can tell is not a crash that vbscript can trap or ignore. It looks like the crash happens when accessing objGroup.Members.

I don't have the time to figure out a workaround (if any.) And we don't use struser/strpass or have "Everyone" in any of our groups so we're not affected. Hopefully someone else can step in.

Minimized code for testing:
[code]strcomputer = "computer"
system_hostname = strcomputer
struser = "computer\Administrator"
strpass = "password"
Const wbemConnectFlagUseMaxWait = 128

Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_ENCRYPTION = 2


Set wmiLocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = wmiLocator.ConnectServer(strcomputer, "\root\cimv2",struser,strpass, "", "", wbemConnectFlagUseMaxWait)
set colItems = objWMIService.ExecQuery("Select * from Win32_Group where Domain = '" & system_hostname & "'",,32)
for Each objItem in colItems
'wscript.echo "colItems name: " & objItem.Name
set objDSO = GetObject("WinNT:")
set colGroups = objDSO.OpenDSObject("WinNT://" & system_hostname & "", struser, strpass, ADS_USE_ENCRYPTION OR ADS_SECURE_AUTHENTICATION )
colGroups.Filter = Array("group")
group_members = ""
for Each objGroup In colGroups
if objGroup.Name = objItem.Name then
for each objUser in objGroup.Members
wscript.echo "ADSPath: " & objUser.ADSPath
group_domain = split(objUser.ADSPath, "/")
member_domain = group_domain(ubound(group_domain)-1)
group_members = group_members & objUser.Name & "@" & member_domain & ", "
next
end if
next
next[/code]


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 7 posts ] 

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group