Open-AudIT
https://www.open-audit.org/phpBB3/

Open Audit 1.6.4 issue auditing old Server 2008 server
https://www.open-audit.org/phpBB3/viewtopic.php?f=20&t=6442

Author:  Geascian [ Fri May 15, 2015 6:38 pm ]
Post subject:  Open Audit 1.6.4 issue auditing old Server 2008 server

Hi,

not sure if this is the right place but I am evaluating Open Audit for our company and found that the audit_windows.vbs script was crashing out when trying to audit an old server 2008 machine.

Bit of digging and found a problem where it is enumerating the group memberships.

They had a user '\Everyone' in one of the groups and it obviously couldn't handle the missing domain part and was crashing out at the "if objGroup.name = objItem.Name then" code snippet below.

[code]for Each objItem in colItems
    users = ""
    set objDSO = GetObject("WinNT:")
    set colGroups = objDSO.OpenDSObject("WinNT://" & system_hostname & "", struser, strpass, ADS_USE_ENCRYPTION OR ADS_SECURE_AUTHENTICATION)
    colGroups.Filter = Array("group")
    group_members = ""
    for Each objGroup In colGroups
        if objGroup.Name = objItem.Name then[/code]

Quick fix - remove that 'user' from the group - which shouldn't have been there anyhow! But is this something that could be trapped for easily?

SteveP

Author:  jpa [ Sat May 16, 2015 4:28 am ]
Post subject:  Re: Open Audit 1.6.4 issue auditing old Server 2008 server

Probably an easy fix but I'm having a little trouble figuring out what happened from your report. Do you happen to have the output of the actual error message with the line number? I can't see the script crashing on an if comparison line. I would have expected it to crash at line 3223:
[code]member_domain = group_domain(ubound(group_domain)-1)[/code]

At least I suspect that. I'm having trouble replicating this because I can't create users with these illegal characters. Probably my limitation.

Or maybe it did die on that line because objGroup.Name died. My main problem is I can't replicate it.

Author:  Geascian [ Mon May 18, 2015 7:11 pm ]
Post subject:  Re: Open Audit 1.6.4 issue auditing old Server 2008 server

[quote="jpa"]Probably an easy fix but I'm having a little trouble figuring out what happened from your report. Do you happen to have the output of the actual error message with the line number? I can't see the script crashing on an if comparison line. I would have expected it to crash at line 3223:
[code]member_domain = group_domain(ubound(group_domain)-1)[/code]

At least I suspect that. I'm having trouble replicating this because I can't create users with these illegal characters. Probably my limitation.

Or maybe it did die on that line because objGroup.Name died. My main problem is I can't replicate it.[/quote]
Unfortunately I don't have the output any more! My bad, should have taken a copy!
But I 'hacked' the vbs script putting debug statements in and it would always bomb out at "for each objUser in objGroup.Members"

So what was happening was that I would see the output 'Inner Loop' and 'In if' but it would error before I got to the 'inner for', which is what led me to believe that the problem was at the 'for each objUser in objGroup.Members'

This is the debug code:

[code]for Each objGroup In colGroups
    wscript.echo "Inner loop"
    if objGroup.Name = objItem.Name then
        wscript.echo "In if " & objGroup.Name
        for each objUser in objGroup.Members
            wscript.echo "inner For:"[/code]

Author:  Geascian [ Mon May 18, 2015 7:17 pm ]
Post subject:  Re: Open Audit 1.6.4 issue auditing old Server 2008 server

[quote="jpa"]Probably an easy fix but I'm having a little trouble figuring out what happened from your report. Do you happen to have the output of the actual error message with the line number? I can't see the script crashing on an if comparison line. I would have expected it to crash at line 3223:
[code]member_domain = group_domain(ubound(group_domain)-1)[/code]

At least I suspect that. I'm having trouble replicating this because I can't create users with these illegal characters. Probably my limitation.

Or maybe it did die on that line because objGroup.Name died. My main problem is I can't replicate it.[/quote]
OK reproduced it by adding the \everyone local user back in.

the output from the script is:
[code]Inner loop
In if Remote Desktop Users
inner For:
Group Domain:
Member domain NT AUTHORITY
inner For:
Group Domain:
Member domain NT AUTHORITY
inner For:
Group Domain:
Member domain NT AUTHORITY
inner For:
Group Domain:
Member domain NT AUTHORITY[/code]

I then get the 'Console Based Script Host' error:
[code]Problem signature:
Problem Event Name: APPCRASH
Application Name: cscript.exe
Application Version: 5.8.9600.17415
Application Timestamp: 54504e52
Fault Module Name: adsnt.dll
Fault Module Version: 6.3.9600.17415
Fault Module Timestamp: 54505098
Exception Code: c0000005
Exception Offset: 0000000000001b03
OS Version: 6.3.9600.2.0.0.272.7
Locale ID: 2057
Additional Information 1: f3d5
Additional Information 2: f3d5371ac62cc58f19027b6adc3cca81
Additional Information 3: ac26
Additional Information 4: ac261e171fafcb7de8e1ec7a723e01d9[/code]


Hope that helps!

Author:  jpa [ Tue May 19, 2015 9:26 am ]
Post subject:  Re: Open Audit 1.6.4 issue auditing old Server 2008 server

OK, but I'm an idiot so how are you creating your "\everyone" user?

Author:  Geascian [ Tue May 19, 2015 8:30 pm ]
Post subject:  Re: Open Audit 1.6.4 issue auditing old Server 2008 server

[quote="jpa"]OK, but I'm an idiot so how are you creating your "\everyone" user?[/quote]

Ok to add a 'local' user to a group

Server Manager
Expand Configuration
Expand Local Users and Groups
Select Groups
In right hand pane double click 'Remote Desktop users'
Click Add
Click locations and select the local server rather than the domain and click OK
in the Enter the object name to select box enter 'everyone' and click 'Check Names' and then click 'OK'

this should put '\everyone' in the member list
click OK to get back to close the dialog.

Author:  jpa [ Wed May 20, 2015 7:06 am ]
Post subject:  Re: Open Audit 1.6.4 issue auditing old Server 2008 server

Thanks, I get it now. We are adding the Everyone group to another group.

So I replicated this and the easiest fix is to remove the group as you did. The crash only happens when using struser/strpass against a remote computer and from what I can tell is not a crash that vbscript can trap or ignore. It looks like the crash happens when accessing objGroup.Members.

I don't have the time to figure out a workaround (if any.) And we don't use struser/strpass or have "Everyone" in any of our groups so we're not affected. Hopefully someone else can step in.

Minimized code for testing:
[code]' Placeholder target and credentials
strcomputer = "computer"
system_hostname = strcomputer
struser = "computer\Administrator"
strpass = "password"
Const wbemConnectFlagUseMaxWait = 128

' ADSI authentication flags passed to OpenDSObject
Const ADS_SECURE_AUTHENTICATION = 1
Const ADS_USE_ENCRYPTION = 2

' List the local groups over WMI using the explicit credentials
Set wmiLocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = wmiLocator.ConnectServer(strcomputer, "\root\cimv2", struser, strpass, "", "", wbemConnectFlagUseMaxWait)
set colItems = objWMIService.ExecQuery("Select * from Win32_Group where Domain = '" & system_hostname & "'",,32)
for Each objItem in colItems
    'wscript.echo "colItems name: " & objItem.Name
    ' Bind to the same computer through the WinNT provider with the same credentials
    set objDSO = GetObject("WinNT:")
    set colGroups = objDSO.OpenDSObject("WinNT://" & system_hostname & "", struser, strpass, ADS_USE_ENCRYPTION OR ADS_SECURE_AUTHENTICATION)
    colGroups.Filter = Array("group")
    group_members = ""
    for Each objGroup In colGroups
        if objGroup.Name = objItem.Name then
            ' Enumerating Members is where the crash appears to happen
            for each objUser in objGroup.Members
                wscript.echo "ADSPath: " & objUser.ADSPath
                ' The member's domain is the second-to-last element of the ADsPath
                group_domain = split(objUser.ADSPath, "/")
                member_domain = group_domain(ubound(group_domain)-1)
                group_members = group_members & objUser.Name & "@" & member_domain & ", "
            next
        end if
    next
next[/code]
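
An alternative way to collect the same membership list, as an added example that is not part of the thread or of audit_windows.vbs: it reads the Win32_GroupUser association over the WMI connection instead of calling objGroup.Members through the WinNT provider, which is where the crash was observed. It has not been tested against the crash case above; the host name and credentials are the same placeholders used in the minimized test, and the helper names PathKey and GroupMembers are hypothetical.

```vbscript
' Added example: member list from WMI's Win32_GroupUser, no WinNT provider call.
Option Explicit
Const wbemConnectFlagUseMaxWait = 128
Dim strcomputer, struser, strpass, wmiLocator, objWMIService, colItems, objItem
strcomputer = "computer"                 ' placeholder host
struser = "computer\Administrator"       ' placeholder account
strpass = "password"                     ' placeholder password

' Extract key="value" from a WMI object path such as
' \\HOST\root\cimv2:Win32_SystemAccount.Domain="HOST",Name="Everyone"
Function PathKey(path, key)
    Dim re, found
    Set re = New RegExp
    re.IgnoreCase = True
    re.Pattern = "[.,]" & key & "=""([^""]*)"""
    Set found = re.Execute(path)
    PathKey = ""
    If found.Count > 0 Then PathKey = found(0).SubMatches(0)
End Function

' Return "name@domain, ..." for one local group; a failed query is reported
' as text so a single bad group cannot stop the audit.
Function GroupMembers(wmi, domain, name)
    Dim query, links, link, total, member, result
    query = "Select * from Win32_GroupUser where GroupComponent=" & _
            """Win32_Group.Domain='" & domain & "',Name='" & name & "'"""
    On Error Resume Next
    Set links = wmi.ExecQuery(query)
    total = links.Count                  ' forces the query to run here
    If Err.Number <> 0 Then
        GroupMembers = "(query failed: 0x" & Hex(Err.Number) & ")"
        Exit Function
    End If
    On Error GoTo 0
    For Each link In links
        member = PathKey(link.PartComponent, "Name")
        If PathKey(link.PartComponent, "Domain") <> "" Then   ' domain may be absent
            member = member & "@" & PathKey(link.PartComponent, "Domain")
        End If
        result = result & member & ", "
    Next
    GroupMembers = result
End Function

Set wmiLocator = CreateObject("WbemScripting.SWbemLocator")
Set objWMIService = wmiLocator.ConnectServer(strcomputer, "\root\cimv2", struser, strpass, "", "", wbemConnectFlagUseMaxWait)
Set colItems = objWMIService.ExecQuery("Select * from Win32_Group where Domain = '" & strcomputer & "'")
For Each objItem In colItems
    WScript.Echo objItem.Name & ": " & GroupMembers(objWMIService, objItem.Domain, objItem.Name)
Next
```

Group names containing a single quote would need escaping before being placed in the WQL string.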

All times are UTC + 10 hours