Fix possible security issue in service register

Icinga · Jul 9, 2021 · ddb6414 · ddb6414
1 parent 75816c2
commit ddb6414
Show file tree

Hide file tree

Showing 4 changed files with 70 additions and 1 deletion.
diff --git a/doc/10-Knowledge-Base.md b/doc/10-Knowledge-Base.md
@@ -14,3 +14,6 @@ For this reason you will find a list of Icinga knowledge base entries below. Ent
 | [IWKB000004](knowledgebase/IWKB000004.md) | Use-Icinga : The 'Use-Icinga' command was found in the module 'icinga-powershell-framework', but the module could not be loaded. For more information, run 'Import-Module icinga-powershell-framework' |
 | [IWKB000005](knowledgebase/IWKB000005.md) | powershell.exe : Failed to start service 'Icinga PowerShell Service (icingapowershell)'. |
 | [IWKB000006](knowledgebase/IWKB000006.md) | The user you are running this command as does not have permission to access the Windows Update ComObject "Microsoft.Update.Session". |
+| [IWKB000007](knowledgebase/IWKB000007.md) | Icinga Director Self-Service API fails with errors. [Error]: The remote host for address "..." could not be resolved [Error]: Failed to connect to your Icinga Director at "...". Please try again. |
+| [IWKB000008](knowledgebase/IWKB000008.md) | The EventLog contains many `Perflib`, `PerfNet` and `PerfProc` errors/warnings with EventId `1008`, `2002` and `2004` |
+| [IWKB000009](knowledgebase/IWKB000009.md) | The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service |
diff --git a/doc/31-Changelog.md b/doc/31-Changelog.md
@@ -7,6 +7,14 @@ documentation before upgrading to a new release.
 
 Released closed milestones can be found on [GitHub](https://github.com/Icinga/icinga-powershell-framework/milestones?state=closed).
 
+## 1.3.2 (2021-07-09)
+
+### Security Fixes
+
+* [#298](https://github.com/Icinga/icinga-powershell-framework/issues/298) Fixes possible security vulnerability on Icinga for Windows service registration, by not quoting the service path on registration
+
+You can read more on this on the [Knowledge Base Entry](https://icinga.com/docs/icinga-for-windows/latest/doc/knowledgebase/IWKB000009/) with further details, on how to apply the fix and test if you are affected.
+
 ## 1.3.1 (2021-02-04)
 
 [Issue and PRs](https://github.com/Icinga/icinga-powershell-framework/milestone/12?closed=1)

diff --git a/doc/knowledgebase/IWKB000009.md b/doc/knowledgebase/IWKB000009.md
@@ -0,0 +1,58 @@
+# Icinga Knowledge Base - IWKB000009
+
+## Short Message
+
+Security Scanner: The remote Windows host has at least one service installed that uses an unquoted service path, which contains at least one whitespace. A local attacker can gain elevated privileges by inserting an executable file in the path of the affected service
+
+## Reason
+
+The path pointing to the `icinga-service.exe` is not encapsulated inside double quotes `"` during creation. This might open a possible vulnerability and provide a possible attack vector for attackers gaining access to the machine. In worst case, attackers can place a binary file on the location of the path where the whitespace stops. This binary is then executed with the privileges the service is running with, which could cause a security issue.
+
+You can read this [blogpost](http://www.ryanandjeffshow.com/blog/2013/04/05/the-microsoft-windows-unquoted-service-path-vulnerability/) by Jeff Liford to get a better idea on the problem.
+
+## Solution
+
+This is directly fixed within Icinga for Windows v1.3.2, 1.4.2, v1.5.2 and 1.6.0 during the service creation. If you created the service starting with one of these versions, you are not affected.
+
+If not, please update your environment to a version which includes the fix and start a new PowerShell. Afterwards use this code snippet to re-create the service with all your configuration:
+
+```powershell
+Use-Icinga;
+$IcingaService = Get-CimInstance Win32_Service `
+    | Where-Object {
+            $_.Name -eq 'icingapowershell'
+        } `
+    | Select-Object Name, StartName, PathName;
+
+if ($null -ne $IcingaService) {
+    $IfWUser = $IcingaService.StartName;
+    $IfWPath = $IcingaService.PathName.SubString(0, $IcingaService.PathName.IndexOf(' "'));
+
+    if ($IfWPath[0] -eq '"' -And $IfWPath[-1] -eq '"') {
+        return;
+    }
+
+    Uninstall-IcingaFrameworkService;
+    Install-IcingaFrameworkService -Path $IfWPath -User $IfWUser;
+}
+```
+
+## Test Vulnerability
+
+If you want to test if the above fix work or if you are affected by this problem, you can run this script:
+
+```powershell
+$IcingaService = Get-CimInstance Win32_Service `
+    | Where-Object {
+            $_.Name -eq 'icingapowershell'
+        } `
+    | Select-Object Name, StartName, PathName;
+
+$IfWPath = $IcingaService.PathName.SubString(0, $IcingaService.PathName.IndexOf(' "'));
+
+if ($IfWPath.Contains('"')) {
+    Write-Host -ForegroundColor Green 'Your service installation is secure';
+} else {
+    Write-Host -ForegroundColor Red 'You are possibly affected by a whitespace service vulnerability';
+}
+```
diff --git a/lib/core/framework/Install-IcingaFrameworkService.psm1 b/lib/core/framework/Install-IcingaFrameworkService.psm1
@@ -61,7 +61,7 @@ function Install-IcingaFrameworkService()
     }
 
     $Path = [string]::Format(
-        '{0} \"{1}\"',
+        '\"{0}\" \"{1}\"',
         $Path,
         (Get-IcingaPowerShellModuleFile)
     );