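function PNValidate {
    <#
    .SYNOPSIS
        Reports whether the local host appears exposed to the PrintNightmare print-spooler CVEs.
    .DESCRIPTION
        Collects three kinds of evidence - the Print Spooler service state, whether one of the known
        fix KBs is listed by Get-HotFix, and the three Point and Print policy values - and derives
        from them whether CVE-2021-34481 and CVE-2021-34527 are treated as exploitable on this host.
        Every individual check is reported as "Secure" / "Insecure" next to the verdict so the raw
        evidence behind the verdict stays visible.
    .PARAMETER KnownPatches
        KB identifiers that count as "the fix is installed". Defaults to the list the original script
        hard-coded. Get-HotFix only lists updates installed under these exact IDs; a later cumulative
        update that supersedes them will not appear under any of these IDs, so a fully patched host can
        still report PatchInstalled = $false unless its KB is passed here.
    .OUTPUTS
        PSCustomObject with the fields Host, CVE_2021_34481Exploitable, CVE_2021_34527Exploitable,
        Explanation, Spooler, SpoolerStartType, PatchInstalled, PatchVersion,
        RestrictDriverInstallationToAdministrators, NoWarningNoElevationOnInstall and UpdatePromptSettings.
    .NOTES
        Registry reads use -ErrorAction SilentlyContinue, so an unreadable or missing key is
        indistinguishable from an absent value. Absent is treated as Insecure for
        RestrictDriverInstallationToAdministrators (conservative) and as Secure for the two
        NoWarning/UpdatePrompt values (their documented default is 0). Later Windows updates may change
        what an absent RestrictDriverInstallationToAdministrators means - confirm against current guidance.
    #>
    param(
        [string[]]$KnownPatches = @(
            "KB5004954", "KB5004958", "KB5004956", "KB5004960", "KB5004953", "KB5004951", "KB5004955", "KB5004959", "KB5004948",
            "KB5004950", "KB5004945", "KB5004946", "KB5004947", "KB5004249", "KB5004238", "KB5004244", "KB5004245", "KB5004237",
            "KB5004289", "KB5004307", "KB5004298", "KB5004285", "KB5004305", "KB5004299", "KB5004294", "KB5004302"
        )
    )

    # Result object; both CVEs start as exploitable and are cleared only by positive evidence.
    $Results = [PSCustomObject]@{
        Host                                       = $null
        CVE_2021_34481Exploitable                  = $true
        CVE_2021_34527Exploitable                  = $true
        Explanation                                = $null
        Spooler                                    = $null
        SpoolerStartType                           = $null
        PatchInstalled                             = $false
        PatchVersion                               = $null
        RestrictDriverInstallationToAdministrators = $null
        NoWarningNoElevationOnInstall              = $null
        UpdatePromptSettings                       = $null
    }

    # Get Hostname
    $Results.Host = HOSTNAME.EXE

    # Check spooler status. Query the service once; if it does not exist both properties are $null,
    # which is treated the same as stopped / disabled.
    $SpoolerService   = Get-Service Spooler -ErrorAction SilentlyContinue
    $Spooler          = $SpoolerService.Status
    $SpoolerStartType = $SpoolerService.StartType

    if (($null -eq $Spooler) -or ($Spooler -ne "Running")) {
        $Results.Spooler = "Secure"
    }
    else {
        $Results.Spooler = "Insecure"
    }

    if (($null -eq $SpoolerStartType) -or ($SpoolerStartType -eq "Disabled")) {
        $Results.SpoolerStartType = "Secure"
    }
    else {
        $Results.SpoolerStartType = "Insecure"
    }

    # Check patch installation status. Get-HotFix errors are left visible on purpose: silently
    # treating a failed enumeration as "no patch" would hide why the host was flagged.
    $InstalledPatches = (Get-HotFix).HotFixID
    foreach ($Patch in $KnownPatches) {
        if ($InstalledPatches -contains $Patch) {
            $Results.PatchInstalled = $true
            # If several listed KBs are present the last match is reported, as in the original script.
            $Results.PatchVersion = $Patch
        }
    }

    # Check registry keys. All three policy values live under the same key, so read it once.
    $PointAndPrintKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint"
    $PointAndPrint    = Get-ItemProperty $PointAndPrintKey -ErrorAction SilentlyContinue

    # RestrictDriverInstallationToAdministrators: only an explicit 1 counts as Secure.
    $RestrictDriverInstallationToAdministrators = $PointAndPrint.RestrictDriverInstallationToAdministrators
    if (($null -eq $RestrictDriverInstallationToAdministrators) -or ($RestrictDriverInstallationToAdministrators -ne 1)) {
        $Results.RestrictDriverInstallationToAdministrators = "Insecure"
    }
    else {
        $Results.RestrictDriverInstallationToAdministrators = "Secure"
    }

    # NoWarningNoElevationOnInstall: absent or 0 is Secure, any other value is Insecure.
    $NoWarningNoElevationOnInstall = $PointAndPrint.NoWarningNoElevationOnInstall
    if (($null -eq $NoWarningNoElevationOnInstall) -or ($NoWarningNoElevationOnInstall -eq 0)) {
        $Results.NoWarningNoElevationOnInstall = "Secure"
    }
    else {
        $Results.NoWarningNoElevationOnInstall = "Insecure"
    }

    # UpdatePromptSettings: absent or 0 is Secure, any other value is Insecure.
    $UpdatePromptSettings = $PointAndPrint.UpdatePromptSettings
    if (($null -eq $UpdatePromptSettings) -or ($UpdatePromptSettings -eq 0)) {
        $Results.UpdatePromptSettings = "Secure"
    }
    else {
        $Results.UpdatePromptSettings = "Insecure"
    }

    # Validate results. The first two branches cover every case where the spooler is not running,
    # so every branch after them implicitly means the spooler IS running.
    # Spooler off and Disabled
    if (($Results.Spooler -eq "Secure") -and ($Results.SpoolerStartType -eq "Secure")) {
        $Results.CVE_2021_34481Exploitable = $false
        $Results.CVE_2021_34527Exploitable = $false
        $Results.Explanation = "Both not exploitable as spooler service is not running and start type is disabled."
    }
    # Spooler off but not disabled
    elseif (($Results.Spooler -eq "Secure") -and ($Results.SpoolerStartType -eq "Insecure")) {
        $Results.Explanation = "Print Spooler is currently not running but is set to start automatically. Set the start type to disabled."
    }
    # Spooler running, patched and all three registry values fixed
    elseif (($Results.PatchInstalled -eq $true) -and ($Results.RestrictDriverInstallationToAdministrators -eq "Secure") -and ($Results.NoWarningNoElevationOnInstall -eq "Secure") -and ($Results.UpdatePromptSettings -eq "Secure")) {
        $Results.CVE_2021_34527Exploitable = $false
        $Results.Explanation = "CVE-2021-34527 is not exploitable. CVE-2021-34481 Requires the Spooler is disabled."
    }
    # Spooler running, patched but missing a registry fix, or not patched at all
    else {
        if ($Results.PatchInstalled -eq $true) {
            # Report the first insecure value in priority order; exactly one of these branches must
            # match, because the all-Secure case was handled above.
            if ($Results.NoWarningNoElevationOnInstall -eq "Insecure") {
                $Results.Explanation = "Both exploitable as NoWarningNoElevationOnInstall is set to insecure value and spooler is running."
            }
            elseif (($Results.NoWarningNoElevationOnInstall -eq "Secure") -and ($Results.UpdatePromptSettings -eq "Insecure")) {
                $Results.Explanation = "Both exploitable as UpdatePromptSettings is set to insecure value and Spooler is running."
            }
            elseif (($Results.NoWarningNoElevationOnInstall -eq "Secure") -and ($Results.UpdatePromptSettings -eq "Secure") -and ($Results.RestrictDriverInstallationToAdministrators -eq "Insecure")) {
                $Results.Explanation = "Both exploitable as RestrictDriverInstallationToAdministrators is set to insecure value and spooler is running."
            }
        }
        else {
            $Results.Explanation = "Both exploitable as no patch is installed."
        }
    }

    $Results
}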