From 8c1f701e6e9df29fe991f98265e2dd76acca4b8c Mon Sep 17 00:00:00 2001
From: Matt Davis
Date: Mon, 26 Nov 2018 15:28:21 -0800
Subject: split PS wrapper and payload (CVE-2018-16859) (#49142)
* prevent scriptblock logging from logging payload contents
* added tests to verify no payload contents in PS Operational event log
* fix script action to send split-aware wrapper
* fix CLIXML error parser (return to -EncodedCommand exposed problems with it)
---
 test/integration/targets/win_become/tasks/main.yml | 33 ++++++++++++++++------
 .../targets/win_exec_wrapper/tasks/main.yml | 18 +++++++++++-
 2 files changed, 42 insertions(+), 9 deletions(-)
(limited to 'test')
diff --git a/test/integration/targets/win_become/tasks/main.yml b/test/integration/targets/win_become/tasks/main.yml
index 0aab437471..9033e6af14 100644
--- a/test/integration/targets/win_become/tasks/main.yml
+++ b/test/integration/targets/win_become/tasks/main.yml
@@ -1,7 +1,7 @@
 - set_fact:
 become_test_username: ansible_become_test
 become_test_admin_username: ansible_become_admin
- gen_pw: password123! + {{ lookup('password', '/dev/null chars=ascii_letters,digits length=8') }}
+ gen_pw: "{{ 'password123!' + lookup('password', '/dev/null chars=ascii_letters,digits length=8') }}"
 
 - name: create unprivileged user
 win_user:
@@ -29,6 +29,10 @@
 - SeInteractiveLogonRight
 - SeBatchLogonRight
 
+- name: fetch current target date/time for log filtering
+ raw: '[datetime]::now | Out-String'
+ register: test_starttime
+
 - name: execute tests and ensure that test user is deleted regardless of success/failure
 block:
 - name: ensure current user is not the become user
@@ -82,7 +86,7 @@
 vars: *admin_become_vars
 win_whoami:
 register: whoami_out
-
+
 - name: verify output
 assert:
 that:
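Review bot: The start timestamp taken in the new `fetch current target date/time for log filtering` task is formatted with the target's current culture (`[datetime]::now | Out-String`), while the `[datetime]"{{ test_starttime.stdout|trim }}"` cast that consumes it later in this file parses with the invariant culture, so on a target whose locale orders day and month differently the cast can fail or pick the wrong date and the log filter silently widens or empties. Emitting a culture-independent round-trip string, `raw: "[datetime]::now.ToString('o')"`, keeps the existing cast unambiguous. The same task is added at the top of test/integration/targets/win_exec_wrapper/tasks/main.yml in its @@ -1,4 +1,8 @@ hunk and needs the same change.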
@@ -121,7 +125,7 @@
 - whoami_out.label.account_name == 'Medium Mandatory Level'
 - whoami_out.label.sid == 'S-1-16-8192'
 - whoami_out.logon_type == 'Interactive'
-
+
 - name: test with module that will return non-zero exit code (https://github.com/ansible/ansible/issues/30468)
 vars: *become_vars
 setup:
@@ -138,14 +142,14 @@
 - '"Failed to become user " + become_test_username not in become_invalid_pass.msg'
 - '"LogonUser failed" not in become_invalid_pass.msg'
 - '"Win32ErrorCode 1326)" not in become_invalid_pass.msg'
-
+
 - name: test become with SYSTEM account
 win_whoami:
 become: yes
 become_method: runas
 become_user: SYSTEM
 register: whoami_out
-
+
 - name: verify output
 assert:
 that:
@@ -162,7 +166,7 @@
 become_method: runas
 become_user: NetworkService
 register: whoami_out
-
+
 - name: verify output
 assert:
 that:
@@ -179,7 +183,7 @@
 become_method: runas
 become_user: LocalService
 register: whoami_out
-
+
 - name: verify output
 assert:
 that:
@@ -195,11 +199,12 @@
 win_command: whoami
 async: 10
 register: whoami_out
-
+
 - name: verify become + async worked
 assert:
 that:
 - whoami_out is successful
+ - become_test_username in whoami_out.stdout
 
 - name: test failure with string become invalid key
 vars: *become_vars
@@ -313,6 +318,18 @@
 - nonascii_output.stdout_lines[0] == 'über den Fußgängerübergang gehen'
 - nonascii_output.stderr == ''
 
+ - name: get PS events containing password or module args created since test start
+ raw: |
+ $dt=[datetime]"{{ test_starttime.stdout|trim }}"
+ (Get-WinEvent -LogName Microsoft-Windows-Powershell/Operational |
+ ? { $_.TimeCreated -ge $dt -and $_.Message -match "{{ gen_pw }}|whoami" }).Count
+ register: ps_log_count
+
+ - name: assert no PS events contain password or module args
+ assert:
+ that:
+ - ps_log_count.stdout | int == 0
+
 # FUTURE: test raw + script become behavior once they're running under the exec wrapper again
 # FUTURE: add standalone playbook tests to include password prompting and play become keywords
 
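Review bot: The `ps_log_count.stdout | int == 0` assertion in the @@ -313,6 +318,18 @@ hunk passes vacuously when PowerShell script block logging is not enabled on the target, because an empty Microsoft-Windows-Powershell/Operational log satisfies it without the fix ever being exercised; the @@ -248,3 +252,15 @@ hunk in win_exec_wrapper has the same gap. A positive control that asserts at least one event was written since test_starttime (or a setup task that enables the logging first) turns a misconfigured test host into a failure instead of a pass. Note too that the query task is itself a raw PowerShell command containing the literal `{{ gen_pw }}`, so with logging active its own script block presumably matches the pattern and is counted; excluding it, e.g. `$_.Message -notmatch 'Get-WinEvent'`, keeps the check from counting itself. Filtering with `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Powershell/Operational'; StartTime=$dt}` instead of piping the whole log through `?` would also be cheaper on hosts with a large log.
```yaml
  # … unchanged: non-ASCII output assertions …
  - name: count PS events created since test start (positive control)
    raw: |
      $dt=[datetime]"{{ test_starttime.stdout|trim }}"
      (Get-WinEvent -LogName Microsoft-Windows-Powershell/Operational | ? { $_.TimeCreated -ge $dt }).Count
    register: ps_log_total

  - name: assert script block logging produced events, otherwise the zero-match check below proves nothing
    assert:
      that:
      - ps_log_total.stdout | int > 0
  # … unchanged: password/module-args query and its zero-count assertion …
```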
diff --git a/test/integration/targets/win_exec_wrapper/tasks/main.yml b/test/integration/targets/win_exec_wrapper/tasks/main.yml
index b067168b80..75d2dad1ce 100644
--- a/test/integration/targets/win_exec_wrapper/tasks/main.yml
+++ b/test/integration/targets/win_exec_wrapper/tasks/main.yml
@@ -1,4 +1,8 @@
 ---
+- name: fetch current target date/time for log filtering
+ raw: '[datetime]::now | Out-String'
+ register: test_starttime
+
 - name: test normal module execution
 test_fail:
 register: normal
@@ -180,7 +184,7 @@
 
 - set_fact:
 become_test_username: ansible_become_test
- gen_pw: password123! + {{ lookup('password', '/dev/null chars=ascii_letters,digits length=8') }}
+ gen_pw: "{{ 'password123!' + lookup('password', '/dev/null chars=ascii_letters,digits length=8') }}"
 
 - name: create unprivileged user
 win_user:
@@ -248,3 +252,15 @@
 that:
 - not common_functions_res is failed
 - common_functions_res.msg == "good"
+
+- name: get PS events containing module args or envvars created since test start
+ raw: |
+ $dt=[datetime]"{{ test_starttime.stdout|trim }}"
+ (Get-WinEvent -LogName Microsoft-Windows-Powershell/Operational |
+ ? { $_.TimeCreated -ge $dt -and $_.Message -match "test_fail|fail_module|hyphen-var" }).Count
+ register: ps_log_count
+
+- name: assert no PS events contain module args or envvars
+ assert:
+ that:
+ - ps_log_count.stdout | int == 0
-- 
cgit v1.2.1