Windows unquoted service path enumeration vulnerability - Is this still a concern?

A bit of background:

The ‘Windows Unquoted Path Enumeration vulnerability’ was identified a few years ago, and most applications have released multiple versions since the issue was identified. However, it is still worth verifying regularly, which is where this article comes from.


In simple terms, when a service is created whose executable path contains spaces and isn’t enclosed in quotes, the result is a potential vulnerability called ‘Unquoted Service Path’, which allows a standard user to gain SYSTEM privileges (provided the vulnerable service runs at the SYSTEM privilege level, which is the case most of the time). If the service path is not enclosed in quotes (“”) and contains spaces, Microsoft Windows treats the space as a break and passes the rest of the service path as an argument. As a result, this vulnerability allows an attacker to escalate a low-privileged user account to NT AUTHORITY\SYSTEM, which is extremely dangerous.

How to replicate/test this vulnerability:

You can easily recognize this by running the script I have pointed out below, but additionally, if you’re keen to try this in a test environment, you can download one of the applications listed under CWE ID 428.

https://www.cvedetails.com/vulnerability-list/cweid-428/vulnerabilities.html


One of the sample apps we can use to test this in an isolated test environment is ‘BitComet’. BitComet Service for Windows before version 1.8.6 contains an unquoted service path vulnerability that allows attackers to escalate privileges to the system level.

After installing BitComet v1.7 in my test lab:

As you can see below, the ImagePath in the registry (run “regedit” from the Run command) is clearly unquoted, which means this app leaves the device/environment vulnerable to a potential attacker.

Actions/Recommendations: As there is no simple patch/fix from Microsoft for this kind of vulnerability, the best approach is to regularly analyse your devices (or assess every 3rd-party application before onboarding it into the corporate environment) to ensure they are not exposed. A group of GitHub contributors have done a fantastic job putting together a PowerShell script that analyses, detects and fixes these paths on your Windows devices, if there are any.

https://github.com/VectorBCO/windows-path-enumerate/

After applying the fix: I simply ran the script above and voilà, the path got fixed and now appears quoted.
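As an added example written for this post (it is not the VectorBCO script linked above), here is a compact PowerShell script that lists every service whose ImagePath has a space but no surrounding quotes, shows which account it runs as (LocalSystem is the worrying case), and quotes the executable when run with the script’s own -Fix switch. It reads the raw registry value so that %SystemRoot%-style paths are written back unexpanded; run it from an elevated prompt.

```powershell
# Added example for this post; not the VectorBCO script. Run elevated.
# -Fix is a switch of this script, not a Windows built-in.
param([switch]$Fix)

$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
$findings = foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $reg  = Get-Item -LiteralPath $key.PSPath
    $path = $reg.GetValue('ImagePath', $null, $noExpand)    # keep %SystemRoot% as written
    if (-not $path -or $path.StartsWith('"')) { continue }   # empty or already quoted
    # The executable is assumed to end at the first ".exe"; the rest is arguments
    $m = [regex]::Match($path, '^(?<exe>.*?\.exe)(?<tail>\s.*)?$', 'IgnoreCase')
    if (-not $m.Success -or $m.Groups['exe'].Value -notmatch '\s') { continue }
    [pscustomobject]@{
        Service   = $key.PSChildName
        RunsAs    = $reg.GetValue('ObjectName')              # LocalSystem = SYSTEM privileges
        ImagePath = $path
        Fixed     = '"' + $m.Groups['exe'].Value + '"' + $m.Groups['tail'].Value
        Kind      = $reg.GetValueKind('ImagePath')           # String or ExpandString, preserved
        PSPath    = $key.PSPath
    }
}

# Report: anything listed here is an unquoted service path with spaces
$findings | Format-Table Service, RunsAs, ImagePath -AutoSize

if ($Fix) {
    foreach ($f in $findings) {
        Set-ItemProperty -LiteralPath $f.PSPath -Name ImagePath -Value $f.Fixed -Type $f.Kind
        Write-Host "Quoted $($f.Service): $($f.Fixed)"
    }
}
```

Run it once without -Fix and review the list, since a service that uses a non-.exe image or unusual argument layout is skipped by the regex rather than guessed at.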


Enabling Teams Meeting report download capability

Meetings in Teams are one of the most popular features, used by millions across the world. The ability to download attendance reports is very useful for meeting organizers who want to see who attended their meeting(s). In a recent Teams update, Microsoft added this functionality to Teams, but it is disabled by default, and you will not be able to use it out of the box unless you enable it (for everyone or for a specific target group). This post will guide you through getting this done.


Note: There’s still a limitation here: you can’t download the report after the meeting has ended. You will have to download it while participants are still in the meeting.

Steps:

  1. Log in to the Teams admin centre Meeting policies blade and create a new policy using the ‘+’ sign – https://admin.teams.microsoft.com/policies/meetings

Policy Title – MeetingPolicy_ReportsEnabled

Description – Meeting policy with reports download feature enabled

General

Allow Meet now in channels – On

Allow the Outlook add-in – On

Allow channel meeting scheduling – On

Allow scheduling private meetings – On

Audio Video

Allow transcription – On

Allow cloud recording – On

Mode for IP audio – Outgoing and incoming audio enabled

Mode for IP video – Outgoing and incoming video enabled

Allow IP video – On

Allow NDI streaming – Off

Media bit rate (Kbs) – 50000

Content sharing

Screen sharing mode – Entire Screen

Allow a participant to give or request control – On

Allow an external participant to give or request control – On

Allow PowerPoint sharing – On

Allow whiteboard – On

Allow shared notes – On

Participants and Guests

Let anonymous people start a meeting – Off

Roles that have presenter rights in meetings – Everyone, but user can override

Automatically admit people – Everyone

Allow dial-in users to bypass the lobby – On

Allow Meet now in private meetings – On

Enable live captions – Disabled but the user can override

Allow chat in meetings – Enabled

Hit Save to apply the changes.

  2. Then, to enable the Meeting reports feature, run the following commands in PowerShell (this requires admin access):

$sfbSession = New-CsOnlineSession

Import-PSSession $sfbSession

Set-CsTeamsMeetingPolicy -Identity "MeetingPolicy_ReportsEnabled" -AllowEngagementReport Enabled

Use this command to verify the settings. Ensure the AllowEngagementReport parameter value is "Enabled":

Get-CsTeamsMeetingPolicy -Identity "MeetingPolicy_ReportsEnabled"

  3. Finally, assign this policy to the intended users manually by going to each user’s Teams profile –> Edit the Meeting Policy for the user –> change the policy assignment to the new policy just created (MeetingPolicy_ReportsEnabled) and hit “Save”.
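As an added example (my own, not Microsoft’s documentation or the original post), the three steps above as one script: it creates the policy if needed, enables the engagement report, verifies the value before doing anything else, and then assigns the policy to a list of users in bulk via Grant-CsTeamsMeetingPolicy instead of editing each profile by hand. It assumes the admin session from step 2 is already open and a constructed CSV at C:\Temp\ReportUsers.csv with a UserPrincipalName column.

```powershell
# Added example for this post; assumes the admin session above is already open.
# C:\Temp\ReportUsers.csv is a constructed input with a 'UserPrincipalName' column.
$policy = 'MeetingPolicy_ReportsEnabled'

# Create the policy only if it does not exist yet (idempotent re-runs)
if (-not (Get-CsTeamsMeetingPolicy -Identity $policy -ErrorAction SilentlyContinue)) {
    New-CsTeamsMeetingPolicy -Identity $policy `
        -Description 'Meeting policy with reports download feature enabled' | Out-Null
}
Set-CsTeamsMeetingPolicy -Identity $policy -AllowEngagementReport Enabled

# Verify before assigning: stop if the setting did not stick
$check = Get-CsTeamsMeetingPolicy -Identity $policy
if ($check.AllowEngagementReport -ne 'Enabled') {
    throw "AllowEngagementReport is '$($check.AllowEngagementReport)', expected 'Enabled'"
}

# Assign the policy to every user in the CSV
Import-Csv 'C:\Temp\ReportUsers.csv' | ForEach-Object {
    Grant-CsTeamsMeetingPolicy -Identity $_.UserPrincipalName -PolicyName $policy
    Write-Host "Assigned $policy to $($_.UserPrincipalName)"
}
```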


During the meeting, you’ll see the download option under the “People” section.


Provisioning bulk distribution lists

It’s ideal to avoid distribution lists wherever possible and adopt Microsoft 365 groups instead; however, that isn’t possible in every scenario, as DLs are still very useful and in some cases the only option you have. This post shows the steps to provision DLs in bulk (in Exchange Online).

Steps:

1. Create a simple 3-column CSV file as shown below and save it locally on your PC as “DL_Pilot.csv”:

Name,Type,Email
Incidents AU_Group1,Distribution,IncidentsAUGroup1@mantasa.live
Incidents AU_Group2,Distribution,IncidentsAUGroup2@mantasa.live
Incidents AU_Group3,Distribution,IncidentsAUGroup3@mantasa.live
Incidents AU_Group4,Distribution,IncidentsAUGroup4@mantasa.live

2. Log in to the Exchange Online PowerShell module:

Connect-ExchangeOnline

3. Run the following command (set the path to match yours), pointing it at the CSV file you created:

Import-CSV "C:\Official\Mantoso\DL_Pilot.csv" | foreach {New-DistributionGroup -Name $_.Name -Type $_.Type -PrimarySmtpAddress $_.Email}

That’s it. It will simply provision the DLs defined in the CSV (sample result below).
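As an added example (my own, not from the original post), the same provisioning with the checks a bulk run needs: rows with an unsupported type or a malformed address are skipped, groups that already exist are left alone so the script can be re-run safely, and each failure is reported without stopping the rest. It assumes Connect-ExchangeOnline has already been run and the CSV uses the Name,Type,Email columns shown above.

```powershell
# Added example for this post; assumes Connect-ExchangeOnline has been run.
$rows = Import-Csv 'C:\Official\Mantoso\DL_Pilot.csv'

foreach ($row in $rows) {
    # Only the group types New-DistributionGroup accepts
    if ($row.Type -notin @('Distribution', 'Security')) {
        Write-Warning "$($row.Name): unsupported type '$($row.Type)', skipped"; continue
    }
    # A bad address would fail at creation time anyway; reject it up front
    if ($row.Email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        Write-Warning "$($row.Name): malformed address '$($row.Email)', skipped"; continue
    }
    # Idempotent: re-running must not error on groups created by an earlier run
    if (Get-DistributionGroup -Identity $row.Email -ErrorAction SilentlyContinue) {
        Write-Host "$($row.Name) already exists, skipped"; continue
    }
    try {
        New-DistributionGroup -Name $row.Name -Type $row.Type `
            -PrimarySmtpAddress $row.Email -ErrorAction Stop | Out-Null
        Write-Host "Created $($row.Name) <$($row.Email)>"
    } catch {
        Write-Warning "$($row.Name): $($_.Exception.Message)"
    }
}
```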


Fixed: Outlook desktop unable to render SharePoint-hosted images embedded into the mail body through the Power Automate send email action

This post comes out of a recent support experience with one of my clients. He was trying to use a Microsoft Power Automate flow to embed a SharePoint library-hosted image into an email notification that is sent regularly across the organization to all users. The usual way of doing this is an <img src> tag in the send email action, but interestingly, the behaviours below were a showstopper until I figured out the solution after several hours (described at the end of the article).


Behaviors:

  1. Embedded images from a SharePoint URL did not render in the Outlook desktop app.
  2. The same image renders in OWA (Outlook Web App); however, there was a slight delay in loading the image.
  3. The same image hosted in public locations rendered nicely as well (e.g. https://www.w3schools.com/, Google, etc.).

SharePoint-hosted image in the Outlook desktop app: strange enough!


Externally hosted image in the Outlook desktop app:


Tried and did not work in my case:

  • Changing the text format to HTML in the Outlook client application (File -> Options -> Mail -> Compose messages in HTML format). This was already in place in my scenario.
  • Adding the domain to safe/trusted sites in the browser settings.
  • A plethora of other solutions from Microsoft articles and forums.


The real solution:

To overcome this issue, you simply have to add these extra pieces to your email step: add a Compose action and point it at the ‘Get file content using path’ SharePoint action (or you can add the resulting expression directly to the mail body HTML).

Add a new Compose action to the Power Automate flow.

Set the expression as below (you can copy and paste this):

dataUri(outputs('Get_file_content_using_path')?['body'])


Amend the mail body as follows, or add the above expression directly to the HTML body. Either way should work.

<p><br>
File content using path<br>
<!-- img is a void element: no closing </img> tag -->
<img src="@{outputs('Compose_2')}">
</p>


Full flow: tested and working perfectly across the web client and the desktop client of Outlook.


Result: the SharePoint-hosted image is now rendered perfectly in the Outlook desktop app.


Root cause analysis:

The key point is the use of dataUri() to convert the file content into a form that HTML can embed directly (a base64 data URI), so no request to SharePoint is needed at render time. An image, or any file, behind a SharePoint link is not a public link: only authenticated users can view it, and that is the root cause of this issue.

If a user logs in to Outlook on the web from a browser, their Microsoft identity data is stored locally within the browser context as cookies. As a result, when they open an email that contains a SharePoint link in an HTML image tag, the request sent to the SharePoint servers carries the same identity, and the image can be downloaded if the user has sufficient privileges.

It’s the same as when you have already logged in to one of the Google services: you won’t have to log in again when accessing other Google services in different tabs.

On the other hand, the Outlook client is simply an email application and does not share the same architecture as a browser. Outlook account credentials are stored differently, and Outlook has no mechanism to detect and pass credentials to other Microsoft services. Hence, when it sees a SharePoint link in an HTML image tag, a request without any authorization data is sent to the SharePoint servers and, of course, it is refused. If a hyperlink is added to the email, clicking on it opens a browser and you will need to sign in. In the end, the main purpose of the Outlook client is email-related tasks, and it will not handle authentication for other services.

Remove orphaned delegation permissions of a deleted user in Exchange Online mailbox

You might think that a user’s delegate permissions on other mailboxes are removed upon deleting the account in Azure Active Directory; apparently that wasn’t the case for me.


Scenario:

Location – the Calendar folder ‘manoj@mantoso.live:\Calendar’

Delegated Editor permissions to – ‘Marie Jonas’ (an abandoned identity after AD account deletion)

Even though this particular account was permanently deleted from Azure AD 30 days after being marked for deletion, its delegated access (Editor) to other users’ Exchange mailboxes remained intact, which caused the following strange behaviours that I had to get rid of:

  • Others can still see this user’s name in calendar invites.
  • Possibly in various other places too, depending on the permissions the user had before being deleted.

Here’s the PowerShell command to fetch the permissions on a specific folder. It lists all the delegated permissions on Manoj’s Exchange calendar. In my case, the abandoned user also popped up in the results.

Get-EXOMailboxFolderPermission "manoj@mantoso.live:\calendar" 


Now, to narrow this down to the mysterious user, let’s run this command:

Get-EXOMailboxFolderPermission "manoj@mantoso.live:\calendar" | where {$_.user.tostring() -like "Marie Jonas*"}


This means the permission entry is intact even after the account was permanently deleted, which is a mystery. To get rid of it, we can use the command below. I tried several other approaches from various Microsoft articles and forum posts, but none of them worked except the following.

Get-EXOMailboxFolderPermission "<user@domain.com:\calendar>" | where {$_.user.tostring() -like "<FirstName LastName>*"} | Remove-MailboxFolderPermission -Confirm:$False

After running that with no errors or warnings, I ran the Get command again to verify that it really was a success. And yes! Nothing was returned, which means the permissions are now cleared for the abandoned identity of ‘Marie Jonas’.


After a couple of hours, her name disappeared from the calendar invites as well.
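As an added example (my own, not from the original post), the same cleanup run across every user mailbox rather than one, since a deleted delegate can still hold rights on several calendars. It assumes Connect-ExchangeOnline has been run, takes the orphaned display name as a parameter, and has a -Preview switch (a switch of this script) that only reports what it would remove.

```powershell
# Added example for this post; assumes Connect-ExchangeOnline has been run.
# -Orphan is the deleted user's display name (e.g. 'Marie Jonas');
# -Preview (this script's own switch) lists matches without removing anything.
param(
    [Parameter(Mandatory)][string]$Orphan,
    [switch]$Preview
)

# Every user mailbox in the tenant; shared/room mailboxes can be added to the filter
$mailboxes = Get-EXOMailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited `
                            -Properties PrimarySmtpAddress
$removed = 0

foreach ($mbx in $mailboxes) {
    # ':\Calendar' assumes an English mailbox language, as in the post
    $folder = "$($mbx.PrimarySmtpAddress):\Calendar"
    $hits = Get-EXOMailboxFolderPermission -Identity $folder -ErrorAction SilentlyContinue |
            Where-Object { $_.User.ToString() -like "$Orphan*" }
    foreach ($hit in $hits) {
        Write-Host "$folder : '$($hit.User)' holds $($hit.AccessRights -join ',')"
        if (-not $Preview) {
            # Same removal as the post's one-liner, applied per matching entry
            $hit | Remove-MailboxFolderPermission -Confirm:$false
            $removed++
        }
    }
}
Write-Host "Entries removed: $removed"
```

Run it with -Preview first; the -like match is on the display name, so check the list before removing in case a live user shares the same name.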


Enable Microsoft Whiteboard for Teams

Whiteboard in Teams is powered by Whiteboard for the web and is a very useful feature for collaborating in group meetings: a shared canvas lets meeting participants work together. In Office 365, the Whiteboard feature is enabled by default unless you disabled it manually (customers mostly disable it due to data residency concerns).

Microsoft Note: The ability to start a new whiteboard is currently limited to the Microsoft Teams clients on Windows 10, macOS, and for the web. The Teams apps for iOS and Android cannot initiate sharing a whiteboard, but they can collaborate once a whiteboard is shared.

Now let’s get this configured. Log in to the Office 365 admin center using admin credentials and type ‘Whiteboard’ in the global search field. You will get the Whiteboard global settings option in the search result dropdown.


Check the ‘Turn on’ tick box to enable it globally in your tenancy. Diagnostic data collection by Microsoft is presented as three options here.


Connected experiences and sharing from Surface Hub are two optional settings, depending on organizational requirements. Finally, hit ‘Save’ to complete it.


Now that the global setting is enabled, we need to ensure the Whiteboard capability is also enabled in the meeting policies. If you have multiple policies, make sure this is enabled in all of them so that it reaches the desired target audiences.

From the Teams admin center, navigate to Meetings –> Meeting policies


Then click on the desired policy (in my case ‘Default’, as it applies to all users).


Toggle the ‘Allow Whiteboard’ switch to ‘On’ to enable it and hit ‘Save’.
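As an added example (my own, not from the original post), the same policy change applied to every Teams meeting policy in one go, which is what the “make sure this is enabled for all of them” advice above amounts to when a tenant has many policies. It assumes an admin Teams PowerShell session is already open and uses the AllowWhiteboard setting of Set-CsTeamsMeetingPolicy.

```powershell
# Added example for this post; assumes an admin Teams PowerShell session is open.
# Turns on Allow Whiteboard in every meeting policy and then verifies none is left off.
foreach ($p in Get-CsTeamsMeetingPolicy) {
    if ($p.AllowWhiteboard) {
        Write-Host "$($p.Identity): whiteboard already on"
        continue
    }
    try {
        Set-CsTeamsMeetingPolicy -Identity $p.Identity -AllowWhiteboard $true -ErrorAction Stop
        Write-Host "$($p.Identity): whiteboard enabled"
    } catch {
        # Some built-in policies cannot be modified; report rather than abort the loop
        Write-Warning "$($p.Identity): $($_.Exception.Message)"
    }
}

# Verification: this should list nothing once the change has applied
$stillOff = Get-CsTeamsMeetingPolicy | Where-Object { -not $_.AllowWhiteboard }
if ($stillOff) { $stillOff | Select-Object Identity, AllowWhiteboard | Format-Table -AutoSize }
```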


Note: This might take a couple of hours to apply to all users (in my case it took 7+ hours).

Testing the feature:

  1. To try this out, create a test meeting with another user and ensure the Whiteboard appears once the ‘Share’ option is clicked.


  2. Also, if you log in to office.com, you should be able to see the ‘Whiteboard’ app under the Apps list.


Troubleshooting:

If you still don’t see the feature in Teams meetings, try toggling the Whiteboard feature ‘Off’ in the Teams meeting policy, then turn it on again and try in a couple of hours.