From 520a3b81554551e06c3c9d62cd3a0e02f671dfce Mon Sep 17 00:00:00 2001 From: Ana Maria Martinez Gomez Date: Tue, 5 Nov 2024 18:23:39 +0100 Subject: [PATCH 1/2] Improve VM-Assert-Signature The current implementation of `VM-Assert-Signature` uses `Get-AuthenticodeSignature` status, that only checks that the file has a syntactically syntactically valid signature. Verify the signing authority using `signtool.exe`. --- packages/common.vm/common.vm.nuspec | 2 +- .../common.vm/tools/vm.common/vm.common.psm1 | 18 +++++++++--------- .../googlechrome.vm/googlechrome.vm.nuspec | 5 +++-- packages/metasploit.vm/metasploit.vm.nuspec | 5 +++-- .../sysinternals.vm/sysinternals.vm.nuspec | 5 +++-- 5 files changed, 19 insertions(+), 16 deletions(-) diff --git a/packages/common.vm/common.vm.nuspec b/packages/common.vm/common.vm.nuspec index 8ce9e3214..79076e2e5 100755 --- a/packages/common.vm/common.vm.nuspec +++ b/packages/common.vm/common.vm.nuspec @@ -2,7 +2,7 @@ common.vm - 0.0.0.20241029 + 0.0.0.20241106 Common libraries for VM-packages Mandiant diff --git a/packages/common.vm/tools/vm.common/vm.common.psm1 b/packages/common.vm/tools/vm.common/vm.common.psm1 index f976e6e06..6a54eb2a1 100755 --- a/packages/common.vm/tools/vm.common/vm.common.psm1 +++ b/packages/common.vm/tools/vm.common/vm.common.psm1 
@@ -128,20 +128,20 @@ function VM-Assert-Path { } } -# Raise an exception if the Signature of $file_path is invalid +# Raise an exception if the signtool.exe is not found or if the signature of $filePath is invalid +# vcbuildtools.vm installs signtool.exe function VM-Assert-Signature { [CmdletBinding()] Param( [Parameter(Mandatory=$true)] - [String] $file_path + [String] $filePath ) - $signature_status = (Get-AuthenticodeSignature -FilePath $file_path).Status - if ($signature_status -eq 'Valid') { - VM-Write-Log "INFO" "Valid signature: $file_path" - } else { - $err_msg = "Invalid signature: $file_path" - VM-Write-Log "ERROR" $err_msg - throw $err_msg + $signtoolPath = Get-ChildItem -Path "C:\Program Files*\Windows Kits\10\bin\*\x86\signtool.exe" | Select-Object -Last 1 + if (-Not $signtoolPath) { throw "signtool.exe not found" } + + & $signtoolPath verify /pa /all /tw /q $filePath + if ($LASTEXITCODE) { + throw "INVALID SIGNATURE: $filePath" } } diff --git a/packages/googlechrome.vm/googlechrome.vm.nuspec b/packages/googlechrome.vm/googlechrome.vm.nuspec index 9226cd9d1..71fe31c62 100644 --- a/packages/googlechrome.vm/googlechrome.vm.nuspec +++ b/packages/googlechrome.vm/googlechrome.vm.nuspec @@ -2,11 +2,12 @@ googlechrome.vm - 0.0.0.20241002 + 0.0.0.20241106 Google LLC. Chrome is a popular web browser. - + + diff --git a/packages/metasploit.vm/metasploit.vm.nuspec b/packages/metasploit.vm/metasploit.vm.nuspec index e14ef5de4..40b6cda4c 100644 --- a/packages/metasploit.vm/metasploit.vm.nuspec +++ b/packages/metasploit.vm/metasploit.vm.nuspec @@ -2,11 +2,12 @@ metasploit.vm - 6.4.13.20240614 + 6.4.13.20241106 Rapid7 A computer security project that provides information about security vulnerabilities, aids in penetration testing, and IDS signature development. - + + diff --git a/packages/sysinternals.vm/sysinternals.vm.nuspec b/packages/sysinternals.vm/sysinternals.vm.nuspec index f50d69e15..eb821024c 100644 --- a/packages/sysinternals.vm/sysinternals.vm.nuspec 
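Review bot: The new check in `VM-Assert-Signature` accepts any file whose Authenticode chain validates under `signtool verify /pa`, so an archive re-signed by a different but still trusted publisher would pass; nothing compares the signer with the vendor the calling package expects. Consider an optional expected-subject parameter, checked after the signtool call with something like `if ($expectedSubject -and (Get-AuthenticodeSignature -FilePath $filePath).SignerCertificate.Subject -notlike "*$expectedSubject*") { throw "Unexpected signer: $filePath" }`. Separately, `/q` together with the removal of both `VM-Write-Log` calls means neither a pass nor the reason for a failure is recorded. `if ($LASTEXITCODE)` also reports every non-zero exit as `INVALID SIGNATURE`, which as far as I can tell includes signtool's warning-only result when `/tw` finds no timestamp, so putting the exit code in the message, e.g. `throw "INVALID SIGNATURE (signtool exit $LASTEXITCODE): $filePath"`, would help triage.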
+++ b/packages/sysinternals.vm/sysinternals.vm.nuspec @@ -2,11 +2,12 @@ sysinternals.vm - 0.0.0.20240717 + 0.0.0.20241106 Mark Russinovich, Bryce Cogswell Sysinternals suite. - + + From ab05c629783a77ea9e5fe2e814835a5590bd4eb4 Mon Sep 17 00:00:00 2001 From: Ana Maria Martinez Gomez Date: Wed, 6 Nov 2024 12:37:02 +0100 Subject: [PATCH 2/2] [regcool.vm] Restore hash installation The new signature verification in `CM-Assert-Signature` using `signtool.exe` does not work for RegCool. Restore the previous installation checking the SHA256. As the tool is using a URL that does not include the version, the hash will change with every update, breaking the package. If the package is updated often, we will need to remove it from the default configuration (replacing it total-registry) or researching if it is possible to use `signtool.exe` to verify the package. Note that the previous package implementation being replaced here had an important bug: `VM-Assert-Signature` was not called at all, as `Get-ChildItem -Path "$toolDir\*.{exe,dll}"` does not match any file. --- packages/regcool.vm/regcool.vm.nuspec | 2 +- .../regcool.vm/tools/chocolateyinstall.ps1 | 34 ++----------------- 2 files changed, 3 insertions(+), 33 deletions(-) diff --git a/packages/regcool.vm/regcool.vm.nuspec b/packages/regcool.vm/regcool.vm.nuspec index b0692cb21..21d30e9cf 100644 --- a/packages/regcool.vm/regcool.vm.nuspec +++ b/packages/regcool.vm/regcool.vm.nuspec @@ -2,7 +2,7 @@ regcool.vm - 0.0.0.20240411 + 2.015 Kurt Zimmermann In addition to all the features that you can find in RegEdit and RegEdt32, RegCool adds many powerful features that allow you to work faster and more efficiently with registry related tasks diff --git a/packages/regcool.vm/tools/chocolateyinstall.ps1 b/packages/regcool.vm/tools/chocolateyinstall.ps1 index 210c23a50..015d91be3 100644 --- a/packages/regcool.vm/tools/chocolateyinstall.ps1 +++ b/packages/regcool.vm/tools/chocolateyinstall.ps1 
@@ -3,38 +3,8 @@ Import-Module vm.common -Force -DisableNameChecking $toolName = 'RegCool' $category = 'Registry' -$toolDir = Join-Path ${Env:RAW_TOOLS_DIR} $toolName $zipUrl = 'https://kurtzimmermann.com/files/RegCoolX64.zip' +$zipSha256 = '8fde37cf66024eb68be3c0e34125540f855626935f1cffc0fb7409f3ba343870' -try { - # Download zip - $packageArgs = @{ - packageName = $env:ChocolateyPackageName - file = Join-Path ${Env:TEMP} $toolName - url = $zipUrl - } - $filePath = Get-ChocolateyWebFile @packageArgs - - # Extract zip - Get-ChocolateyUnzip -FileFullPath $filePath -Destination $toolDir - - # Check signature of all unzip files - Get-ChildItem -Path "$toolDir\*.{exe,dll}" | ForEach-Object { - VM-Assert-Signature $_.FullName - } -} catch { - # Remove files with invalid signature - Remove-Item $toolDir -Recurse -Force -ea 0 | Out-Null - VM-Write-Log-Exception $_ -} - -try { - $shortcutDir = Join-Path ${Env:TOOL_LIST_DIR} $category - $shortcut = Join-Path $shortcutDir "$toolname.lnk" - $toolPath = Join-Path $toolDir "$toolName.exe" - Install-ChocolateyShortcut -shortcutFilePath $shortcut -targetPath $toolPath - VM-Assert-Path $shortcut -} catch { - VM-Write-Log-Exception $_ -} +VM-Install-From-Zip $toolName $category $zipUrl -zipSha256 $zipSha256 -consoleApp $false -innerFolder $false
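Review bot: The pinned `$zipSha256` is now the only integrity check for an archive fetched from an unversioned URL, and nothing in the script says so. A maintainer who hits a mismatch cannot tell from the file whether upstream shipped a new build or the download was altered. I would add a comment above the hash such as `# RegCoolX64.zip is unversioned: on mismatch, re-verify the new archive before updating this hash and the nuspec version`. `VM-Install-From-Zip` is defined outside this diff, so it is worth confirming that it aborts before extraction when the hash does not match, since the removed `catch` block that deleted `$toolDir` no longer exists here.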