Jira (PUP-11126) PowerShell Validity check

[Margaret Lee (Jira)]

Margaret Lee updated an issue

Puppet / PUP-11126 PowerShell Validity check Change By: Margaret Lee Team: Night's Watch Add Comment

This message was sent by Atlassian Jira (v8.13.2#813002-sha1:c495a97)

[Margaret Lee (Jira)]

Margaret Lee updated an issue

Puppet / PUP-11126 PowerShell Validity check Change By: Margaret Lee

It is possible for Puppet to run into error if the powershell.exe file is invalid.   Example error: 0x800700c1 ^ To my best understanding, this error indicates an OS integrity issue (some problem with some file flagged as a system file).   For example, if powershell.exe is a zero byte file along a valid PATH ($Env:Path), or along the first path specified in PATH, then the invalid powershell.exe file will be called by puppet or some module - even if a valid copy of powershell.exe exists along another or downstream path.   The proposed change would be in the agent, to verify by some mechanism, (file header, or signature) - that the powershell.exe file is valid.   If it's invalid: Catch the situation and log it   If valid: Proceed as normal component: pxp agent

Add Comment

[Margaret Lee (Jira)]

Margaret Lee moved an issue

Puppet / PUP-11126 PowerShell Validity check

Change By: Margaret Lee Component/s: pxp-agent Key: PE PUP - 32352 11126 Issue Type: New Feature Improvement Project: Puppet Enterprise [Internal]

Add Comment

[Josh Cooper (Jira)]

Josh Cooper commented on PUP-11126

Re: PowerShell Validity check I don't think this is a bug. If you have a corrupt executable that is in the PATH ahead of the real executable, then the OS will run the corrupt version. For example, the following C:\Users\josh> echo '' > powershell.exe C:\Users\josh> set PATH=C:\Users\josh;%PATH% C:\Users\josh> powershell.exe --version will generate an error message: Unsupported 16-Bit Application - The program of feature '??\c:\Users\josh\powershell.exe' cannot start or run due to incompatibility with 64-bit versions of Windows... Puppet's behavior is the same: C:\Users\josh>bundle exec puppet apply -e "exec { 'C:/Users/josh/powershell.exe': }" Notice: Compiled catalog for localhost in environment production in 0.27 seconds /Stage[main]/Main/Exec[C:/Users/josh/powershell.exe]/returns: change from 'notrun' to ['0'] failed: This version of %1 is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher. - CreateProcess Puppet should not try to second-guess the OS (such as skipping invalid entries in the PATH) as that could lead to security issues.

Add Comment

[Erwin Solis (Jira)]

Erwin Solis commented on PUP-11126

Re: PowerShell Validity check Josh Cooper I don't believe you replicated the scenario and instead created an entirely different outcome and subsequent error message with the steps you took. The request is not to second-guess the OS or its built-in security, the request is to catch and log the scenario provided with a descriptive error message, so that customers can identify the issue and correct it. It's also a good defensive coding practice to validate an external binary before attempting to have it execute code.

Add Comment

[Josh Cooper (Jira)]

Josh Cooper commented on PUP-11126

Re: PowerShell Validity check

Erwin Solis hmm, I'm confused, because you said: For example, if powershell.exe is a zero byte file along a valid PATH ($Env:Path), or along the first path specified in PATH, then the invalid powershell.exe file will be called by puppet

and that is exactly the scenario I reproduced. You also said: The proposed change would be in the agent, to verify by some mechanism, (file header, or signature) - that the powershell.exe file is valid.

That is something we can't/shouldn't do, because that is second guessing the OS. You also said: catch and log the scenario provided with a descriptive error message

which is something we already do as I showed in my comment above.

Add Comment