
In this post: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b the following PowerShell command is claimed to check for log4j vulnerabilities:

gci 'C:\' -rec -force -include *.jar -ea 0 | foreach {select-string "JndiLookup.class" $_} | select -exp Path

That results in access denied errors. Further checking reveals one has to run PowerShell as Administrator. https://learn.microsoft.com/en-us/answers/questions/32390/access-is-denied-while-i-am-running-a-command-in-p.html

Doing that still gives access denied errors. Further on in the above article it says to first issue:

Set-ExecutionPolicy AllSigned

That still gives Access Denied.

What is further required to get this to execute?

Gary Aitken

  • The access denied error means that your current user doesn't have permissions to read the file; the ExecutionPolicy is unrelated to that. – Santiago Squarzon Dec 16 '21 at 21:51
  • `-ea 0` is short for `-ErrorAction SilentlyContinue`, which normally suppresses error messages. Are you saying you're still getting them? Note that even when running _as admin_ there can be folders you're not allowed access to. – mklement0 Dec 16 '21 at 22:05
  • What you can do as of now is run the script you currently have, and get a list of those files that couldn't be read for later. – Santiago Squarzon Dec 16 '21 at 22:07
  • Note that there are system-defined junctions (links to other folders) that exist for backward compatibility only, whose content you're not permitted to enumerate even when running as admin - however, this isn't a problem, because they simply point to other folders whose enumeration _is_ permitted (only Windows PowerShell complains about these, PowerShell (Core) 7+ quietly skips them) - see [this answer](https://stackoverflow.com/a/63253342/45375). – mklement0 Dec 16 '21 at 22:22
  • As an aside: You can greatly speed up the command (which will still run for a long time) as follows: `gci C:\ -rec -force -filter *.jar -ea silentlycontinue | select-string "JndiLookup.class" | select -exp Path` – mklement0 Dec 16 '21 at 22:24
  • @mklement0 yes, I still get "Access is denied" errors. If I leave off the -ea 0, it says no access to path "C:\Documents and Settings", which seems strange. – Gary Aitken Dec 16 '21 at 22:58
  • The `C:\Documents and Settings` error is expected (in Windows PowerShell), as explained in the answer I previously linked to. It's strange that you're still getting errors with `-ea 0` == `-ErrorAction SilentlyContinue`, however. As an aside: You can collect them all by using `-ErrorVariable errs` and inspecting `$errs` afterwards. – mklement0 Dec 16 '21 at 23:18
  • Thanks, it appears all of the complaints are about those hidden junctions. – Gary Aitken Dec 17 '21 at 00:10
  • There was a vulnerability in minecraft-launcher. It was found by the script checkjindi.ps1, found here: https://github.com/CERTCC/CVE-2021-44228_scanner – Gary Aitken Dec 19 '21 at 20:23

1 Answer

tl;dr

Use the following, streamlined version of the command, which should also perform much better.

# Run WITH ELEVATION (as admin):
gci C:\ -rec -file -force -filter *.jar -ev errs 2>$null | # Use -filter, not -include
  select-string "JndiLookup.class" |  # Pipe directly to select-string
    select -exp Path

Note: -ea 0 - short for: -ErrorAction SilentlyContinue - should normally silence any error messages, but if that doesn't work for you for some reason, 2>$null should be effective.

-ev errs - short for: -ErrorVariable errs - collects all errors that occur in variable $errs, which you can examine after the fact to determine whether the errors are an indication of an actual permission problem.

Errors are expected in Windows PowerShell, even when running with elevation, namely relating to hidden system junctions, discussed below. However, you can ignore these errors.

In PowerShell (Core) 7+, where these errors no longer occur, you could omit -ev errs 2>$null above. Any errors that surface then would be indicative of a true permission problem.


Background information:

  • In general, even running with elevation (as admin) doesn't guarantee that all directories can be accessed. File-system ACLs at the directory level can prevent even elevated processes from enumerating the directory's files and subdirectories.

  • Notably, there are several hidden system junctions (links to other directories), defined for pre-Vista backward-compatibility only - such as C:\Documents and Settings and C:\Users\<username>\My Documents - that even elevated processes aren't permitted to enumerate the children of.

    • During file-system enumeration, this fact only becomes apparent in Windows PowerShell, which reports access-denied errors for these junctions. PowerShell (Core) 7+, by contrast, quietly skips them.
    • Even in Windows PowerShell the problem is only a cosmetic one, because these junctions merely point to directories that can be enumerated with elevation and therefore are with a -Recurse enumeration of the entire drive.
  • To find all these hidden system junctions:

     # Run WITH ELEVATION (as admin):
     # /ashdl = attributes: system, hidden, directory, reparse point (junction/link)
     cmd /c dir c:\ /s /b /ashdl
    

Additional information is in this answer.

mklement0
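As an added example that is not part of the original answer or the linked gist, here is the same scan wrapped in a function that keeps the errors collected by -ErrorVariable and sorts them into the expected hidden-junction errors and genuine permission problems, using the reparse-point attribute of the path named in each error record. The function name Invoke-JndiLookupScan, its parameter, and the assumption that each error record's TargetObject holds the unreadable path are mine, not the answer's.

```powershell
# Added example, not code from the original answer or the linked gist.
# Assumptions (mine): the function and parameter names, and that each
# enumeration error's TargetObject holds the path that could not be read.
# Run WITH ELEVATION (as admin).
function Invoke-JndiLookupScan {
    [CmdletBinding()]
    param(
        [string] $Root = 'C:\'
    )

    # Enumerate *.jar files under $Root.
    #   -Filter is applied by the file-system provider (much faster than -Include);
    #   -File skips directories; -Force includes hidden and system items;
    #   -ErrorAction SilentlyContinue hides the messages, while -ErrorVariable
    #   still records every error so it can be inspected afterwards.
    # A jar is a zip archive whose entry names sit uncompressed in the central
    # directory, so a plain substring search of the file bytes finds the entry.
    $hits = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -Filter *.jar `
                -ErrorAction SilentlyContinue -ErrorVariable enumErrors |
            Select-String -SimpleMatch 'JndiLookup.class' -List |
            Select-Object -ExpandProperty Path

    # Sort the collected errors. An error whose path is a reparse point is one of
    # the hidden backward-compatibility junctions ('C:\Documents and Settings',
    # 'C:\Users\<user>\My Documents', ...): its target is enumerated anyway, so
    # the error is cosmetic. Anything else is a directory that was really skipped.
    $junctionErrors = New-Object System.Collections.Generic.List[string]
    $realErrors     = New-Object System.Collections.Generic.List[object]
    foreach ($err in $enumErrors) {
        $target = $err.TargetObject -as [string]
        $item   = $null
        if ($target) {
            $item = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
        }
        if ($item -and (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0)) {
            $junctionErrors.Add($target)
        } else {
            $realErrors.Add($err)
        }
    }

    [pscustomobject]@{
        VulnerableJars   = @($hits)
        JunctionErrors   = $junctionErrors.ToArray()   # expected; safe to ignore
        RealAccessErrors = $realErrors.ToArray()       # need attention
    }
}

# Usage: report affected jars, then the two error classes separately.
$result = Invoke-JndiLookupScan -Root 'C:\'
'Jars containing JndiLookup.class:'
$result.VulnerableJars
"Expected hidden-junction errors (ignorable): $($result.JunctionErrors.Count)"
'Directories that could not be read (real permission problems):'
$result.RealAccessErrors | ForEach-Object { $_.ToString() }
```

Run it elevated. A non-empty RealAccessErrors means directories were actually skipped, so any jar beneath them was never inspected. Note also that the substring search only sees entry names stored uncompressed in a jar's own central directory; a jar nested inside another archive is found this way only if the outer archive stores it uncompressed rather than deflated.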