diogo-fernan / ir-rescue

A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.

Improper user data collection leads to domain user passwords being overwritten #3

Closed rebrec closed 7 years ago

rebrec commented 7 years ago

It seems there is an error in the script on lines 701 and 705 which can lead to domain users' passwords being overwritten (if the user executing the script has admin rights).

701 : net user !users[%%i]! /domain %USERDOMAIN% > NUL 2>&1
[...]
705 : call:cmd %SYS%\acc "net user !users[%%i]! /domain %USERDOMAIN%"

According to the net.exe documentation:

net user [<UserName> {<Password> | *} [<Options>]] [/domain]
...
/domain 
Performs the operation on the domain controller in the computer's primary domain.

The user's domain must not be provided after the /domain parameter.

As a consequence, the %USERDOMAIN% variable should be removed on lines 701 and 705.

The impact is quite severe since it overwrites the domain user password with the password contained in the variable %USERDOMAIN% (overwriting the domain admin password if you have this right...).

Tell me if you prefer a pull request.

Apart from that, really useful tool! Thanks for sharing.

diogo-fernan commented 7 years ago

You are correct. The %USERDOMAIN% specification is not necessary for the /domain option. I never ran into this issue because I never happened to run ir-rescue with a domain administrator account.

Feel free to make a pull request to remove the extra argument from the command.

Thanks.
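The hazard above is that `net user` reads a second positional argument as a new password, so a collection script run with admin rights silently mutates accounts. As an added example (not part of the issue or of ir-rescue), the following Python audit scans a batch script for `net user` calls and flags any that would change an account rather than just query it; the sample script is constructed from the two lines quoted in the issue plus their fixed forms, and the function and switch names are my own.

```python
import re

# net user switches that change account state even with no positional password.
MUTATING_SWITCHES = {"/add", "/delete", "/active", "/expires", "/passwordchg",
                     "/passwordreq", "/times", "/fullname", "/comment", "/homedir",
                     "/scriptpath", "/profilepath", "/workstations", "/usercomment"}

_NET_USER = re.compile(r"\bnet(?:\.exe)?\s+user\b(.*)", re.IGNORECASE)


def parse_net_user(line):
    """Return (positionals, switches) for the first `net user` call on a batch
    line, or None if there is none. A redirection, pipe, `&` or closing quote
    ends the command (the issue wraps one call in call:cmd ... "net user ...")."""
    m = _NET_USER.search(line)
    if not m:
        return None
    rest = re.split(r'[>|&"]', m.group(1), maxsplit=1)[0]
    tokens = rest.split()
    positionals = [t for t in tokens if not t.startswith("/")]
    switches = {t.split(":", 1)[0].lower() for t in tokens if t.startswith("/")}
    return positionals, switches


def classify(line):
    """'query' for a read-only call; 'mutates' when a second positional is
    present (net.exe treats it as the new password, as the issue reports) or a
    state-changing switch is used; None when the line has no net user call."""
    parsed = parse_net_user(line)
    if parsed is None:
        return None
    positionals, switches = parsed
    if len(positionals) >= 2 or switches & MUTATING_SWITCHES:
        return "mutates"
    return "query"


def audit(script):
    """Return [(line_no, line)] for every net user call that would mutate."""
    return [(n, ln.strip()) for n, ln in enumerate(script.splitlines(), 1)
            if classify(ln) == "mutates"]


# Constructed sample: the two lines quoted in the issue, then the fixed forms.
SAMPLE = """\
net user !users[%%i]! /domain %USERDOMAIN% > NUL 2>&1
call:cmd %SYS%\\acc "net user !users[%%i]! /domain %USERDOMAIN%"
net user !users[%%i]! /domain > NUL 2>&1
call:cmd %SYS%\\acc "net user !users[%%i]! /domain"
net user /domain
"""

if __name__ == "__main__":
    for n, ln in audit(SAMPLE):
        print(f"line {n}: would change an account: {ln}")
```

Running it reports only the first two sample lines, i.e. the original 701 and 705, as mutating.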