WMI createProperties does not account for none type values in an object property type

[0xthirteen]

Configuration

impacket version: v0.12.0
Python version: Python 3.12.6
Target OS: Windows 10

It looks like when querying WMI if a property value returned is an object, the WMI library doesn't account for a none type. This can be demonstrated with the wmiquery.py example script

Debug Output With Command String

We run into this with the TaskScheduler name space and specifically the MSFT_ScheduledTask class
If we query something like TaskName we get the expected output

PS C:\Python312\Scripts> python .\wmiquery.py -debug -namespace "Root/Microsoft/Windows/TaskScheduler" [email protected]
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: C:\Python312\Lib\site-packages\impacket
Password:
[+] Target system is 10.10.10.16 and isFQDN is False
[+] StringBinding: WindowsHost[49931]
[+] StringBinding: 10.10.10.16[49931]
[+] StringBinding chosen: ncacn_ip_tcp:10.10.10.16[49931]
[!] Press help for extra shell commands
WQL> select taskname from msft_scheduledtask
| TaskName |
| MicrosoftEdgeUpdateTaskMachineCore |
| MicrosoftEdgeUpdateTaskMachineUA |
| npcapwatchdog |
| OneDrive Reporting Task-S-1-5-21-3537606232-385064675-3504449738-1002 |
| OneDrive Standalone Update Task-S-1-5-21-3537606232-385064675-3504449738-1000 |
| OneDrive Standalone Update Task-S-1-5-21-3537606232-385064675-3504449738-1002 |
| GoogleUpdaterTaskSystem132.0.6806.0{2A343586-06EA-4B6E-9002-D1ED6DF80C2C} |

~SNIP~

However if we query Settings we get this

WQL> select settings from msft_scheduledtask
Traceback (most recent call last):
  File "C:\Python312\Lib\cmd.py", line 214, in onecmd
    func = getattr(self, 'do_' + cmd)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'WMIQUERY' object has no attribute 'do_select'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Python312\Scripts\wmiquery.py", line 86, in printReply
    pEnum = iEnum.Next(0xffffffff,1)[0]
            ^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Python312\Lib\site-packages\impacket\dcerpc\v5\dcom\wmi.py", line 2952, in Next
    interfaces.append(IWbemClassObject(
                      ^^^^^^^^^^^^^^^^^
  File "C:\Python312\Lib\site-packages\impacket\dcerpc\v5\dcom\wmi.py", line 2336, in __init__
    self.createProperties(self.getProperties())
  File "C:\Python312\Lib\site-packages\impacket\dcerpc\v5\dcom\wmi.py", line 2624, in createProperties
    value = IWbemClassObject( INTERFACE(self.get_cinstance(), objRef.getData(), self.get_ipidRemUnknown(),
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Python312\Lib\site-packages\impacket\dcerpc\v5\dcom\wmi.py", line 2336, in __init__
    self.createProperties(self.getProperties())
  File "C:\Python312\Lib\site-packages\impacket\dcerpc\v5\dcom\wmi.py", line 2622, in createProperties
    objRef['ObjectReferenceSize'] = len(properties[property]['value'].getData())
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'getData'
[-] 'NoneType' object has no attribute 'getData'

Additional context

The Settings property returns a value that's an object. There is a property inside of the Setting object that is called MaintenanceSetting that is not always present (depending on how the scheduled task is configured). When getProperties attempt to get the property information it throws the error on the function getData because the value doesn't exist as shown in the snippet below:

    def createProperties(self, properties):
        for property in properties:
            # Do we have an object property?
            if properties[property]['type'] == CIM_TYPE_ENUM.CIM_TYPE_OBJECT.value:
                # Yes.. let's create an Object for it too
                objRef = OBJREF_CUSTOM()
                objRef['iid'] = self._iid
                objRef['clsid'] = CLSID_WbemClassObject
                objRef['cbExtension'] = 0
                objRef['ObjectReferenceSize'] = len(properties[property]['value'].getData())
                objRef['pObjectData'] = properties[property]['value']
                value = IWbemClassObject( INTERFACE(self.get_cinstance(), objRef.getData(), self.get_ipidRemUnknown(),
                      oxid=self.get_oxid(), target=self.get_target()))

if we check for a property value of none (when its an object) before attempting to retrieve the value we can account for properties that may sometimes not exist

    def createProperties(self, properties):
        for property in properties:
            # Do we have an object property?
            if properties[property]['type'] == CIM_TYPE_ENUM.CIM_TYPE_OBJECT.value:
                if properties[property]['value'] is None:
                    value = None
                else:
                    # Yes.. let's create an Object for it too
                    objRef = OBJREF_CUSTOM()
                    objRef['iid'] = self._iid
                    objRef['clsid'] = CLSID_WbemClassObject
                    objRef['cbExtension'] = 0
                    objRef['ObjectReferenceSize'] = len(properties[property]['value'].getData())
                    objRef['pObjectData'] = properties[property]['value']
                    value = IWbemClassObject( INTERFACE(self.get_cinstance(), objRef.getData(), self.get_ipidRemUnknown(),
                        oxid=self.get_oxid(), target=self.get_target()))

WQL> select settings from MSFT_Scheduledtask
| Settings |
| 785634122c0e0000060057494e444f5753484f53540000524f4f545c4d6963726f736f66745c57696e646f77735c5461736b5363686564756c657200ac08000000000000 ~ SNIP ~