Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WMI createProperties does not account for none type values in an object property type #1845

Open
0xthirteen opened this issue Nov 7, 2024 · 0 comments · May be fixed by #1854
Open

WMI createProperties does not account for none type values in an object property type #1845

0xthirteen opened this issue Nov 7, 2024 · 0 comments · May be fixed by #1854
Assignees
Labels
bug Unexpected problem or unintended behavior

Comments

@0xthirteen
Copy link

0xthirteen commented Nov 7, 2024

Configuration

impacket version: v0.12.0
Python version: Python 3.12.6
Target OS: Windows 10

It looks like when querying WMI if a property value returned is an object, the WMI library doesn't account for a none type. This can be demonstrated with the wmiquery.py example script

Debug Output With Command String

We run into this with the TaskScheduler name space and specifically the MSFT_ScheduledTask class
If we query something like TaskName we get the expected output

PS C:\Python312\Scripts> python .\wmiquery.py -debug -namespace "Root/Microsoft/Windows/TaskScheduler" [email protected]
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies

[+] Impacket Library Installation Path: C:\Python312\Lib\site-packages\impacket
Password:
[+] Target system is 10.10.10.16 and isFQDN is False
[+] StringBinding: WindowsHost[49931]
[+] StringBinding: 10.10.10.16[49931]
[+] StringBinding chosen: ncacn_ip_tcp:10.10.10.16[49931]
[!] Press help for extra shell commands
WQL> select taskname from msft_scheduledtask
| TaskName |
| MicrosoftEdgeUpdateTaskMachineCore |
| MicrosoftEdgeUpdateTaskMachineUA |
| npcapwatchdog |
| OneDrive Reporting Task-S-1-5-21-3537606232-385064675-3504449738-1002 |
| OneDrive Standalone Update Task-S-1-5-21-3537606232-385064675-3504449738-1000 |
| OneDrive Standalone Update Task-S-1-5-21-3537606232-385064675-3504449738-1002 |
| GoogleUpdaterTaskSystem132.0.6806.0{2A343586-06EA-4B6E-9002-D1ED6DF80C2C} |

~SNIP~

However if we query Settings we get this

WQL> select settings from msft_scheduledtask
Traceback (most recent call last):
  File "C:\Python312\Lib\cmd.py", line 214, in onecmd
    func = getattr(self, 'do_' + cmd)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'WMIQUERY' object has no attribute 'do_select'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "C:\Python312\Scripts\wmiquery.py", line 86, in printReply
    pEnum = iEnum.Next(0xffffffff,1)[0]
            ^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Python312\Lib\site-packages\impacket\dcerpc\v5\dcom\wmi.py", line 2952, in Next
    interfaces.append(IWbemClassObject(
                      ^^^^^^^^^^^^^^^^^
  File "C:\Python312\Lib\site-packages\impacket\dcerpc\v5\dcom\wmi.py", line 2336, in __init__
    self.createProperties(self.getProperties())
  File "C:\Python312\Lib\site-packages\impacket\dcerpc\v5\dcom\wmi.py", line 2624, in createProperties
    value = IWbemClassObject( INTERFACE(self.get_cinstance(), objRef.getData(), self.get_ipidRemUnknown(),
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Python312\Lib\site-packages\impacket\dcerpc\v5\dcom\wmi.py", line 2336, in __init__
    self.createProperties(self.getProperties())
  File "C:\Python312\Lib\site-packages\impacket\dcerpc\v5\dcom\wmi.py", line 2622, in createProperties
    objRef['ObjectReferenceSize'] = len(properties[property]['value'].getData())
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'NoneType' object has no attribute 'getData'
[-] 'NoneType' object has no attribute 'getData'

Additional context

The Settings property returns a value that's an object. There is a property inside of the Setting object that is called MaintenanceSetting that is not always present (depending on how the scheduled task is configured). When getProperties attempt to get the property information it throws the error on the function getData because the value doesn't exist as shown in the snippet below:

    def createProperties(self, properties):
        for property in properties:
            # Do we have an object property?
            if properties[property]['type'] == CIM_TYPE_ENUM.CIM_TYPE_OBJECT.value:
                # Yes.. let's create an Object for it too
                objRef = OBJREF_CUSTOM()
                objRef['iid'] = self._iid
                objRef['clsid'] = CLSID_WbemClassObject
                objRef['cbExtension'] = 0
                objRef['ObjectReferenceSize'] = len(properties[property]['value'].getData())
                objRef['pObjectData'] = properties[property]['value']
                value = IWbemClassObject( INTERFACE(self.get_cinstance(), objRef.getData(), self.get_ipidRemUnknown(),
                      oxid=self.get_oxid(), target=self.get_target()))

if we check for a property value of none (when its an object) before attempting to retrieve the value we can account for properties that may sometimes not exist

    def createProperties(self, properties):
        for property in properties:
            # Do we have an object property?
            if properties[property]['type'] == CIM_TYPE_ENUM.CIM_TYPE_OBJECT.value:
                if properties[property]['value'] is None:
                    value = None
                else:
                    # Yes.. let's create an Object for it too
                    objRef = OBJREF_CUSTOM()
                    objRef['iid'] = self._iid
                    objRef['clsid'] = CLSID_WbemClassObject
                    objRef['cbExtension'] = 0
                    objRef['ObjectReferenceSize'] = len(properties[property]['value'].getData())
                    objRef['pObjectData'] = properties[property]['value']
                    value = IWbemClassObject( INTERFACE(self.get_cinstance(), objRef.getData(), self.get_ipidRemUnknown(),
                        oxid=self.get_oxid(), target=self.get_target()))
WQL> select settings from MSFT_Scheduledtask
| Settings |
| 785634122c0e0000060057494e444f5753484f53540000524f4f545c4d6963726f736f66745c57696e646f77735c5461736b5363686564756c657200ac08000000000000 ~ SNIP ~
@anadrianmanrique anadrianmanrique added the in review This issue or pull request is being analyzed label Nov 22, 2024
@anadrianmanrique anadrianmanrique added bug Unexpected problem or unintended behavior and removed in review This issue or pull request is being analyzed labels Nov 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Unexpected problem or unintended behavior
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants