From 72f6710a5de0e617c05fc85bfd143da077e89bc0 Mon Sep 17 00:00:00 2001 From: Ana Maria Martinez Gomez Date: Tue, 5 Nov 2024 18:23:39 +0100 Subject: [PATCH] Improve VM-Assert-Signature The current implementation of `VM-Assert-Signature` uses `Get-AuthenticodeSignature` status, that only checks that the file has a syntactically syntactically valid signature. Verify the signing authority using `signtool.exe`. --- packages/common.vm/common.vm.nuspec | 2 +- .../common.vm/tools/vm.common/vm.common.psm1 | 18 +++++++++--------- .../googlechrome.vm/googlechrome.vm.nuspec | 5 +++-- packages/metasploit.vm/metasploit.vm.nuspec | 5 +++-- .../sysinternals.vm/sysinternals.vm.nuspec | 5 +++-- 5 files changed, 19 insertions(+), 16 deletions(-) diff --git a/packages/common.vm/common.vm.nuspec b/packages/common.vm/common.vm.nuspec index 8ce9e3214..79076e2e5 100755 --- a/packages/common.vm/common.vm.nuspec +++ b/packages/common.vm/common.vm.nuspec @@ -2,7 +2,7 @@ common.vm - 0.0.0.20241029 + 0.0.0.20241106 Common libraries for VM-packages Mandiant diff --git a/packages/common.vm/tools/vm.common/vm.common.psm1 b/packages/common.vm/tools/vm.common/vm.common.psm1 index f976e6e06..039fa7e05 100755 --- a/packages/common.vm/tools/vm.common/vm.common.psm1 +++ b/packages/common.vm/tools/vm.common/vm.common.psm1 
@@ -128,20 +128,20 @@ function VM-Assert-Path { } } -# Raise an exception if the Signature of $file_path is invalid +# Raise an exception if the signtool.exe is not found or if the signature of $filePath is invalid +# vcbuildtools.vm installs signtool.exe function VM-Assert-Signature { [CmdletBinding()] Param( [Parameter(Mandatory=$true)] - [String] $file_path + [String] $filePath ) - $signature_status = (Get-AuthenticodeSignature -FilePath $file_path).Status - if ($signature_status -eq 'Valid') { - VM-Write-Log "INFO" "Valid signature: $file_path" - } else { - $err_msg = "Invalid signature: $file_path" - VM-Write-Log "ERROR" $err_msg - throw $err_msg + $signtoolPath = Get-ChildItem -Path "C:\Program Files*\Windows Kits\10\bin\*\x86\signtool.exe" | Select -Last 1 + if (-Not $signtoolPath) { throw "signtool.exe not found" } + + & $signtoolPath verify /pa /all /tw /q $filePath + if ($LASTEXITCODE) { + throw "INVALID SIGNATURE: $filePath" } } diff --git a/packages/googlechrome.vm/googlechrome.vm.nuspec b/packages/googlechrome.vm/googlechrome.vm.nuspec index 9226cd9d1..71fe31c62 100644 --- a/packages/googlechrome.vm/googlechrome.vm.nuspec +++ b/packages/googlechrome.vm/googlechrome.vm.nuspec @@ -2,11 +2,12 @@ googlechrome.vm - 0.0.0.20241002 + 0.0.0.20241106 Google LLC. Chrome is a popular web browser. - + + diff --git a/packages/metasploit.vm/metasploit.vm.nuspec b/packages/metasploit.vm/metasploit.vm.nuspec index e14ef5de4..40b6cda4c 100644 --- a/packages/metasploit.vm/metasploit.vm.nuspec +++ b/packages/metasploit.vm/metasploit.vm.nuspec @@ -2,11 +2,12 @@ metasploit.vm - 6.4.13.20240614 + 6.4.13.20241106 Rapid7 A computer security project that provides information about security vulnerabilities, aids in penetration testing, and IDS signature development. - + + diff --git a/packages/sysinternals.vm/sysinternals.vm.nuspec b/packages/sysinternals.vm/sysinternals.vm.nuspec index f50d69e15..eb821024c 100644 --- a/packages/sysinternals.vm/sysinternals.vm.nuspec 
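Review bot: The new `& $signtoolPath verify /pa /all /tw /q $filePath` call in VM-Assert-Signature checks that the file chains to a trusted root, but nothing in the hunk checks who signed it, so a binary with a valid Authenticode signature from any publisher would pass. A caller-supplied publisher would close that gap, for example an optional `[String] $expectedSigner` parameter checked with `if ($expectedSigner -and (Get-AuthenticodeSignature -FilePath $filePath).SignerCertificate.Subject -notlike "*$expectedSigner*") { throw "UNEXPECTED SIGNER: $filePath" }`; pinning a certificate thumbprint would be stricter than a subject match. The rewrite also drops both `VM-Write-Log` calls while passing `/q`, so a rejected file leaves only the exception text; a `VM-Write-Log "ERROR" "INVALID SIGNATURE: $filePath"` before the throw would keep the install log usable for triage. Finally, `/tw` presumably makes an untimestamped signature return a non-zero exit code, which `if ($LASTEXITCODE)` reports as invalid, so a comment such as `# non-zero covers both failures and /tw warnings (untimestamped signatures are rejected)` would record that this is intended.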
+++ b/packages/sysinternals.vm/sysinternals.vm.nuspec @@ -2,11 +2,12 @@ sysinternals.vm - 0.0.0.20240717 + 0.0.0.20241106 Mark Russinovich, Bryce Cogswell Sysinternals suite. - + +