x_detection
CVE-2021-34527 - PrintNightmare - Detection Script
Description
CVE-2021-34527, also known as PrintNightmare, is a critical vulnerability in the Windows Print Spooler service that allows attackers to execute arbitrary code with SYSTEM privileges, including remote code execution in certain configurations.
This detection script evaluates whether a system is potentially vulnerable to PrintNightmare by checking:
- Print Spooler Status:
  - Confirms whether the Print Spooler service is active. A running spooler service increases exposure.
- Point and Print Restrictions:
  - Analyzes registry settings to determine whether driver installations are restricted to administrators.
- ACLs on Printer Driver Directory:
  - Verifies that unauthorized users (e.g. Everyone or Authenticated Users) do not have write/modify/full control access to sensitive directories.
If the Print Spooler is running and mitigations are not fully in place, the system could still be vulnerable even if some protections are present.
Running this detection script will enable you to quickly assess whether your system is potentially vulnerable to CVE-2021-34527.
CVE-2022-0001: Detect Spectre Vulnerability
Description
This script checks whether the system is vulnerable to CVE-2022-0001 by verifying specific registry keys.
CVE-2022-0001 is a security vulnerability affecting certain Windows systems. The script inspects the Windows Registry to determine if the necessary mitigations are in place. It checks specific registry keys under the memory management section and provides an output indicating whether the system is protected or potentially vulnerable.
Exploitation of this vulnerability could allow attackers to execute malicious code or bypass security measures on the system. Identifying and mitigating this vulnerability is crucial for ensuring the integrity and security of the system.
HOW TO USE
- Open a PowerShell session with administrative privileges.
- Run the script in the PowerShell terminal.
- Review the output to determine whether the system is protected or needs the mitigation applied.
CVE-2025-2783: Detect Chrome Vulnerability
Description
Detect CVE-2025-2783: Check for Vulnerable Chrome Versions on Windows
This script checks whether the installed version of Google Chrome is vulnerable to CVE-2025-2783, a high-severity sandbox escape vulnerability affecting the Mojo component.
How it works:
- Defines the minimum secure version (134.0.6998.177).
- Scans both standard install paths for Chrome (Program Files and Program Files (x86)).
- Retrieves the installed version and compares it to the patched one.
- Displays whether Chrome is vulnerable or already updated.
- If Chrome is not installed, it reports that as well.
Why it matters:
CVE-2025-2783 allows remote attackers to escape the browser sandbox and potentially execute malicious code outside of Chrome's security boundaries. This was actively exploited in the wild as part of a cyber-espionage campaign. Detecting unpatched systems is crucial to prevent further exploitation and maintain system integrity. Use this script to quickly audit and harden your environment.
CVE-2025-2704: Detect OpenVPN DoS Vuln
Description
CVE-2025-2704 – OpenVPN Vulnerability Detection Script
Detect if your system is vulnerable to CVE-2025-2704, a denial-of-service vulnerability affecting OpenVPN servers (v2.6.1 to v2.6.13) that use tls-crypt-v2. This script identifies whether the running version and configuration put your server at risk.
How it works:
The script:
- Extracts the installed OpenVPN version.
- Compares it against the known vulnerable range.
- Scans all server configuration files in /etc/openvpn/server/ for the tls-crypt-v2 directive.
- Clearly reports whether your system is vulnerable or not.
Why it matters:
CVE-2025-2704 allows remote, unauthenticated attackers to crash OpenVPN servers using a combination of legitimate and crafted handshake packets if tls-crypt-v2 is enabled. Identifying vulnerable systems is essential for proactive defense and operational continuity.
CVE-2025-29824 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
Description
CVE-2025-29824 is a significant vulnerability in the Common Log File System (CLFS) driver, potentially allowing attackers to exploit systems where the driver is active and gain control over data and system functions.
This detection script helps identify possible exposure to CVE-2025-29824 by:
- Detecting the CLFS Driver: Checks if the Common Log File System (CLFS) driver components are present on the system.
- Checking Driver Status: Determines whether the CLFS driver is currently running, helping assess the system’s exposure risk.
- Providing a Risk Assessment: Displays a clear advisory based on findings, recommending whether security hardening measures should be considered.
Running this detection script will quickly inform you if your system might be at risk for CVE-2025-29824. However, this detection should be treated as an initial check — applying the latest security updates from Microsoft remains essential for complete protection.
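The check described above, as an added example that is not the repository's script: it reports whether clfs.sys is present, whether the CLFS kernel driver is running, which file version is installed, and which hotfixes the system lists. The page does not name the update that fixes CVE-2025-29824 for a given OS build, so that KB number is an optional, clearly marked placeholder parameter rather than something the code decides on its own.

```powershell
# Added example (not the repository's script): report presence, state and file version of the
# CLFS driver. The fixing KB for a given OS build is not on this page, so it is an optional
# parameter (placeholder) that you take from the Microsoft advisory for CVE-2025-29824.
function Get-ClfsStatus {
    $path   = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
    # Kernel drivers are not returned by Get-Service; Win32_SystemDriver exposes them.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='CLFS'" -ErrorAction SilentlyContinue
    $exists = Test-Path -LiteralPath $path
    $ver    = $null
    if ($exists) { $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersion }
    [pscustomobject]@{
        DriverFilePresent = $exists
        FileVersion       = $ver
        State             = $driver.State       # Running / Stopped
        StartMode         = $driver.StartMode   # Boot / System / Auto / Manual / Disabled
        OsBuild           = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
        InstalledHotfixes = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    }
}

function Test-ClfsExposure {
    param([string[]]$FixingKb = @())   # e.g. 'KB<number-from-advisory>' for this OS build (placeholder)
    $s = Get-ClfsStatus
    $kbInstalled = @($FixingKb | Where-Object { $s.InstalledHotfixes -contains $_ }).Count -gt 0
    $advisory = if (-not $s.DriverFilePresent) { 'CLFS driver file not found.' }
                elseif ($kbInstalled)           { 'Fixing update is installed; no action needed.' }
                elseif ($s.State -eq 'Running')  { 'CLFS is active and no fixing update was confirmed: install the latest cumulative update.' }
                else                             { 'CLFS present but not running; still apply the latest cumulative update.' }
    [pscustomobject]@{
        # Exposed = driver present and active while no known fixing update is confirmed.
        Exposed  = [bool]($s.DriverFilePresent -and $s.State -eq 'Running' -and -not $kbInstalled)
        Advisory = $advisory
        Details  = $s
    }
}

# Usage: Test-ClfsExposure | Format-List
#        Test-ClfsExposure -FixingKb 'KB<number-from-advisory>'
```

Get-HotFix lists the cumulative updates recorded by Windows Update, so passing the advisory's KB number turns the "initial check" into a yes/no answer for that build; without it the result is only "CLFS active, patch status unknown", which matches what the page's script reports.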
CVE-2025-24970: Netty Vulnerability Detection
Description
This script detects vulnerable versions of the Netty library (between 4.1.91 and 4.1.117) that may be affected by CVE-2025-24970. It also checks whether the recommended mitigation flag is present:
-Dio.netty.handler.ssl.noOpenSsl=true
The script performs two main tasks:
- It searches the filesystem for .jar files related to Netty (netty-handler or netty-all) and checks if their version falls within the vulnerable range.
- It scans .sh shell scripts that launch Java applications and reference Netty, verifying whether the mitigation flag is used.
The vulnerability CVE-2025-24970 in Netty can be exploited in environments using OpenSSL, potentially allowing remote code execution or the exposure of sensitive data through TLS channels.
Detecting vulnerable versions and ensuring mitigation is in place is crucial to:
- Minimize exploitation risk on servers using Netty.
- Maintain a secure environment for Java applications relying on this library.
- Follow security best practices and protect infrastructure until the library can be upgraded.
HOW TO USE
- Make the script executable: chmod +x detection.sh
- Run the script as superuser to scan the entire filesystem: sudo ./detection.sh
- The script will output:
  - The paths of any detected vulnerable Netty JARs.
  - Whether mitigation is present or missing in .sh scripts that launch Java with Netty.
CVE-2025-26633 - Security Feature Bypass in Microsoft Management Console
Description
CVE-2025-26633 is a vulnerability within the Microsoft Management Console (MMC), potentially allowing attackers to bypass essential security features, resulting in unauthorized access and manipulation of critical system components.
This detection script provides a preliminary evaluation to identify potential exposure to CVE-2025-26633 by:
- Assessing MMC Snap-in Restrictions: Checks if Group Policy restrictions on MMC snap-ins are configured, which can help limit abuse of MMC components.
- Verifying User Account Control (UAC) Status: Evaluates whether UAC is enabled, reducing the likelihood of privilege escalation via MMC.
- Handling Errors Gracefully: Wraps the checks in try/catch so that access errors are reported instead of aborting the diagnostic.
Running this detection script will help identify potential risk factors associated with CVE-2025-26633.
However, it does not guarantee a complete vulnerability assessment — installing the latest official security patches from Microsoft remains essential for full protection.
x_remediation
CVE-2021-34527 - PrintNightmare - Mitigation Script
Description
PrintNightmare (CVE-2021-34527) is a critical Windows Print Spooler vulnerability that can allow attackers to gain SYSTEM-level privileges and execute arbitrary code, including remotely, depending on configuration.
This mitigation script applies protections against PrintNightmare, reducing the attack surface by:
Restricting Point and Print:
- Forces driver installations to require administrative privileges.
- Prevents elevation-free prompts and automatic updates of printer drivers.
Securing Driver Directory Permissions:
- Removes dangerous write/modify/full access rights for low-privileged groups (e.g. Everyone, Authenticated Users).
Disabling Remote Printing:
- Stops inbound remote printing via Group Policy settings.
Reconfiguring the Print Spooler Service:
- Stops the Print Spooler and sets its startup type to manual (on-demand).
- Prevents the service from running persistently unless explicitly started.
These mitigations are temporary and do not replace official patches. Apply Microsoft’s security updates when possible. Keep in mind these mitigations may interfere with printing operations.
Running this mitigation script will help harden your system against CVE-2021-34527, reducing the risk of exploitation.
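The detection checks listed under x_detection and the four mitigations listed here operate on the same registry keys, directory ACL and service, so one added example covers both; it is not the repository's script. Registry value names are the ones Microsoft documents for Point and Print (RestrictDriverInstallationToAdministrators, NoWarningNoElevationOnInstall, UpdatePromptSettings) and for the "Allow Print Spooler to accept client connections" policy (RegisterSpoolerRemoteRpcEndPoint); the list of groups treated as low-privileged is this example's assumption.

```powershell
# Added example (not the repository's script): audit the PrintNightmare exposure points and, on
# request, apply the four mitigations described above. Run in an elevated session.
# Registry value names are the ones Microsoft documents for Point and Print and for the
# "Allow Print Spooler to accept client connections" policy; the risky-group list is an assumption.
$PointAndPrint  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$DriverDir      = Join-Path $env:SystemRoot 'System32\spool\drivers'
$RiskyGroups    = @('Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users')
# Write bits (0x116); Modify and FullControl include them, so one mask catches all three.
$WriteMask      = [int][System.Security.AccessControl.FileSystemRights]::Write

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is missing, instead of a terminating error.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-RiskyDriverDirAces {
    # Allow ACEs that give a low-privileged group write access to the driver directory.
    (Get-Acl -Path $DriverDir).Access | Where-Object {
        $RiskyGroups -contains $_.IdentityReference.Value -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights) -band $WriteMask) -ne 0
    }
}

function Test-PrintNightmareExposure {
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $r = [ordered]@{
        SpoolerRunning      = [bool]($spooler -and $spooler.Status -eq 'Running')
        # 1 = only administrators may install printer drivers (secure).
        RestrictToAdmins    = (Get-RegValue $PointAndPrint 'RestrictDriverInstallationToAdministrators') -eq 1
        # 0 (or unset) = warning and elevation prompt on install / on driver update (secure).
        WarnOnInstall       = (Get-RegValue $PointAndPrint 'NoWarningNoElevationOnInstall') -in @($null, 0)
        WarnOnUpdate        = (Get-RegValue $PointAndPrint 'UpdatePromptSettings') -in @($null, 0)
        # 2 = spooler refuses remote client connections.
        RemotePrintDisabled = (Get-RegValue $PrintersPolicy 'RegisterSpoolerRemoteRpcEndPoint') -eq 2
        RiskyDriverDirAces  = @(Get-RiskyDriverDirAces | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" })
    }
    # Exposed only while the spooler runs; any missing hardening then counts.
    $r.Vulnerable = $r.SpoolerRunning -and (-not $r.RestrictToAdmins -or -not $r.WarnOnInstall -or
                    -not $r.WarnOnUpdate -or $r.RiskyDriverDirAces.Count -gt 0)
    [pscustomobject]$r
}

function Invoke-PrintNightmareMitigation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($PointAndPrint, 'Restrict Point and Print to administrators')) {
        New-Item -Path $PointAndPrint -Force | Out-Null
        Set-ItemProperty -Path $PointAndPrint -Name 'RestrictDriverInstallationToAdministrators' -Value 1 -Type DWord
        Set-ItemProperty -Path $PointAndPrint -Name 'NoWarningNoElevationOnInstall' -Value 0 -Type DWord
        Set-ItemProperty -Path $PointAndPrint -Name 'UpdatePromptSettings' -Value 0 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($PrintersPolicy, 'Disable inbound remote printing')) {
        New-Item -Path $PrintersPolicy -Force | Out-Null
        Set-ItemProperty -Path $PrintersPolicy -Name 'RegisterSpoolerRemoteRpcEndPoint' -Value 2 -Type DWord
    }
    if ($PSCmdlet.ShouldProcess($DriverDir, 'Remove write access for low-privileged groups')) {
        # Inherited ACEs cannot be removed directly: make the ACL explicit, persist, then prune.
        $acl = Get-Acl -Path $DriverDir
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $DriverDir -AclObject $acl
        $acl = Get-Acl -Path $DriverDir
        foreach ($ace in @(Get-RiskyDriverDirAces)) { $acl.RemoveAccessRule($ace) | Out-Null }
        Set-Acl -Path $DriverDir -AclObject $acl
    }
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and set startup type to Manual')) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Manual
    }
}

# Usage: Test-PrintNightmareExposure | Format-List
#        Invoke-PrintNightmareMitigation -WhatIf   # preview, then run without -WhatIf
```

Run the audit before and after the mitigation: with the spooler stopped, Vulnerable reports false regardless of the other settings, which is exactly why the page stresses that a running spooler is the exposure condition. The ACL step breaks inheritance on the drivers directory, so record the original ACL (Get-Acl | Export-Clixml) before applying it if you need to roll back.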
CVE-2022-0001: Mitigate Spectre Vulnerability
Description
This PowerShell script mitigates the vulnerability CVE-2022-0001 (Branch Target Injection) by modifying specific Windows registry keys. It ensures that the required protections are enabled by setting the necessary registry values. The script checks for administrative privileges, verifies system requirements, and applies the registry changes, including error handling and status verification. A system reboot is required for the changes to take effect.
CVE-2022-0001 addresses a critical hardware vulnerability known as Branch Target Injection, which could allow an attacker to exploit speculative execution features in processors. By applying this mitigation, this script reduces the risk of exploitation, helping to protect the system against attacks that could lead to unauthorized access or information leakage. Enabling these mitigations is crucial for securing systems running vulnerable processors.
HOW TO USE
- Open PowerShell as Administrator.
- Run the script in the PowerShell window.
CVE-2025-2783: Mitigate Chrome Vulnerability
Description
Block Google Chrome Web Access via Windows Firewall
This script adds a Windows Firewall rule to block all outbound web traffic for Google Chrome, helping mitigate exploitation risks such as CVE-2025-2783 — a critical Chrome sandbox escape vulnerability.
How it works:
- Scans for both 32-bit and 64-bit Chrome installations.
- Validates that a firewall rule doesn’t already exist before creating it.
- Automatically creates a new outbound blocking rule per detected Chrome binary.
- Logs the actions to the console for auditability.
Why it matters:
CVE-2025-2783 was exploited in the wild to execute code outside Chrome’s sandbox, allowing full system compromise. While the ideal solution is to update Chrome, this firewall rule helps contain the threat by preventing Chrome from making outbound connections — effectively neutralizing payload delivery and communication with command-and-control servers. Use this mitigation when patching isn't immediately possible.
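The version comparison from the detection entry above and the per-binary firewall rule from this entry, as one added example (not the repository's scripts). The patched version 134.0.6998.177 and the two Program Files locations come from the text; the firewall rule's display-name format is this example's assumption.

```powershell
# Added example (not the repository's scripts): version check for CVE-2025-2783 plus the opt-in
# outbound firewall block per detected chrome.exe. The rule name format is an assumption.
$PatchedChrome    = [version]'134.0.6998.177'
$ChromeCandidates = foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
    if ($root) { Join-Path $root 'Google\Chrome\Application\chrome.exe' }   # skip null on 32-bit hosts
}

function Get-ChromeStatus {
    # One record per installed chrome.exe; empty output means Chrome is in neither location.
    foreach ($exe in $ChromeCandidates) {
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        # FileVersion is the four-part Chrome version. [version] compares numerically part by part,
        # so 134.0.6998.99 sorts below 134.0.6998.177 (a string comparison would get this wrong).
        $raw       = (Get-Item -LiteralPath $exe).VersionInfo.FileVersion
        $installed = [version](($raw -split '\s')[0])
        [pscustomobject]@{
            Path       = $exe
            Installed  = $installed
            Patched    = $PatchedChrome
            Vulnerable = $installed -lt $PatchedChrome
        }
    }
}

function Block-ChromeOutbound {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$OnlyIfVulnerable)   # default: block every detected build, as the original script does
    $statuses = @(Get-ChromeStatus)
    if ($statuses.Count -eq 0) { Write-Output 'Google Chrome is not installed.'; return }
    foreach ($s in $statuses) {
        if ($OnlyIfVulnerable -and -not $s.Vulnerable) { Write-Output "Up to date, skipping: $($s.Path)"; continue }
        $name = "Block Chrome outbound - $($s.Path)"
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Output "Rule already exists: $name"; continue
        }
        if ($PSCmdlet.ShouldProcess($s.Path, 'Create outbound block rule')) {
            New-NetFirewallRule -DisplayName $name -Direction Outbound -Action Block `
                -Program $s.Path -Profile Any -Enabled True | Out-Null
            Write-Output "Created rule: $name"
        }
    }
}

# Usage: Get-ChromeStatus | Format-Table Path, Installed, Vulnerable
#        Block-ChromeOutbound -OnlyIfVulnerable -WhatIf
```

The rule is keyed to the chrome.exe path, so it stops the browser process only; Google's separate updater binary is not covered by it and can still fetch the fixed build. Once Get-ChromeStatus shows Vulnerable = False, remove the rule with Remove-NetFirewallRule -DisplayName.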
CVE-2025-2704: Mitigate OpenVPN DoS Vuln
Description
CVE-2025-2704 – OpenVPN Vulnerability Mitigation
This script mitigates CVE-2025-2704 by safely disabling the tls-crypt-v2 directive in OpenVPN server configurations, a feature linked to a DoS vulnerability in versions 2.6.1 through 2.6.13.
How it works:
The script:
- Backs up the /etc/openvpn/server/server.conf file.
- Comments out any line using tls-crypt-v2.
- Advises the user to restart the OpenVPN service manually to apply the change.
Why it matters:
If immediate patching is not possible, disabling tls-crypt-v2 is a temporary mitigation to prevent attackers from crashing your OpenVPN server remotely. This simple change can help reduce downtime while buying time for a proper patch deployment.
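Both OpenVPN entries above (detection and mitigation) in one added example, not the repository's scripts, written for PowerShell 7 (pwsh) on the OpenVPN host so that it shares a language with the Windows examples on this page. The version range 2.6.1 through 2.6.13 and the /etc/openvpn/server/ directory come from the text; the binary name openvpn and the backup naming are assumptions.

```powershell
# Added example (not the repository's scripts), written for PowerShell 7 (pwsh) on the OpenVPN host.
# It covers both scripts above: the version-range check (2.6.1 through 2.6.13), the scan of
# /etc/openvpn/server/*.conf for an active tls-crypt-v2 directive, and an opt-in comment-out with a
# timestamped backup. The binary name and config directory are assumptions taken from the text above.
$VulnerableMin = [version]'2.6.1'
$VulnerableMax = [version]'2.6.13'
$ServerConfDir = '/etc/openvpn/server'
$TlsCryptV2    = '^\s*tls-crypt-v2(\s|$)'   # active directive only; excludes tls-crypt-v2-verify and comments

function Get-OpenVpnVersion {
    param([string]$Binary = 'openvpn')
    if (-not (Get-Command $Binary -ErrorAction SilentlyContinue)) { return $null }
    # First line looks like "OpenVPN 2.6.12 x86_64-pc-linux-gnu [SSL (OpenSSL)] ...".
    $line = & $Binary --version 2>&1 | Select-Object -First 1
    if ("$line" -match 'OpenVPN\s+(\d+\.\d+\.\d+)') { [version]$Matches[1] } else { $null }
}

function Test-OpenVpnVersionVulnerable([version]$Version) {
    [bool]($Version -and $Version -ge $VulnerableMin -and $Version -le $VulnerableMax)
}

function Find-TlsCryptV2Directives {
    param([string]$Dir = $ServerConfDir)
    if (-not (Test-Path -LiteralPath $Dir)) { return }
    Get-ChildItem -LiteralPath $Dir -Filter '*.conf' -File | ForEach-Object {
        $file = $_.FullName
        Select-String -LiteralPath $file -Pattern $TlsCryptV2 | ForEach-Object {
            [pscustomobject]@{ File = $file; Line = $_.LineNumber; Text = $_.Line.Trim() }
        }
    }
}

function Get-OpenVpnExposure {
    $ver         = Get-OpenVpnVersion
    $hits        = @(Find-TlsCryptV2Directives)
    $vulnVersion = Test-OpenVpnVersionVulnerable $ver
    [pscustomobject]@{
        Version           = $ver
        VersionVulnerable = $vulnVersion
        TlsCryptV2Configs = $hits
        # The crash is only reachable when tls-crypt-v2 is enabled, so both conditions must hold.
        Vulnerable        = $vulnVersion -and $hits.Count -gt 0
    }
}

function Disable-TlsCryptV2 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$Dir = $ServerConfDir)
    $files = @(Find-TlsCryptV2Directives -Dir $Dir | Select-Object -ExpandProperty File -Unique)
    foreach ($file in $files) {
        if (-not $PSCmdlet.ShouldProcess($file, 'Comment out tls-crypt-v2 (backup first)')) { continue }
        $backup = "$file.$(Get-Date -Format yyyyMMddHHmmss).bak"
        Copy-Item -LiteralPath $file -Destination $backup
        $patched = Get-Content -LiteralPath $file | ForEach-Object {
            if ($_ -match $TlsCryptV2) { "# CVE-2025-2704 mitigation: $_" } else { $_ }
        }
        Set-Content -LiteralPath $file -Value $patched
        Write-Output "Patched $file (backup: $backup). Restart the OpenVPN service to apply."
    }
}

# Usage: Get-OpenVpnExposure | Format-List
#        Disable-TlsCryptV2 -WhatIf
```

Unlike a plain grep, the pattern ignores commented-out lines and the distinct tls-crypt-v2-verify directive, so only a live tls-crypt-v2 setting counts. Note that clients provisioned with tls-crypt-v2 keys cannot complete the handshake once the server drops the directive, so schedule the change together with the matching client-side update.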
CVE-2025-29824 - Windows Common Log File System Driver Elevation of Privilege Vulnerability - Mitigation Script
Description
CVE-2025-29824 is a significant vulnerability in the Common Log File System (CLFS) driver, potentially allowing attackers to exploit systems where the driver is active and gain control over data and system functions.
This mitigation script applies temporary security adjustments to help reduce potential exposure to CVE-2025-29824 by:
- Modifying CLFS Driver Permissions: Adjusts the permissions on the driver's configuration so that the script is able to disable it.
- Disabling the CLFS Driver at Startup: Reconfigures the CLFS driver to prevent it from automatically starting with the system, reducing the attack surface.
- Recommending System Restart: Advises a system reboot to fully apply the configuration changes.
Running this mitigation script will configure your system with temporary defensive measures against CVE-2025-29824. However, these actions are not a substitute for proper patching — installing the latest official security updates from Microsoft remains crucial for complete protection.
When to use this script:
- You cannot patch immediately and need temporary mitigation against a known exploit.
- You have tested this mitigation in a staging environment.
- You can roll back quickly if something breaks.
CVE-2025-24970: Netty Vulnerability Mitigation
Description
This script automatically detects vulnerable versions of the Netty library (between 4.1.91 and 4.1.117) that are affected by CVE-2025-24970, and applies the recommended mitigation to shell scripts launching Java applications.
If a vulnerable JAR is found, the script locates all .sh files that execute Java processes and appends the following JVM flag if it's missing:
-Dio.netty.handler.ssl.noOpenSsl=true
This ensures that the application avoids unsafe interactions with OpenSSL, providing a temporary security layer until Netty is updated to a secure version.
CVE-2025-24970 is a serious vulnerability in Netty that can allow exploitation via unsafe OpenSSL usage, potentially leading to remote code execution or information leakage.
This script is valuable because:
- It automates detection and mitigation, reducing manual effort and error.
- It ensures consistent protection across all relevant Java applications using Netty.
- It creates a backup before applying changes, preserving system stability and recoverability.
- It's ideal for environments where immediate updates to Netty are not feasible.
Automating this process accelerates incident response and strengthens system hardening efforts.
HOW TO USE
- Make the script executable: chmod +x mitigation.sh
- Run the script as superuser: sudo ./mitigation.sh
- The script will:
  - Search the system for Netty JAR files within the vulnerable version range.
  - Identify .sh scripts that run Java.
  - Append the mitigation flag -Dio.netty.handler.ssl.noOpenSsl=true to scripts that don't already include it.
  - Create a .bak backup of each modified script.
After execution:
- Review modified files if necessary.
- Restart any affected Java applications to ensure the mitigation takes effect.
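Both Netty entries (detection and mitigation) in one added example, not the repository's scripts, written for PowerShell 7 (pwsh) on the Linux host. The version range 4.1.91 through 4.1.117, the netty-handler / netty-all artifact names and the flag come from the text. One deliberate difference: instead of editing the java command line inside each launcher, this example inserts the flag through the JAVA_TOOL_OPTIONS environment variable right after the shebang, which every JVM reads at startup; that choice is this example's, not the repository's.

```powershell
# Added example (not the repository's scripts), for PowerShell 7 (pwsh) on the Linux host. It locates
# netty-handler / netty-all JARs in the CVE-2025-24970 range (4.1.91 through 4.1.117), finds .sh files
# that run java and mention netty, and reports whether -Dio.netty.handler.ssl.noOpenSsl=true is set.
# The opt-in fix inserts the flag via JAVA_TOOL_OPTIONS after the shebang (this example's choice,
# not the repository's append-to-command-line approach) after writing a .bak copy.
$VulnMin = [version]'4.1.91'
$VulnMax = [version]'4.1.117'
$Flag    = '-Dio.netty.handler.ssl.noOpenSsl=true'

function Get-NettyJarVersion([string]$Path) {
    # Artifacts are named like netty-handler-4.1.100.Final.jar; only the numeric part is compared.
    if ([IO.Path]::GetFileName($Path) -match '^netty-(?:handler|all)-(\d+\.\d+\.\d+)') { [version]$Matches[1] } else { $null }
}

function Test-NettyVersionVulnerable([version]$Version) {
    [bool]($Version -and $Version -ge $VulnMin -and $Version -le $VulnMax)
}

function Find-VulnerableNettyJars {
    param([string[]]$Roots = @('/'))
    Get-ChildItem -Path $Roots -Recurse -File -Filter 'netty-*.jar' -ErrorAction SilentlyContinue | ForEach-Object {
        $v = Get-NettyJarVersion $_.FullName
        if (Test-NettyVersionVulnerable $v) { [pscustomobject]@{ Path = $_.FullName; Version = $v } }
    }
}

function Find-NettyLaunchers {
    param([string[]]$Roots = @('/'))
    Get-ChildItem -Path $Roots -Recurse -File -Filter '*.sh' -ErrorAction SilentlyContinue | ForEach-Object {
        $text = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
        # A launcher: invokes java (bare or by path) and references netty somewhere in the script.
        if ($text -and $text -match '(?m)(^|[\s/])java\s' -and $text -match 'netty') {
            [pscustomobject]@{ Path = $_.FullName; Mitigated = [bool]($text -match [regex]::Escape($Flag)) }
        }
    }
}

function Add-NettyMitigationFlag {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Roots = @('/'))
    if (@(Find-VulnerableNettyJars -Roots $Roots).Count -eq 0) { Write-Output 'No vulnerable Netty JAR found; nothing to do.'; return }
    foreach ($launcher in @(Find-NettyLaunchers -Roots $Roots | Where-Object { -not $_.Mitigated })) {
        $file = $launcher.Path
        if (-not $PSCmdlet.ShouldProcess($file, "Insert $Flag via JAVA_TOOL_OPTIONS")) { continue }
        Copy-Item -LiteralPath $file -Destination "$file.bak"
        $lines = [System.Collections.Generic.List[string]]::new([string[]]@(Get-Content -LiteralPath $file))
        # Every JVM reads JAVA_TOOL_OPTIONS at startup, so the java line itself is left untouched.
        $export = 'export JAVA_TOOL_OPTIONS="${JAVA_TOOL_OPTIONS:-} ' + $Flag + '"  # CVE-2025-24970 mitigation'
        $at = if ($lines.Count -gt 0 -and $lines[0].StartsWith('#!')) { 1 } else { 0 }   # keep the shebang first
        $lines.Insert($at, $export)
        Set-Content -LiteralPath $file -Value $lines
        Write-Output "Patched $file (backup: $file.bak)"
    }
}

# Usage: Find-VulnerableNettyJars | Format-Table
#        Find-NettyLaunchers | Format-Table
#        Add-NettyMitigationFlag -WhatIf
```

After restarting an application, the JVM announces "Picked up JAVA_TOOL_OPTIONS: ..." on stderr, which is a quick confirmation that the flag reached the process. Scanning from / also walks /proc and similar pseudo-filesystems, so on large hosts pass -Roots with the directories that actually hold your Java deployments.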
CVE-2025-26633 - Security Feature Bypass in Microsoft Management Console
Description
CVE-2025-26633 is a vulnerability within the Microsoft Management Console (MMC), potentially allowing attackers to bypass essential security features, resulting in unauthorized access and manipulation of critical system components.
This mitigation script applies temporary hardening measures to help reduce the risk posed by CVE-2025-26633 by:
- Enforcing MMC Snap-in Restrictions: Configures system policies to restrict permitted MMC snap-ins, limiting the available attack surface.
- Ensuring UAC Enforcement: Verifies and enables User Account Control (UAC), reducing the possibility of unauthorized privilege escalation.
Running this mitigation script will strengthen your system's defenses against exploitation attempts targeting CVE-2025-26633.
However, these actions are only temporary safeguards — applying the official security updates from Microsoft is critical for complete and lasting protection.
When to use this script:
- You cannot immediately apply patches but need urgent, temporary defenses.
- You have tested these settings in a non-production environment.
- You can monitor and revert configurations if any compatibility issues arise.
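The MMC checks from the detection entry above and the two hardening measures listed here, as one added example that is not the repository's script. The policy values are the documented ones: RestrictToPermittedSnapins and RestrictAuthorMode under the MMC policy key (with Restrict_Run per permitted snap-in CLSID) and EnableLUA for UAC; the snap-in CLSID shown is a placeholder.

```powershell
# Added example (not the repository's scripts): audit and, on request, apply the MMC snap-in
# restriction and UAC enforcement described above. Documented policy values are used:
# RestrictToPermittedSnapins / RestrictAuthorMode (MMC) and EnableLUA (UAC). Run elevated.
$MmcPolicy = 'HKCU:\Software\Policies\Microsoft\MMC'
$UacPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is missing, instead of a terminating error.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-MmcHardening {
    $r = [ordered]@{
        SnapinsRestricted   = (Get-RegValue $MmcPolicy 'RestrictToPermittedSnapins') -eq 1
        AuthorModeBlocked   = (Get-RegValue $MmcPolicy 'RestrictAuthorMode') -eq 1
        UacEnabled          = (Get-RegValue $UacPolicy 'EnableLUA') -eq 1
        # Elevation prompt for administrators: 0 = elevate silently, which weakens UAC in practice.
        AdminPromptBehavior = Get-RegValue $UacPolicy 'ConsentPromptBehaviorAdmin'
    }
    $r.Hardened = $r.SnapinsRestricted -and $r.AuthorModeBlocked -and $r.UacEnabled -and $r.AdminPromptBehavior -ne 0
    [pscustomobject]$r
}

function Invoke-MmcHardening {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # CLSIDs of snap-ins that must stay usable; with the restriction on, everything else is blocked.
        [string[]]$PermittedSnapinClsids = @('{CLSID-OF-PERMITTED-SNAPIN}')   # placeholder
    )
    if ($PSCmdlet.ShouldProcess($MmcPolicy, 'Restrict snap-ins to the permitted list and block author mode')) {
        New-Item -Path $MmcPolicy -Force | Out-Null
        Set-ItemProperty -Path $MmcPolicy -Name 'RestrictToPermittedSnapins' -Value 1 -Type DWord
        Set-ItemProperty -Path $MmcPolicy -Name 'RestrictAuthorMode' -Value 1 -Type DWord
        foreach ($clsid in ($PermittedSnapinClsids | Where-Object { $_ -notlike '{CLSID-*' })) {
            $key = Join-Path $MmcPolicy $clsid
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name 'Restrict_Run' -Value 0 -Type DWord   # 0 = permitted
        }
    }
    if ((Get-RegValue $UacPolicy 'EnableLUA') -ne 1 -and
        $PSCmdlet.ShouldProcess($UacPolicy, 'Enable UAC (EnableLUA = 1; takes effect after reboot)')) {
        Set-ItemProperty -Path $UacPolicy -Name 'EnableLUA' -Value 1 -Type DWord
    }
}

# Usage: Test-MmcHardening | Format-List
#        Invoke-MmcHardening -PermittedSnapinClsids '{CLSID-OF-PERMITTED-SNAPIN}' -WhatIf
```

The MMC policy lives under HKCU, so this applies to the user running it; for every account on the machine deploy the same values through Group Policy. Turning on RestrictToPermittedSnapins with an empty permitted list blocks all snap-ins, which is why the example takes the allow-list as a parameter and why the page asks for a non-production test first.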
x_ops
MacOS Integrity Checker
Description
This script is designed to check for potential anomalies in a macOS system by inspecting specific directories, looking for recently modified files, and verifying the integrity of important system binaries. Here’s a breakdown of its functionality:
- Checking LaunchAgents and LaunchDaemons:
The script examines four directories:
  - /Library/LaunchAgents
  - ~/Library/LaunchAgents
  - /Library/LaunchDaemons
  - ~/Library/LaunchDaemons
These directories typically contain files used for setting up services and background tasks. The script lists the contents of each directory and prints the details. If a directory does not exist, it logs a message stating so. This helps identify any suspicious or unexpected entries that could indicate malicious persistence mechanisms.
- Looking for Recently Modified Files:
The script then searches the /usr and /usr/local directories for files that have been modified within the past seven days. It uses find with the -mtime -7 option to identify recently changed files, then prints out detailed information about each file. This helps spot unusual recent activity, such as files altered or added by unauthorized processes.
- Verifying File Hashes of Known Binaries:
The final step involves checking the hashes of critical system binaries—specifically /bin/ls and /bin/bash. The script computes SHA checksums for these files using shasum and prints the results. By comparing these hashes to known good values, you can verify that the binaries have not been tampered with. If the files are missing, it logs that as well.
In summary, the script performs basic integrity checks and highlights potential signs of unauthorized modifications or suspicious persistence entries on a macOS system.
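The three checks above as one added example, not the repository's script, written for PowerShell 7 (pwsh) on macOS to stay in one language with the rest of this page. The four launchd directories, the /usr and /usr/local roots, the 7-day window and the two binaries come from the text; the addition is that each plist's ProgramArguments is extracted (via plutil, macOS 10.15 or later) and that the hashes are compared against a baseline you record from a known-good system, whose values below are placeholders.

```powershell
# Added example (not the repository's script), written for PowerShell 7 (pwsh) on macOS. It covers
# the same three checks: launchd directories (with each plist's ProgramArguments pulled out via
# plutil, macOS 10.15+), files under /usr and /usr/local changed in the last 7 days, and SHA-256 of
# /bin/ls and /bin/bash compared with a caller-supplied baseline. Baseline values are placeholders.
$LaunchDirs  = @('/Library/LaunchAgents', "$HOME/Library/LaunchAgents",
                 '/Library/LaunchDaemons', "$HOME/Library/LaunchDaemons")
$RecentRoots = @('/usr', '/usr/local')
$Baseline    = @{                              # record these from a known-good system of the same build
    '/bin/ls'   = '<SHA256-FROM-KNOWN-GOOD-SYSTEM>'
    '/bin/bash' = '<SHA256-FROM-KNOWN-GOOD-SYSTEM>'
}

function Get-LaunchdEntries {
    foreach ($dir in $LaunchDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { Write-Warning "Directory not present: $dir"; continue }
        Get-ChildItem -LiteralPath $dir -File -Filter '*.plist' | ForEach-Object {
            # What the job actually launches is the interesting part, not just the file name.
            $programArgs = (& plutil -extract ProgramArguments json -o - $_.FullName 2>$null) -join ''
            [pscustomobject]@{ Directory = $dir; Plist = $_.Name; Modified = $_.LastWriteTime; Program = $programArgs }
        }
    }
}

function Get-RecentlyModified {
    param([int]$Days = 7)
    $cutoff = (Get-Date).AddDays(-$Days)
    # /usr/local sits under /usr, so dedupe by path (equivalent to find -mtime -7 on both roots).
    Get-ChildItem -LiteralPath $RecentRoots -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $cutoff } |
        Sort-Object FullName -Unique |
        Select-Object FullName, LastWriteTime, Length
}

function Test-BinaryIntegrity {
    foreach ($entry in $Baseline.GetEnumerator()) {
        $path = $entry.Key
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; Status = 'missing'; Sha256 = $null }; continue
        }
        $hash   = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $status = if ($entry.Value -like '<*>') { 'no baseline' }
                  elseif ($hash -ieq $entry.Value) { 'match' } else { 'MISMATCH' }
        [pscustomobject]@{ Path = $path; Status = $status; Sha256 = $hash }
    }
}

# Usage: Get-LaunchdEntries | Format-Table -Wrap
#        Get-RecentlyModified | Format-Table
#        Test-BinaryIntegrity
```

On macOS Big Sur and later /bin sits on the sealed, read-only system volume, so a hash mismatch far more often means a different macOS build than tampering: keep one baseline per OS build and treat the launchd listing (an unexpected binary path in ProgramArguments, a plist modified recently) as the higher-signal check.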
Get & List Edge Extensions
Description
Edge Extension Extractor – Identify Installed Extensions
This script automatically identifies the currently active interactive user on a Windows system, locates their Microsoft Edge profile directory, and lists all installed browser extensions by reading the manifest.json files. It displays both the extension ID and, when available, the human-readable name from the manifest.
Why this matters: Visibility into Edge Browser Extensions
Browser extensions can introduce serious security risks, especially when installed without user consent or by malicious actors. This tool helps system administrators, incident responders, and auditors identify which Edge extensions are present per user, enabling quicker threat hunting or digital forensic investigations.
By focusing on the actual manifest files, it ensures accuracy even when extensions are obfuscated or renamed at the folder level.
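The procedure described above as an added example, not the repository's script: resolve the console user, walk each Edge profile's Extensions folder, and report ID, version and name from manifest.json. It also handles the case a plain manifest read gets wrong: names given as __MSG_key__ placeholders are looked up in the extension's _locales messages file. The Edge "User Data" layout (Default, Profile N, each with an Extensions folder holding one version subfolder per extension) is Edge's own.

```powershell
# Added example (not the repository's script): resolve the console user, walk each Edge profile's
# Extensions folder and report ID, version and name from manifest.json. Localized names of the form
# __MSG_key__ are looked up in the extension's _locales messages file. Run elevated so that another
# user's profile directory is readable.
function Get-InteractiveUser {
    # Win32_ComputerSystem.UserName is DOMAIN\user of the console session, or null with nobody logged on.
    $account = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
    if (-not $account) { throw 'No interactive user is logged on.' }
    $sid  = ([System.Security.Principal.NTAccount]$account).Translate([System.Security.Principal.SecurityIdentifier]).Value
    $prof = Get-CimInstance -ClassName Win32_UserProfile -Filter "SID='$sid'"
    if (-not $prof) { throw "No local profile for $account ($sid)." }
    [pscustomobject]@{ Account = $account; Sid = $sid; LocalPath = $prof.LocalPath }
}

function Resolve-ManifestName([string]$Name, [string]$VersionDir, [string]$DefaultLocale) {
    if ($Name -notmatch '^__MSG_(.+)__$') { return $Name }
    $key = $Matches[1]
    foreach ($loc in (@($DefaultLocale, 'en_US', 'en') | Where-Object { $_ } | Select-Object -Unique)) {
        $msgFile = Join-Path $VersionDir "_locales\$loc\messages.json"
        if (-not (Test-Path -LiteralPath $msgFile)) { continue }
        $messages = Get-Content -LiteralPath $msgFile -Raw | ConvertFrom-Json
        # PowerShell property lookup is case-insensitive, matching how the browser treats message keys.
        $entry = $messages.$key
        if ($entry) { return $entry.message }
    }
    $Name   # unresolved: return the raw placeholder so it stays visible in the report
}

function Get-EdgeExtensions {
    $user     = Get-InteractiveUser
    $userData = Join-Path $user.LocalPath 'AppData\Local\Microsoft\Edge\User Data'
    if (-not (Test-Path -LiteralPath $userData)) { Write-Warning "No Edge user data for $($user.Account)"; return }
    foreach ($profileDir in Get-ChildItem -LiteralPath $userData -Directory) {
        $extRoot = Join-Path $profileDir.FullName 'Extensions'
        if (-not (Test-Path -LiteralPath $extRoot)) { continue }          # e.g. System Profile, Guest Profile
        foreach ($extDir in Get-ChildItem -LiteralPath $extRoot -Directory) {
            # One subfolder per installed version; manifest.json sits inside it.
            foreach ($verDir in Get-ChildItem -LiteralPath $extDir.FullName -Directory) {
                $manifestPath = Join-Path $verDir.FullName 'manifest.json'
                if (-not (Test-Path -LiteralPath $manifestPath)) { continue }
                $m = Get-Content -LiteralPath $manifestPath -Raw | ConvertFrom-Json
                [pscustomobject]@{
                    User     = $user.Account
                    Profile  = $profileDir.Name
                    Id       = $extDir.Name
                    Version  = $m.version
                    Name     = Resolve-ManifestName $m.name $verDir.FullName $m.default_locale
                    Manifest = $manifestPath
                }
            }
        }
    }
}

# Usage: Get-EdgeExtensions | Format-Table Profile, Id, Version, Name
```

The extension ID (the folder name) is the stable identifier to pivot on during a hunt, since the display name is attacker-controlled text from the manifest; the resolved name is there for readability, not for matching.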
Block Execution of .lnk Files in Specified Folders
Description
Blocking .lnk Files Execution in Specific Folders
This script prevents the execution of .lnk (shortcut) files in specified folders for all active user accounts using Software Restriction Policies (SRP). The target directories include common user directories such as Downloads, Desktop, TEMP, and Public. It works by creating registry entries under:
HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths
The script ensures that .lnk files within these directories are not executed, thereby improving security by blocking potentially malicious shortcuts that could be used in phishing attacks or malware propagation.
Why It Matters
This technique enhances security by blocking .lnk files in commonly exploited directories. Attackers often use .lnk files to deliver payloads or initiate malicious scripts. By preventing their execution in high-risk directories, this script reduces the attack surface on the system.
How To Use
- Run the script with SYSTEM privileges for effective policy enforcement.
- Edit the $BlockedFolders array to specify the directories where .lnk files should be blocked (e.g., Downloads, Desktop).
- Monitor logs saved to the path defined in $LogFile to confirm proper execution and review detected profiles.
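The technique described above as an added example, not the repository's script: Software Restriction Policy path rules that disallow *.lnk in the chosen folders of every local user profile and in the Public folder, written under the registry key the text names. Rules follow the SRP registry layout (one GUID-named subkey per rule under ...\Safer\CodeIdentifiers\0\Paths, with ItemData holding the path pattern and SaferFlags 0); the $BlockedFolders contents and the $LogFile location are this example's assumptions.

```powershell
# Added example (not the repository's script): Software Restriction Policy path rules that disallow
# *.lnk in the chosen folders of every local user profile and in the Public folder. Rules use the SRP
# registry layout (one GUID-named subkey per rule under ...\Safer\CodeIdentifiers\0\Paths with ItemData
# and SaferFlags). $BlockedFolders and $LogFile are this example's assumptions. Run as SYSTEM/administrator.
$SaferRoot      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed     = Join-Path $SaferRoot '0\Paths'          # security level 0 = Disallowed
$BlockedFolders = @('Downloads', 'Desktop', 'AppData\Local\Temp')
$LogFile        = Join-Path $env:ProgramData 'lnk-block.log'

function Write-Log([string]$Message) {
    $line = "$(Get-Date -Format s) $Message"
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}

function Get-TargetFolders {
    # Real local profiles only (Special = service/system accounts), plus the shared Public folders.
    $paths = Get-CimInstance -ClassName Win32_UserProfile -Filter 'Special = FALSE' | Select-Object -ExpandProperty LocalPath
    foreach ($p in $paths) { Write-Log "profile $p"; foreach ($f in $BlockedFolders) { Join-Path $p $f } }
    foreach ($f in @('Downloads', 'Desktop')) { Join-Path $env:PUBLIC $f }
}

function Test-SrpPathRuleExists([string]$Pattern) {
    # Compare against ItemData of every existing rule so re-runs are idempotent.
    [bool](Get-ChildItem -Path $Disallowed -ErrorAction SilentlyContinue | Where-Object {
        (Get-ItemProperty -Path $_.PSPath).ItemData -ieq $Pattern })
}

function Add-LnkBlockRules {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess($SaferRoot, 'Enable SRP enforcement for LNK files')) {
        New-Item -Path $Disallowed -Force | Out-Null
        # TransparentEnabled 1 = enforce for all files except DLLs; DefaultLevel 262144 = Unrestricted,
        # so only the explicit Disallowed rules below bite; PolicyScope 0 = applies to all users.
        Set-ItemProperty -Path $SaferRoot -Name 'TransparentEnabled' -Value 1 -Type DWord
        Set-ItemProperty -Path $SaferRoot -Name 'DefaultLevel' -Value 262144 -Type DWord
        Set-ItemProperty -Path $SaferRoot -Name 'PolicyScope' -Value 0 -Type DWord
        # .lnk must be in the designated file types list or SRP will not evaluate it.
        $types = @((Get-ItemProperty -Path $SaferRoot -Name ExecutableTypes -ErrorAction SilentlyContinue).ExecutableTypes | Where-Object { $_ })
        if ($types -notcontains 'LNK') { Set-ItemProperty -Path $SaferRoot -Name 'ExecutableTypes' -Value ([string[]]($types + 'LNK')) -Type MultiString }
    }
    foreach ($folder in Get-TargetFolders) {
        $pattern = Join-Path $folder '*.lnk'
        if (Test-SrpPathRuleExists $pattern) { Write-Log "exists $pattern"; continue }
        if (-not $PSCmdlet.ShouldProcess($pattern, 'Add Disallowed SRP path rule')) { continue }
        $ruleKey = Join-Path $Disallowed ('{' + [guid]::NewGuid().ToString().ToUpper() + '}')
        New-Item -Path $ruleKey -Force | Out-Null
        Set-ItemProperty -Path $ruleKey -Name 'ItemData'    -Value $pattern -Type ExpandString
        Set-ItemProperty -Path $ruleKey -Name 'SaferFlags'  -Value 0 -Type DWord
        Set-ItemProperty -Path $ruleKey -Name 'Description' -Value 'Block .lnk execution in user folder' -Type String
        Write-Log "added  $pattern -> $ruleKey"
    }
}

# Usage: Add-LnkBlockRules -WhatIf   # preview; then run without -WhatIf and test with a harmless shortcut
```

Verify enforcement before relying on it: create an ordinary shortcut in a blocked folder and confirm it fails to open and that the block is recorded in the Application event log under the SoftwareRestrictionPolicies source. SRP is deprecated on recent Windows 11 releases in favour of AppLocker and WDAC, so on those builds plan the equivalent AppLocker path rule instead.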
That's it for now! See you next time.