Capture result code by PS or at end?

  • Colby Bouma

    I wrote a blog about doing that with the Intel SA-00086 Detection Tool a few years ago: https://www.pdq.com/blog/intel-sa-00086/

    However, that tool tattooed the registry itself, and that was before the PowerShell Scanner. You can capture exit codes in PowerShell like this:

    & cmd.exe /C 'tool.exe'
    $Result = $LASTEXITCODE

    I figured that out when I helped write the PowerShell example for GRC's InSpectre. I can't post the link because this forum doesn't like it for some reason.

  • Craig Mohr

    HA. Ok, well, this is for Intel's SA-00075, so.. yeah, Intel :) Same deal: they tattoo the registry, but it's very convoluted how to tell if it's vulnerable or not. Wonder why it's not liking the link. Guess there is no way to PM either?

    The fun part after detection is there's like 20 different versions of patches depending on the model. Some are shareable, some are not.
  • Colby Bouma

    Let's try this:

    https://www.grc.com/inspectre/InSpectre-Probe-Samples.zip
  • Craig Mohr

    Cool, that worked. Trying out your 86 stuff as well since I think that's on my list. Wish we would just dump these ancient machines.
  • Colby Bouma

    Woo, that worked! :D

    it's very convoluted how to tell if it's vulnerable or not.

    I built a table in my blog for SA-00086. I think I got it from the PDF they included with the tool, but that was 4 years ago, so my memory's a little fuzzy. I sent PDQ an email letting them know the table is currently mangled, so hopefully it will be readable within a few days.

  • Craig Mohr

    Ah, I noticed that looked a bit off. Thanks for your help. I have been wondering if you worked for PDQ or not since you're right on most of the answers here and in the live webinars. I guess that answers my question.
  • Colby Bouma

    Actually, I don't work for PDQ anymore.

  • Craig Mohr

    So the scanner from that blog post fails. You have a -d 0 switch in the scanner switches line which does not seem to be a valid switch from the output. Removing it produces results, but I'm not sure if that breaks anything else. I am a bit concerned about them since it says "hey, we are not supporting this ME version" in the scanner though. I am wondering if maybe you had an older version of the scanner that was supporting the old ME versions and that switch.

    Based on the analysis performed by this tool: The system is not supported
    Explanation:
    Firmware versions of Intel(R) ME 3.x thru 10.x, Intel(R) TXE 1.x thru 2.x and Intel(R) Server Platform Services 1.x thru 2.x are no longer supported, thus were not assessed for the vulnerabilities/CVEs listed in these Security Advisories. There is no new release planned for these versions.  

    The more I poke around, the more I feel fairly confident this is a new version of the tool. After running it and checking the registry, I found that the subkey the results are stored in has changed from

    SOFTWARE\Intel\Setup and Configuration Software\INTEL-SA-00086 Discovery Tool\System Status\System Risk

    To

    SOFTWARE\Intel\CSME Version Detection Tool\System Status

    Which kind of sucks since the page linking to it on Intel's site still says it's for Intel® Management Engine (Intel® ME 6.x/7.x/8.x/9.x/10.x/11.x)
  • Colby Bouma

    So the scanner from that blog post fails. You have a -d 0 switch in the scanner switches line which does not seem to be a valid switch from the output. Removing it produces results, but I'm not sure if that breaks anything else.

    Oh yeah, I forgot that they changed the tool a while ago. It looks like it runs fine without any switches now.

    The new registry path is:

    HKLM\SOFTWARE\Intel\CSME Version Detection Tool

    I am a bit concerned about them since it says "hey, we are not supporting this ME version" in the scanner though.

    I believe it still writes stuff like the ME version to the registry even if your ME is not supported, but I don't currently have an old system to test with. However, since they're unsupported, they won't be patched for any vulnerabilities discovered after their EOL date.

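    Putting the two halves of the thread together (the $LASTEXITCODE capture from the first reply and the new HKLM\SOFTWARE\Intel\CSME Version Detection Tool key from this one), here is an added example of a scanner-style script; it is not from the blog post, the thread, or Intel. The tool's executable path and the value names under System Status are not given in the thread, so the path is a hypothetical placeholder and every value under the key is enumerated rather than assumed.

```powershell
# Added example, not the thread's or Intel's own code.
# $ToolPath is a hypothetical placeholder; point it at the unpacked console tool.
param(
    [string]$ToolPath = 'C:\Tools\Intel-CSME-Detection\TOOL_PLACEHOLDER.exe'
)

# Registry key named in the thread (new tool version); value names are unknown here.
$RegKey = 'HKLM:\SOFTWARE\Intel\CSME Version Detection Tool\System Status'

if (-not (Test-Path -LiteralPath $ToolPath)) {
    throw "Detection tool not found at $ToolPath"
}

# Run through cmd.exe so $LASTEXITCODE reflects the native exit code,
# and keep the console text so the 'not supported' message can be flagged.
$Output   = & cmd.exe /C "`"$ToolPath`"" 2>&1
$ExitCode = $LASTEXITCODE

$Result = [ordered]@{
    ComputerName     = $env:COMPUTERNAME
    ExitCode         = $ExitCode
    # Text quoted in the thread for EOL ME/TXE/SPS firmware the tool no longer assesses.
    UnsupportedFw    = [bool](($Output -join "`n") -match 'The system is not supported')
    RegistryKeyFound = Test-Path -LiteralPath $RegKey
}

if ($Result.RegistryKeyFound) {
    $Item = Get-ItemProperty -LiteralPath $RegKey
    # Copy whatever the tool tattooed; names vary between tool versions,
    # so nothing beyond the key path itself is assumed.
    foreach ($Prop in $Item.PSObject.Properties) {
        if ($Prop.Name -notlike 'PS*') { $Result[$Prop.Name] = $Prop.Value }
    }
}

# One object per machine: ExitCode, UnsupportedFw, and the tool's own registry values.
[PSCustomObject]$Result
```

An UnsupportedFw of True with an exit code of 0 is the case the thread warns about: the tool ran cleanly, but the firmware was never assessed, so a "clean" result should not be read as patched.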
  • Craig Mohr

    Yeah, the bane of companies trying to eke every little penny out of systems and run them into the ground. :D Still, this was a ton of help, and it was very helpful to see how you did some things, which is going to make me adjust how I do a few things. Still only had about 3-4 months with PDQ so far.