Sunday, February 5, 2017

SCCM Inventory - Google Chrome Cisco WebEx Plugin


So I hope you are aware by now of the Cisco WebEx Zero-Day exploit that got identified in the previous weeks.  By now you might already have your Security Office knocking at your door to identify machines that have this extension installed and at what version.  Let's utilize SCCM to get them the answer.

Now Google Chrome likes to install plugins under a user's profile.  The exact path where the plugins are stored is:

"C:\Users\*PROFILENAME*\AppData\Local\Google\Chrome\User Data\Default\Extensions\"

Ok, so when we browse to this path we will see various folders with nonsense names.  An easy way to deduce which of these folders belongs to the WebEx extension is to install the plugin on a computer and then check the folder creation dates; the newest folder is the one.  Another way is to go inside the folders and open the ".PNG" files, where you'll see the familiar logos.  The Cisco WebEx plugin is in a folder labeled "jlhmfgmfgeifomenelglieieghnjghma".  Inside that folder you will see additional folders named with the plugin's version number.  In our example it's version 1.0.8_0, which is not vulnerable to the zero-day exploit.




Now we have been in IT long enough to recognize that where there is one exploit there will soon be another.  We are not going to only collect the Cisco WebEx plugin, we'll inventory all plugins in Google Chrome so we are prepared the next time the Security Office requests.  By looking inside each of the folders we know that all the plugins have a file named "Manifest.json" as an identifier.  We will plug this into SCCM's Software Inventory.

To modify the SCCM Software Inventory we will first go to "Administration - Overview - Client Settings" in the SCCM console.  From here, go to the properties of the "Default Client Settings" or the custom client settings that you have deployed to machines in your environment.




Now on the left-hand side click on "Software Inventory".




Now under "Software Inventory" we are looking for "Inventory these file types".  We will click on "Set Types..." here.




On this screen we will now hit the yellow/orange colored starburst icon in the top-right to create a new entry.  We will give it the filename "Manifest.JSON" and we will tell it the path of "C:\Users".  Click OK, OK, and finally OK once more to save the changes.




Now that the changes are made we can force a test machine to kick off its Software Inventory so we can start to collect some data.  We can check the inventory by checking "Resource Explorer" on that test computer or opening SQL Management Studio and checking "V_GS_SoftwareFile".






From this we can see we are collecting data, and we can also see the folder that identifies the Cisco WebEx plugin.  Below I have provided a custom SQL query that narrows the results down to just the Cisco WebEx plugin and makes them friendly for staff to read.


------------------------------------------------

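-- Machines with the Cisco WebEx Chrome extension, with the version parsed from the folder path
select distinct
    v_R_System.Netbios_Name0,
    v_R_System.User_Name0,
    v_GS_SoftwareFile.FileName,
    v_GS_SoftwareFile.FilePath,
    -- Version = the folder after the extension ID (33 = 32-character ID + '\'), minus the '_0\' suffix
    Replace(substring(v_GS_SoftwareFile.FilePath,
            charindex('jlhmfgmfgeifomenelglieieghnjghma\', v_GS_SoftwareFile.FilePath) + 33,
            len(v_GS_SoftwareFile.FilePath)), '_0\', '') as Version,
    v_GS_SoftwareFile.FileModifiedDate
from
    v_R_System
    inner join v_GS_SoftwareFile on v_GS_SoftwareFile.ResourceID = v_R_System.ResourceId
where
    v_GS_SoftwareFile.FileName like '%.json%'
    and v_GS_SoftwareFile.FilePath like '%jlhmfgmfgeifomenelglieieghnjghma%'
order by v_R_System.Netbios_Name0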

------------------------------------------------




So this query will give you just the details that are important.  We have an extra column that shows just the version number, which makes the report easier to read or sort.  We've also added the computer name and user name so the Security Office can identify who they should contact about updating their plugins.  You can now plug this into SSRS and have a nice report ready to give to your staff.

In the future, if there are additional plugins you'd like to identify, simply find the folder name for the plugin and modify the report as required to show only computers with that one specific folder or plugin installed.  Hopefully this helps get the Security Office out of your office for a little bit.
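For the "next time" case, the same inventory data can be listed for every Chrome extension at once instead of one hard-coded folder. The query below is an added example, not part of the original report. It assumes the path layout shown earlier (`...\User Data\Default\Extensions\<id>\<version>\`) and that extension folder names are 32 characters in the range a to p, as the WebEx one is.

```sql
-- Added example: every Chrome extension found by the Manifest.JSON inventory rule,
-- split into extension ID and version folder, one row per machine/user/extension.
-- Assumption: FilePath follows ...\User Data\Default\Extensions\<id>\<version>\
DECLARE @Marker nvarchar(100) = N'\Google\Chrome\User Data\Default\Extensions\';

SELECT DISTINCT
    s.Netbios_Name0,
    s.User_Name0,
    LEFT(t.Tail, 32)                               AS ExtensionId,
    -- first path segment after "<id>\"; safe even if no further '\' exists
    LEFT(v.Rest, CHARINDEX('\', v.Rest + '\') - 1) AS VersionFolder,
    sf.FileModifiedDate
FROM v_R_System AS s
INNER JOIN v_GS_SoftwareFile AS sf
    ON sf.ResourceID = s.ResourceID
-- Tail = everything after the Extensions folder: "<id>\<version>\"
CROSS APPLY (SELECT SUBSTRING(sf.FilePath,
                              CHARINDEX(@Marker, sf.FilePath) + LEN(@Marker),
                              LEN(sf.FilePath)) AS Tail) AS t
-- Rest = everything after the 32-character ID and its backslash
CROSS APPLY (SELECT SUBSTRING(t.Tail, 34, LEN(t.Tail)) AS Rest) AS v
WHERE sf.FileName = 'manifest.json'
  AND sf.FilePath LIKE '%' + @Marker + '%'
  -- keep only rows where the folder really looks like an extension ID
  AND t.Tail LIKE REPLICATE('[a-p]', 32) + '\%'
ORDER BY ExtensionId, s.Netbios_Name0;
```

Filtering the result on `ExtensionId = 'jlhmfgmfgeifomenelglieieghnjghma'` returns the WebEx rows only; swap in a different folder name when another extension needs to be reported on.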


2 comments:

  1. This information was extremely helpful, thank you! Do you know if there is a way to update the extension using SCCM?

    1. Sure, you can utilize SCCM Application model to deploy an updated version. You should be able to get the updated version from Cisco.
