Hard Coded Path and AppLocker

Hard Coded Path and AppLocker

Postby romanf » 11.08.2017, 08:43

Hi everyone,

Did I notice correctly that WSUSOffline will ONLY run if

- it is executed from C:\WSUSOFFLINE *and*
- AppLocker is not active?

Would it be possible to change WSUSOffline in a way to get rid of these two restrictions? :)

Thanks
Roman
romanf
 

Re: Hard Coded Path and AppLocker

Postby aker » 11.08.2017, 11:08

You may store wsusou, where you want.
But remember, that there are no special characters such as "!" or similar in the path. Also the path must not be longer than 192 characters.

I never worked with AppLocker before, but wsusou has to be able to run all binaries and scripts inside its "bin"- and "cmd"-directories.
Also wsusou will create some executable scripts (%temp%\SetSystemEnvVars.cmd, %temp%\SetFileVersion.cmd, ...), it needs to execute.
Wer Rechtschreibfehler findet, darf sie behalten oder an den Meistbietenden versteigern. / Everybody finding a misspelling is allowed to keep or sell it.
aker

WSUS Offline Update „Community Edition“
https://gitlab.com/wsusoffline/wsusoffline/-/releases
aker
 
Posts: 3999
Joined: 02.03.2011, 15:32

Re: Hard Coded Path and AppLocker

Postby romanf » 11.08.2017, 11:16

Hi aker,

Thanks for your reply!

Does "no special characters in path" also include spaces? I tried to put it under c:\program files\ ... and there it didn't work. :(

AppLocker prevents execution of binaries and scripts outside of configured directories. It's one measure for in-depth security. Would it be possible to change WSUSOU so that the generated scripts are dropped in a subdir of it's working dir and only in %temp% if it doesn't have the permissions to write in it's working dir?

Rgds
Roman
romanf
 

Re: Hard Coded Path and AppLocker

Postby Dalai » 11.08.2017, 14:41

romanf wrote:Does "no special characters in path" also include spaces?

No, it doesn't. I've been having WSUS Offline in a path with spaces for years and it works just fine.

I tried to put it under c:\program files\ ... and there it didn't work. :(

"Didn't work" means what exactly? Which error messages did you get (if any)? Do you have write permissions in this directory (i.e. did you run WSUS Offline as admin)?

Regards
Dalai
Dalai
 
Posts: 1041
Joined: 12.07.2016, 21:00

Re: Hard Coded Path and AppLocker

Postby boco » 13.08.2017, 22:23

Using protected OS directories for such purposes (writing files into them) isn't recommended. Windows will prevent any write access to the directories unless the application is started as Administrator (also not recommended as it's a potential attack vector).
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2391
Joined: 24.11.2009, 17:00
Location: Germany

Re: Hard Coded Path and AppLocker

Postby aker » 14.08.2017, 21:09

You may try this to redirect your TEMP-path:
- create a folder named "tmp" in your wsusou-dir
- rename .\cmd\custom\InitializationHook.cmdt to InitializationHook.cmd (just remove the "t" from the extension)
- open the file in an editor ans put this content inside
Code: Select all
cd "%~dp0..\.."
set WSUSOU_DIR=%cd%
cd "%~dp0"
if not exist "%WSUSOU_DIR%\tmp" (
   exit /b 1
)
set TEMP=%WSUSOU_DIR%\tmp


For UpdateInstaller do the same with .\client\cmd\custom\InitializationHook.cmdt
Wer Rechtschreibfehler findet, darf sie behalten oder an den Meistbietenden versteigern. / Everybody finding a misspelling is allowed to keep or sell it.
aker

WSUS Offline Update „Community Edition“
https://gitlab.com/wsusoffline/wsusoffline/-/releases
aker
 
Posts: 3999
Joined: 02.03.2011, 15:32


Return to Verschiedenes / Miscellaneous

Who is online

Users browsing this forum: Google [Bot] and 25 guests