漏洞描述
Ensure the "Password never expires" setting is disabled for all active user accounts so that password expiration policies can be enforced effectively.
password-never-expires: Password Expiry Setting Check
PoC代码[已公开]
id: password-never-expires
info:
name: Password Expiry Setting Check
author: nukunga[SungHyunJeon]
severity: medium
description:
Ensure the "Password never expires" setting is disabled for all active user accounts so that password expiration policies can be enforced effectively.
impact: |
Enabling the "Password never expires" setting overrides the maximum password age policy, preventing its enforcement and increasing the likelihood of credential compromise.
remediation: |
Disable the "Password never expires" setting using one of the following methods:
- Command Line: > wmic useraccount where name="USERNAME" set passwordexpires=true
- GUI: Use Local Security Policy to modify the user account settings accordingly.
reference:
- https://isms.kisa.or.kr/main/csap/notice/?boardId=bbs_0000000000000004&mode=view&cntId=85
tags: code,windows-audit,kisa,account-management,password-policy
self-contained: true
code:
- pre-condition: |
IsWindows();
engine:
- powershell
- powershell.exe
args:
- -ExecutionPolicy
- Bypass
pattern: "*.ps1"
source: |
# Check all local, active user accounts for the password expiry setting
$users = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True and Disabled=False"
$vulnerable = $users | Where-Object { $_.PasswordExpires -eq $false }
if ($vulnerable) {
"PASSWORD_NEVER_EXPIRES_ENABLED"
} else {
"PASSWORD_NEVER_EXPIRES_DISABLED"
}
matchers:
- type: word
words:
- "PASSWORD_NEVER_EXPIRES_ENABLED"
# digest: 4a0a0047304502203a4e9f5693235c56c670435681254344148b0278f6a6eca57a8b7f5efd5391ff022100e4ea776f07c36b837213a54e95d5e4f3bcc8344ef8b382bf3875c45303b56a3d:922c64590222798bb761d5b6d8e72950