Active Directory Orchestration Bug - Account Creation

  • 21 April 2022
  • 0 replies
  • 65 views

I found some bugs in Freshservice’s “Microsoft Active Directory – Orch” app.

1. I found that the account creation PowerShell script isn't sanitizing the -AccountPassword flag's ConvertTo-SecureString value, so you'll get the following errors if the password contains some special characters.

For example, New-ADUser -Name "Test Account" -AccountPassword (ConvertTo-SecureString goo)Club19 -AsPlainText -Force) will generate the error:

Unexpected token ')' in expression or statement.

Or

New-ADUser -Name "Test Account" -AccountPassword (ConvertTo-SecureString eUU9&k=wK -AsPlainText -Force) will generate:

The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation marks ("&") to pass it as part of a string.

ConvertTo-SecureString's value needs to be in quotation marks to run successfully, or the value should be a variable.

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/convertto-securestring?view=powershell-7.2#example-3-convert-a-plain-text-string-to-a-secure-string

These errors can be recreated by having a quotation mark or a parenthesis in the password field.

After recreating the error, the logs can be found at:

"C:\Program Files\Freshworks\Orchestration Server\osr\embed\services\orchestrator-winrm-service-win.wrapper.log"


2. The logs also indicate that the account creation script returns a success code if the above error occurs before the script actually runs, which is counter-intuitive: "The script exited with exit code 0". The error handling for this should be reviewed.

I've come to that conclusion because other successful actions have the same message, whereas failures output "The script exited with exit code 1".

This false exit code will result in the workflow automation execution logs stating that a Create User node ran successfully when it in fact failed.


Please forward this to the respective engineering team that created the “Microsoft Active Directory – Orch” app so that they can triage/fix.


For anyone else using the Active Directory Orchestration App, make sure you don't have quotation marks, parentheses, ampersands, or currency symbols in the password when using a Create Account/User node.


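The following is an added example written for this page; it is not code from the Freshservice "Microsoft Active Directory - Orch" app, whose script is not public. Part 1 reproduces the two parse errors quoted in the post without touching Active Directory: the command text is handed to the PowerShell parser and never executed. Part 2 shows the construction that avoids them, a parameterised script block whose text never contains the password, together with exit-code handling that reports 1 when the step fails. Quoting alone is not a complete fix in PowerShell: inside double quotes `$` and the backtick are still interpreted, and inside single quotes an embedded `'` must be doubled, so passing the value as an argument is the reliable route. The function names (`New-UnsafeCommandText`, `Get-ParseErrors`, `Invoke-CreateUser`), the `-DryRun` switch and the third sample password are assumptions made for this example; the first two passwords are the ones from the post.

```powershell
# Added example, not the orchestration app's own script.
# Part 1: parse (do not run) the unsafe command text to show why certain passwords break it.
# Part 2: the safe construction plus exit-code handling. Nothing here calls New-ADUser for real.
using namespace System.Management.Automation.Language

# Constructed sample passwords: the first two come from the post, the third is an assumption.
$samples = @('goo)Club19', 'eUU9&k=wK', 'It''s$9')

# Mimics the unsafe construction: the password is spliced straight into the script text.
function New-UnsafeCommandText {
    param([string]$Password)
    "New-ADUser -Name 'Test Account' -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force)"
}

# Runs the real PowerShell parser over command text and returns its parse errors (empty when clean).
function Get-ParseErrors {
    param([string]$CommandText)
    $tokens = $null; $errors = $null
    [Parser]::ParseInput($CommandText, [ref]$tokens, [ref]$errors) | Out-Null
    return @($errors)
}

# Part 1: every sample is checked the same way; the two passwords from the post yield the
# ')' and '&' errors quoted there. A password that happens to parse cleanly can still reach
# the cmdlet altered (quotes are consumed by the parser), so this check is a necessary,
# not a sufficient, test.
foreach ($pw in $samples) {
    $errors = Get-ParseErrors (New-UnsafeCommandText $pw)
    if ($errors.Count -gt 0) { "UNSAFE  '$pw' -> parse error: $($errors[0].Message)" }
    else                     { "UNSAFE  '$pw' -> parses (value may still be altered)" }
}

# Part 2: the password reaches the parser only as the identifier $Password; its value is bound
# at invocation time, so no password can change how the script parses.
$createUser = {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Password,
        [switch]$DryRun   # assumption for this offline example: skip the real AD call
    )
    $ErrorActionPreference = 'Stop'   # make cmdlet errors terminating so try/catch sees them
    $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
    if ($DryRun) { return "would call New-ADUser -Name '$Name' with a $($secure.Length)-char password" }
    New-ADUser -Name $Name -AccountPassword $secure
    return "created $Name"
}

# Plays the orchestrator's role: runs the step and returns the exit code the job should report.
# The script calling this should end with: exit (Invoke-CreateUser ...)
function Invoke-CreateUser {
    param([string]$Name, [string]$Password, [switch]$DryRun)
    try {
        $result = & $createUser -Name $Name -Password $Password -DryRun:$DryRun
        Write-Host $result
        return 0
    } catch {
        Write-Host "FAILED: $($_.Exception.Message)"
        return 1   # never report success for a step that threw
    }
}

# The script text is identical for every password, so it always parses: prints 0.
"SAFE    parse errors in script text: $((Get-ParseErrors $createUser.ToString()).Count)"

foreach ($pw in $samples) {
    $rc = Invoke-CreateUser -Name 'Test Account' -Password $pw -DryRun
    "SAFE    '$pw' -> exit code $rc"
}

# Failure path: an empty Name fails mandatory-parameter binding, the catch block runs,
# and the exit code is 1 instead of the 0 the post reports for a failed node.
$rc = Invoke-CreateUser -Name '' -Password $samples[0] -DryRun
"SAFE    empty name -> exit code $rc"
```

Run it in Windows PowerShell 5.1 or PowerShell 7; the AD module is not required. Dropping `-DryRun` makes `$createUser` call the real `New-ADUser`, so only do that on a host where creating "Test Account" is intended. The same pattern applies to any orchestration step that builds a command line from user-supplied fields: pass the field as a bound parameter, turn non-terminating errors into exceptions with `$ErrorActionPreference = 'Stop'`, and make the exit code the output of a try/catch rather than something that defaults to 0.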