x_ops
List Installed Google Chrome Extensions (MacOS Script)
PoC video
Description
✅ This script scans and lists all installed Chrome extensions from default profile directories on macOS. You can also specify a custom extension path if your Chrome profiles are stored in non-standard locations.
ℹ️ How it works:
- The script checks multiple Chrome profile paths (Default, Profile 1, Profile 2, etc.) and other Chromium-based browsers.
- If a custom extension path is set via the CUSTOM_EXTENSION_PATH variable, it also checks that location.
- It iterates through installed extensions, extracting names and versions from manifest.json.
- If an extension's name is stored as a locale message (e.g., __MSG_extensionName__), it resolves it using the appropriate language file.
- The script displays each extension's ID, name, version, and file path.
- Special handling is included for default extensions such as Google Wallet, whose names are not labeled correctly otherwise.
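An added Python example (not the page's script) that implements the scan described above for one profile directory, including the __MSG_ locale resolution; CHROME_BASE, the helper names and the sample extension built by make_fixture() are assumptions and constructed data, not real extension data.

```python
import glob
import json
import os
import re
import tempfile

# Standard Chrome profile root on macOS; Profile 1, Profile 2, ... and a custom path are scanned by calling list_extensions() on each.
CHROME_BASE = os.path.expanduser("~/Library/Application Support/Google/Chrome")
MSG_RE = re.compile(r"^__MSG_(\w+)__$")

def resolve_name(ext_dir, manifest):
    """Resolve a __MSG_key__ name through _locales/<lang>/messages.json."""
    name = manifest.get("name", "")
    m = MSG_RE.match(name)
    if not m:
        return name
    locales = os.path.join(ext_dir, "_locales")
    langs = [manifest.get("default_locale"), "en"]
    if os.path.isdir(locales):
        langs += sorted(os.listdir(locales))  # fall back to any shipped locale
    for lang in filter(None, langs):
        path = os.path.join(locales, lang, "messages.json")
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as f:
                entry = json.load(f).get(m.group(1))
            if entry and "message" in entry:
                return entry["message"]
    return name  # unresolved: keep the raw token so the gap stays visible

def list_extensions(profile_dir):
    """Return (id, name, version, path) for each <id>/<version>/manifest.json."""
    found = []
    for mpath in sorted(glob.glob(os.path.join(profile_dir, "Extensions", "*", "*", "manifest.json"))):
        ver_dir = os.path.dirname(mpath)
        ext_id, ver = ver_dir.split(os.sep)[-2:]
        with open(mpath, encoding="utf-8") as f:
            manifest = json.load(f)
        found.append((ext_id, resolve_name(ver_dir, manifest), manifest.get("version", ver), ver_dir))
    return found

def make_fixture():
    """Constructed sample profile with one localized extension (not real data)."""
    root = tempfile.mkdtemp()
    ver_dir = os.path.join(root, "Extensions", "a" * 32, "1.2.3_0")
    os.makedirs(os.path.join(ver_dir, "_locales", "en"))
    with open(os.path.join(ver_dir, "manifest.json"), "w") as f:
        json.dump({"name": "__MSG_extName__", "version": "1.2.3", "default_locale": "en"}, f)
    with open(os.path.join(ver_dir, "_locales", "en", "messages.json"), "w") as f:
        json.dump({"extName": {"message": "Sample Extension"}}, f)
    return root
```

On a real machine call list_extensions() on os.path.join(CHROME_BASE, "Default"), each "Profile N" directory and the custom path; make_fixture() only exists so the resolver can be exercised where Chrome is not installed.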
Remove User from Sudo Group
Description
This script is designed to safely remove a user from the sudo group on a Linux system, ensuring that administrative privileges are properly revoked without risk of misconfiguration. It begins by verifying that the script is run with root privileges and that the correct username is provided. The script checks if the user exists and is part of the sudo group, then proceeds with removing the user from the sudo group.
If enabled, the script creates a backup of the sudoers file before making any changes, ensuring a fail-safe in case of errors. After removal, the script verifies that the user has been successfully removed from the sudo group, with a warning if the user still appears in the sudo group. Additionally, it can list all current sudo users for verification.
Update Date Format for All Active User Accounts
PoC video
Description
✅ This script updates the date format for all active user accounts on a Windows machine. It modifies the short date format in the system registry to a custom pattern, which can be adjusted by changing the $datePattern variable.
ℹ️ The script maps the HKEY_USERS registry hive to access user-specific settings. It retrieves all active user accounts by checking their status through Win32_UserAccount. For each user, the script checks if their registry path exists (Control Panel\International) and updates the sShortDate value. If a user's registry path is missing or invalid, the script will output a warning message. The $datePattern variable allows you to set the desired short date format (e.g., MM/dd/yyyy). The script handles errors gracefully, outputting any issues encountered during execution.
x_detection
CVE-2025-27607: Detect Malicious Python Package
Description
🔒 CVE-2025-27607 Vulnerability Detection
This script checks whether the system is vulnerable to CVE-2025-27607 by detecting the presence of the malicious msgspec-python313-pre package in the Python environment. It is essential to know if your system is at risk to ensure appropriate mitigation steps are taken.
🔍 How it works:
- The script first activates the specified Python virtual environment.
- It then checks if the msgspec-python313-pre package is installed using pip list.
- If the package is found, it outputs a message indicating that the system is vulnerable to CVE-2025-27607.
- If the package is not installed, it confirms that the system is not vulnerable.
⚠️ Why it matters:
CVE-2025-27607 refers to a remote code execution vulnerability introduced due to the installation of a specific malicious package, msgspec-python313-pre. Attackers exploiting this vulnerability could execute arbitrary code on affected systems. Detecting this package is crucial to identify vulnerable systems and prevent potential exploits.
CVE-2025-25192: Detect GLPI Vulnerability
Description
This script detects the presence of the CVE-2025-25192 vulnerability in a GLPI installation. It verifies if the vulnerable file install/update.php exists and retrieves the installed GLPI version.
CVE-2025-25192 affects certain versions of GLPI where the file install/update.php remains accessible after installation. This can allow unauthorized users to execute actions that may compromise the system.
The script:
- Checks if the vulnerable file exists in the current directory.
- Detects the GLPI version from available sources (VERSION, composer.json, inc/define.php).
- Outputs relevant details, helping administrators determine if their system is at risk.
Exploiting this vulnerability can lead to unauthorized access and system compromise.
By using this script, administrators can quickly verify if their GLPI installation is at risk and take appropriate mitigation actions.
🛠️ HOW TO USE
- Ensure the script is inside the GLPI directory before running it.
- Make the script executable (only needed once).
- Run the script to check for the vulnerability.
- Review the output to see if the vulnerable file exists and what GLPI version is detected.
This allows quick and efficient verification of GLPI installations.
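The file check and version lookup described above, as an added Python example that is not the page's script; the GLPI_VERSION define pattern, the function names and the sample tree built by make_fixture() are assumptions and constructed data, and the check reports what it finds rather than judging whether a given version is affected.

```python
import json
import os
import re
import tempfile

# Version sources the page's script consults, tried in this order.
VERSION_SOURCES = ("VERSION", "composer.json", "inc/define.php")
DEFINE_RE = re.compile(r"""define\(\s*['"]GLPI_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)""")

def detect_version(glpi_dir):
    """Return (source, version) from the first source that yields a version, else (None, None)."""
    for rel in VERSION_SOURCES:
        path = os.path.join(glpi_dir, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8") as f:
            text = f.read()
        if rel == "VERSION":
            version = text.strip()
        elif rel == "composer.json":
            try:
                version = json.loads(text).get("version")
            except json.JSONDecodeError:
                version = None
        else:
            m = DEFINE_RE.search(text)
            version = m.group(1) if m else None
        if version:
            return rel, version
    return None, None

def check_glpi(glpi_dir):
    """Report whether install/update.php is still present, plus the detected version."""
    source, version = detect_version(glpi_dir)
    return {
        "vulnerable_file_present": os.path.isfile(os.path.join(glpi_dir, "install", "update.php")),
        "version": version,
        "version_source": source,
    }

def make_fixture():
    """Constructed GLPI-like tree (not a real install): leftover installer file and a define.php version."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "install"))
    os.makedirs(os.path.join(root, "inc"))
    open(os.path.join(root, "install", "update.php"), "w").close()
    with open(os.path.join(root, "inc", "define.php"), "w") as f:
        f.write("<?php\ndefine('GLPI_VERSION', '0.0.0-sample');\n")
    return root
```

Run check_glpi(os.getcwd()) from inside the GLPI directory; a result with vulnerable_file_present set to True means install/update.php was not removed after installation.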
x_remediation
CVE-2025-27607: Mitigate Vulnerable Python Package
Description
🔒 CVE-2025-27607 Vulnerability Mitigation
This script uninstalls the malicious msgspec-python313-pre package to mitigate CVE-2025-27607. It is vital to remove any vulnerable components that could allow an attacker to exploit the system, and this script provides a quick and automated way to do so.
🔍 How it works:
- The script activates the specified Python virtual environment.
- It checks if the msgspec-python313-pre package is installed.
- If the package is found, it is uninstalled automatically using pip uninstall -y.
- The script also reminds users to avoid installing development dependencies in production environments to reduce security risks.
⚠️ Why it matters:
By removing the malicious package, this script directly addresses CVE-2025-27607, which could allow attackers to execute arbitrary code. Mitigating this vulnerability is crucial to protect systems from unauthorized access and ensure the integrity and security of your Python environments. This script also encourages best practices in dependency management to avoid future vulnerabilities.
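An added Python example (not the page's scripts) covering both the detection steps from the x_detection section and the removal steps above for the msgspec-python313-pre package; it inspects the interpreter it runs under (the venv's python when the venv is activated) instead of activating one itself, compares PEP 503-normalized names so underscore and hyphen spellings match, and the dist-info directory built by make_fixture() is constructed data, not an installed package.

```python
import importlib.metadata as md
import os
import re
import subprocess
import sys
import tempfile

MALICIOUS_PKG = "msgspec-python313-pre"  # package named in CVE-2025-27607

def normalize(name):
    """PEP 503 normalization so 'msgspec_python313_pre' and the hyphenated form compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def find_package(pkg, search_path=None):
    """Return the installed version of pkg, or None. search_path overrides sys.path and
    lets the check run against a constructed site-packages without installing anything."""
    kwargs = {"path": search_path} if search_path is not None else {}
    for dist in md.distributions(**kwargs):
        if normalize(dist.metadata["Name"] or "") == normalize(pkg):
            return dist.version
    return None

def remediate(pkg=MALICIOUS_PKG, dry_run=True):
    """Uninstall pkg from the interpreter running this script (sys.executable), mirroring
    the page's 'pip uninstall -y'; dry_run=True only reports the command it would run."""
    version = find_package(pkg)
    if version is None:
        return "not installed"
    cmd = [sys.executable, "-m", "pip", "uninstall", "-y", pkg]
    if dry_run:
        return "would run: " + " ".join(cmd)
    subprocess.run(cmd, check=True)
    return f"removed {pkg} {version}"

def make_fixture():
    """Constructed site-packages directory holding only a fake dist-info record (no code)."""
    root = tempfile.mkdtemp()
    info = os.path.join(root, "msgspec_python313_pre-0.0.0.dist-info")
    os.makedirs(info)
    with open(os.path.join(info, "METADATA"), "w") as f:
        f.write("Metadata-Version: 2.1\nName: msgspec-python313-pre\nVersion: 0.0.0\n")
    return root
```

Call find_package(MALICIOUS_PKG) for the detection step and remediate(dry_run=False) for the removal step, running both with the virtual environment's interpreter.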
That's it for now! See you next week for Issue No.6