Module dependencies

lib/helpers/constants.rb

@@ -11,6 +11,7 @@ SCENARIO_SCHEMA_FILE = "#{ROOT_DIR}/lib/schemas/scenario_schema.xsd"
 VULNERABILITY_SCHEMA_FILE = "#{ROOT_DIR}/lib/schemas/vulnerability_metadata_schema.xsd"
 SERVICE_SCHEMA_FILE = "#{ROOT_DIR}/lib/schemas/service_metadata_schema.xsd"
 UTILITY_SCHEMA_FILE = "#{ROOT_DIR}/lib/schemas/utility_metadata_schema.xsd"
+GENERATOR_SCHEMA_FILE = "#{ROOT_DIR}/lib/schemas/generator_metadata_schema.xsd"
 NETWORK_SCHEMA_FILE = "#{ROOT_DIR}/lib/schemas/network_metadata_schema.xsd"
 BASE_SCHEMA_FILE = "#{ROOT_DIR}/lib/schemas/base_metadata_schema.xsd"
 
@@ -28,6 +29,7 @@ MODULES_PATH = "#{ROOT_DIR}/modules/"
 VULNERABILITIES_PATH = "#{MODULES_PATH}vulnerabilities/"
 SERVICES_PATH = "#{MODULES_PATH}services/"
 UTILITIES_PATH = "#{MODULES_PATH}utilities/"
+GENERATORS_PATH = "#{MODULES_PATH}generators/"
 NETWORKS_PATH = "#{MODULES_PATH}networks/"
 BASES_PATH = "#{MODULES_PATH}bases/"
 

lib/objects/module.rb

@@ -11,7 +11,8 @@ class Module
   # Module *selectors*, store filters in the attributes hash.
   # XML validity ensures valid and complete information.
 
-  attr_accessor :inputs
+  attr_accessor :write_outputs_to
+  attr_accessor :unique_id
 
   attr_accessor :conflicts
   attr_accessor :requires
@@ -21,7 +22,6 @@ class Module
   # @param [Object] module_type: such as 'vulnerability', 'base', 'service', 'network'
   def initialize(module_type)
     self.module_type = module_type
-    self.inputs = []
     self.conflicts = []
     self.requires = []
     self.attributes = {}

lib/readers/module_reader.rb

@@ -25,6 +25,11 @@ class ModuleReader
     return read_modules('utility', UTILITIES_PATH, UTILITY_SCHEMA_FILE, true)
   end
 
+  # reads in all utilities
+  def self.read_generators
+    return read_modules('generator', GENERATORS_PATH, GENERATOR_SCHEMA_FILE, true)
+  end
+
   # reads in all networks
   def self.read_networks
     return read_modules('network', NETWORKS_PATH, NETWORK_SCHEMA_FILE, false)

lib/readers/system_reader.rb

@@ -1,4 +1,5 @@
 require 'nokogiri'
+require 'digest'
 
 require_relative '../objects/system'
 require_relative '../objects/module'
@@ -50,18 +51,36 @@ class SystemReader
       end
 
       # for each module selection
-      system_node.xpath('vulnerability | service | utility | network | base').each do |module_node|
+      system_node.xpath('//vulnerability | //service | //utility | //network | //base | //generator').each do |module_node|
         # create a selector module, which is a regular module instance used as a placeholder for matching requirements
         module_selector = Module.new(module_node.name)
+
+        # create a unique id for tracking variables between modules
+        module_selector.unique_id = module_node.path.gsub(/[^a-zA-Z0-9]/, '')
+        # check if we need to be sending the module output to another module
+        module_node.xpath('parent::input').each do |input|
+          # Parent is input -- needs to send write value somewhere
+          input.xpath('..').each do |input_parent|
+            # Print.verbose "  -- Sends output to " + input_parent.path.gsub(/[^a-zA-Z0-9]/, '')
+
+            #TODO propagate unique ids and writes to to selected modules
+
+            module_selector.write_outputs_to = input_parent.path.gsub(/[^a-zA-Z0-9]/, '') + '_' + input.xpath('@into').to_s
+          end
+        end
+
         module_node.xpath('@*').each do |attr|
           module_selector.attributes["#{attr.name}"] = [attr.text] unless attr.text.nil? || attr.text == ''
         end
-        Print.verbose " #{module_node.name}, selecting based on:"
+        Print.verbose " #{module_node.name} (#{module_selector.unique_id}), selecting based on:"
         module_selector.attributes.each do |attr|
           if attr[0] && attr[1] && attr[0].to_s != "module_type"
             Print.verbose "  - #{attr[0].to_s} ~= #{attr[1].to_s}"
           end
         end
+        if module_selector.write_outputs_to
+          Print.verbose "  -- writes to: " + module_selector.write_outputs_to
+        end
 
         module_selectors << module_selector
       end

lib/schemas/scenario_schema.xsd

@@ -11,6 +11,19 @@
     </xs:complexType>
   </xs:element>
 
+  <xs:complexType name="InputElements">
+    <xs:sequence>
+      <xs:choice minOccurs="0" maxOccurs="unbounded">
+        <xs:element name='vulnerability' type='VulnerabilityType' minOccurs='0' maxOccurs='unbounded' />
+        <xs:element name='service' type='ServiceUtilityGeneratorType' minOccurs='0' maxOccurs='unbounded' />
+        <xs:element name='utility' type='ServiceUtilityGeneratorType' minOccurs='0' maxOccurs='unbounded' />
+        <xs:element name='network' type='NetworkType' minOccurs='0' maxOccurs='unbounded' />
+        <xs:element name='generator' type='ServiceUtilityGeneratorType' minOccurs='0' maxOccurs='unbounded' />
+      </xs:choice>
+    </xs:sequence>
+    <xs:attribute name='into' type='xs:string'/>
+
+  </xs:complexType>
   <xs:complexType name="SystemType">
     <xs:sequence>
       <xs:element name="system_name" minOccurs="1" maxOccurs="1">
@@ -23,8 +36,8 @@
       <xs:element name='base' type='BaseType' minOccurs='1' maxOccurs='1' />
       <xs:choice minOccurs="0" maxOccurs="unbounded">
         <xs:element name='vulnerability' type='VulnerabilityType' minOccurs='0' maxOccurs='unbounded' />
-        <xs:element name='service' type='ServiceType' minOccurs='0' maxOccurs='unbounded' />
-        <xs:element name='utility' type='UtilityType' minOccurs='0' maxOccurs='unbounded' />
+        <xs:element name='service' type='ServiceUtilityGeneratorType' minOccurs='0' maxOccurs='unbounded' />
+        <xs:element name='utility' type='ServiceUtilityGeneratorType' minOccurs='0' maxOccurs='unbounded' />
         <xs:element name='network' type='NetworkType' minOccurs='0' maxOccurs='unbounded' />
       </xs:choice>
     </xs:sequence>
@@ -48,13 +61,9 @@
 
   <xs:complexType name="VulnerabilityType">
     <xs:sequence>
-      <xs:element name="input" type='xs:string' minOccurs="1" maxOccurs="unbounded">
-          <!--TODO<xs:attribute name="name" type="xs:string"/>-->
-
-      </xs:element>
+      <xs:element name="input" type="InputElements" minOccurs="0" maxOccurs="unbounded" />
     </xs:sequence>
 
-
     <xs:attribute name="module_path" type="xs:string"/>
 
     <xs:attribute name="name" type="xs:string"/>
@@ -67,6 +76,9 @@
     <xs:attribute name="access" type="xs:string"/>
     <xs:attribute name="platform" type="xs:string"/>
 
+    <!--optional vulnerability inputs-->
+    <xs:attribute name="read_fact" type="xs:string"/>
+
     <!--optional vulnerability details-->
     <xs:attribute name="difficulty" type="xs:string"/>
     <xs:attribute name="cve" type="xs:string"/>
@@ -85,23 +97,7 @@
     <xs:attribute name="solution" type="xs:string"/>
   </xs:complexType>
 
-  <xs:complexType name="ServiceType">
-    <xs:attribute name="module_path" type="xs:string"/>
-
-    <xs:attribute name="name" type="xs:string"/>
-    <xs:attribute name="author" type="xs:string"/>
-    <xs:attribute name="module_license" type="xs:string"/>
-    <xs:attribute name="description" type="xs:string"/>
-    <xs:attribute name="type" type="xs:string"/>
-    <xs:attribute name="platform" type="xs:string"/>
-
-    <xs:attribute name="reference" type="xs:string"/>
-    <xs:attribute name="software_name" type="xs:string"/>
-    <xs:attribute name="software_license" type="xs:string"/>
-
-  </xs:complexType>
-  
-  <xs:complexType name="UtilityType">
+  <xs:complexType name="ServiceUtilityGeneratorType">
     <xs:attribute name="module_path" type="xs:string"/>
 
     <xs:attribute name="name" type="xs:string"/>

lib/schemas/vulnerability_metadata_schema.xsd

@@ -6,6 +6,7 @@
 
   <xs:simpleType name="privlegeOptions">
     <xs:restriction base="xs:string">
+      <xs:enumeration value="info_leak"/>
       <xs:enumeration value="user"/>
       <xs:enumeration value="root"/>
     </xs:restriction>
@@ -92,6 +93,9 @@
         <xs:element name="access" type="accessOptions" minOccurs="1" maxOccurs="1"/>
         <xs:element name="platform" type="platformOptions" minOccurs="1" maxOccurs="1"/>
 
+        <!--optional input values-->
+        <xs:element name="read_fact" type="xs:string" minOccurs="0" maxOccurs="unbounded"/>
+
         <!--optional vulnerability details-->
         <xs:element name="difficulty" type="difficultyOptions" minOccurs="0" maxOccurs="1"/>
         <xs:element name="cve" type="CVEregexp" minOccurs="0" maxOccurs="unbounded"/>

modules/vulnerabilities/unix/nfs/nfs_overshare/manifests/config.pp

@@ -1,25 +1,12 @@
 class nfs_overshare::config {
 
-  package { ['nfs-kernel-server', 'nfs-common', 'portmap']:
-      ensure => installed
-  }
-
-
-  file { '/etc/exports':
+  file { '/export_nfs/something':
     require => Package['nfs-common'],
     ensure  => present,
     owner   => 'root',
     group   => 'root',
     mode    => '0777',
-    content  => template('nfs_overshare/exports.erb')
+    content  => template('nfs_overshare/overshare.erb')
   }
 
-  exec { "exportfs":
-      require => Package['nfs-common'],
-      command => "exportfs -a",
-      path    => "/usr/sbin",
-      # path    => [ "/usr/local/bin/", "/bin/" ],  # alternative syntax
-  }
 }
-
-

modules/vulnerabilities/unix/nfs/nfs_overshare/secgen_metadata.xml

@@ -3,21 +3,24 @@
 <vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
-  <name>NFS write access to FS</name>
-  <author>Lewis Ardern</author>
+  <name>NFS Share Leak</name>
+  <author>Z. Cliffe Schreuders</author>
   <module_license>MIT</module_license>
-  <description>NFS misconfigured to be mountable from anyone that can interact with it.</description>
+  <description>NFS misconfigured to be mountable from anyone that can interact with it, sharing something extra.</description>
 
   <type>nfs</type>
-  <privilege>user</privilege>
+  <privilege>info_leak</privilege>
   <access>remote</access>
   <platform>linux</platform>
 
+  <read_fact>strings_to_leak</read_fact>
+  <read_fact>files_to_leak</read_fact>
+
   <!--optional vulnerability details-->
   <difficulty>low</difficulty>
   <!--<cve></cve>-->
-  <cvss_base_score>6.6</cvss_base_score>
-  <cvss_vector>AV:L/AC:M/Au:S/C:C/I:C/A:C</cvss_vector>
+  <cvss_base_score>4.3</cvss_base_score>
+  <cvss_vector>AV:N/AC:M/Au:N/C:P/I:N/A:N</cvss_vector>
   <reference>http://nfs.sourceforge.net/#section_c</reference>
   <software_name>nfsd</software_name>
   <software_license>GPLv2</software_license>

modules/vulnerabilities/unix/nfs/nfs_overshare/templates/exports.erb

@@ -1,11 +0,0 @@
-# /etc/exports: the access control list for filesystems which may be exported
-#               to NFS clients.  See exports(5).
-#
-# Example for NFSv2 and NFSv3:
- /       172.0.0.0/8(rw,sync,no_subtree_check)
- /       192.0.0.0/8(rw,sync,no_subtree_check)
-#
-# Example for NFSv4:
-# /srv/nfs4        gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
-# /srv/nfs4/homes  gss/krb5i(rw,sync,no_subtree_check)
-#

secgen.rb

@@ -54,13 +54,17 @@ def build_config(scenario, out_dir)
   all_available_utilities = ModuleReader.read_utilities
   Print.std "#{all_available_utilities.size} utility modules loaded"
 
+  Print.info 'Reading available generator modules...'
+  all_available_generators = ModuleReader.read_generators
+  Print.std "#{all_available_generators.size} generator modules loaded"
+
   Print.info 'Reading available network modules...'
   all_available_networks = ModuleReader.read_networks
   Print.std "#{all_available_networks.size} network modules loaded"
 
   Print.info 'Resolving systems: randomising scenario...'
   # for each system, select modules
-  all_available_modules = all_available_bases + all_available_vulnerabilties + all_available_services + all_available_utilities + all_available_networks
+  all_available_modules = all_available_bases + all_available_vulnerabilties + all_available_services + all_available_utilities + all_available_generators + all_available_networks
   # update systems with module selections
   systems.map! {|system|
     system.module_selections = system.resolve_module_selection(all_available_modules)