access control misconfiguration: writable_passwd -- enforced the order in accounts::users w/ multiple ac misconfigs at same time

2026-02-22 19:58:03 +00:00 · 2017-05-23 17:51:27 +01:00
parent c39ec63434
commit 48385db779
6 changed files with 84 additions and 16 deletions
--- a/modules/vulnerabilities/unix/access_control_misconfigurations/writable_groups/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/access_control_misconfigurations/writable_groups/secgen_metadata.xml
@@ -9,7 +9,7 @@
  <description>Changes permissions on /etc/group file to 0777, local users can escalate to root by adding account to
    sudo. </description>

-  <type>access_controls</type>
+  <type>access_control_misconfiguration</type>
  <privilege>root_rw</privilege>
  <access>local</access>
  <platform>linux</platform>
--- a/modules/vulnerabilities/unix/access_control_misconfigurations/writable_passwd/manifests/config.pp
+++ b/modules/vulnerabilities/unix/access_control_misconfigurations/writable_passwd/manifests/config.pp
@@ -0,0 +1,6 @@
+class writable_passwd::config {
+  file { '/etc/passwd':
+    ensure  => present,
+    mode    => '0777',
+  }
+}
--- a/modules/vulnerabilities/unix/access_control_misconfigurations/writable_passwd/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/access_control_misconfigurations/writable_passwd/secgen_metadata.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+  <name>Writable Passwd File</name>
+  <author>Thomas Shaw</author>
+  <module_license>MIT</module_license>
+  <description>Changes permissions on passwd file to 777, open to account tampering to local users.
+    This is not a common misconfiguration, and not particularly subtle.</description>
+
+  <type>access_control_misconfiguration</type>
+  <privilege>root_rw</privilege>
+  <access>local</access>
+  <platform>linux</platform>
+
+  <!--optional vulnerability details-->
+  <difficulty>medium</difficulty>
+  <cvss_base_score>6.6</cvss_base_score>
+  <cvss_vector>AV:L/AC:M/Au:S/C:C/I:C/A:C</cvss_vector>
+
+  <!--<solution>TODO:</solution>-->
+
+</vulnerability>
--- a/modules/vulnerabilities/unix/access_control_misconfigurations/writable_passwd/writable_passwd.pp
+++ b/modules/vulnerabilities/unix/access_control_misconfigurations/writable_passwd/writable_passwd.pp
@@ -0,0 +1 @@
+include writable_passwd::config
--- a/modules/vulnerabilities/unix/system/parameterised_accounts/manifests/account.pp
+++ b/modules/vulnerabilities/unix/system/parameterised_accounts/manifests/account.pp
@@ -1,20 +1,28 @@
 define parameterised_accounts::account($username, $password, $super_user, $strings_to_leak, $leaked_filenames) {
-
-  # condition because ::accounts::user changes permissions on /etc/group so needs to run before vulns/writable_groups
-  if defined('writable_groups::config'){
+  # ::accounts::user changes permissions on group, passwd, shadow etc. so needs to run before
+  if defined('writable_groups::config') {
    include ::writable_groups::config
-    ::accounts::user { $username:
-      shell      => '/bin/bash',
-      password   => pw_hash($password, 'SHA-512', 'mysalt'),
-      managehome => true,
-      before     => File['/etc/group']
-    }
-  } else {
-    ::accounts::user { $username:
-      shell      => '/bin/bash',
-      password   => pw_hash($password, 'SHA-512', 'mysalt'),
-      managehome => true,
-    }
+    $writable_groups = [File['/etc/group']]
+  } else { $writable_groups = [] }
+
+  if defined('writable_passwd::config') {
+    include ::writable_passwd::config
+    $writable_passwd = [File['/etc/passwd']]
+  } else { $writable_passwd = [] }
+
+  if defined('writable_shadow::config') {
+    include ::writable_shadow::config
+    $writable_shadow = [File['/etc/shadow']]
+  } else { $writable_shadow = [] }
+
+  $misconfigurations = concat($writable_groups, $writable_passwd, $writable_shadow)
+
+  # Add user account
+  ::accounts::user { $username:
+    shell      => '/bin/bash',
+    password   => pw_hash($password, 'SHA-512', 'mysalt'),
+    managehome => true,
+    before     => $misconfigurations,
  }

  # sort groups if sudo add to conf
--- a/scenarios/examples/vulnerability_examples/access_control_misconfiguration_examples/writable_passwd.xml
+++ b/scenarios/examples/vulnerability_examples/access_control_misconfiguration_examples/writable_passwd.xml
@@ -0,0 +1,29 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+	   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	   xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+	<system>
+		<system_name>server</system_name>
+		<base platform="linux"/>
+
+		<vulnerability module_path=".*writable_passwd" type="access_control_misconfiguration"/>
+
+		<vulnerability module_path=".*parameterised_accounts">
+			<input into="accounts">
+				<generator type="account">
+					<input into="username">
+						<value>test</value>
+					</input>
+					<input into="password">
+						<value>test</value>
+					</input>
+				</generator>
+			</input>
+		</vulnerability>
+
+		<network type="private_network" range="dhcp"/>
+	</system>
+
+</scenario>