nostromo module

Co-Authored-By: Anaas Naveed <Anaas@Naveed>

modules/vulnerabilities/unix/http/nostromo_code_exec/files/nhttpd.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Nostromo 1.9.6 Web Server
+After=network.target
+StartLimitIntervalSec=0
+
+[Service]
+Type=forking
+PIDFile=/var/nostromo/logs/nhttpd.pid
+Restart=on-abort
+RestartSec=1
+User=root
+ExecStart=/home/nostromousr/nostromo-1.9.6/src/nhttpd/nhttpd
+WorkingDirectory=/home/nostromousr/nostromo-1.9.6/src/nhttpd
+
+[Install]
+WantedBy=multi-user.target

modules/vulnerabilities/unix/http/nostromo_code_exec/manifests/config.pp

@@ -0,0 +1,41 @@
+#
+class nostromo_code_exec::config {
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ]}
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $port = $secgen_parameters['port'][0]
+  $strings_to_leak = $secgen_parameters['strings_to_leak']
+  $leaked_filenames = $secgen_parameters['leaked_filenames']
+  $strings_to_pre_leak = $secgen_parameters['strings_to_pre_leak']
+
+  $user = 'nostromousr'#$secgen_parameters['leaked_username'][0]
+  $user_home = "/home/${user}"
+  $nostromo_root_var_dir = '/var/nostromo/'
+
+
+  # Copy the config file to /var/nostromo/conf/
+  file { "${nostromo_root_var_dir}/conf/nhttpd.conf":
+    content  => template('nostromo_code_exec/nhttpd.conf.erb'),
+    owner   => $user,
+    require => Exec['make-nostromo-install'],
+  } ->
+
+  file { "${nostromo_root_var_dir}/htdocs/index.html":
+    content  => template('nostromo_code_exec/pre_leak.html.erb'),
+    owner   => $user,
+  } ->
+
+  # Set /var/nostromo/logs to 777
+  exec { 'set-log-dir-perms':
+    command => 'sudo chmod 777 /var/nostromo/logs',
+  }
+
+  ::secgen_functions::leak_files { 'nostromo-file-leak':
+    storage_directory => $user_home,
+    leaked_filenames  => $leaked_filenames,
+    strings_to_leak   => $strings_to_leak,
+    owner             => $user,
+    leaked_from       => "nostromo",
+    mode              => '0600'
+  }
+  # Next steps in Service file
+}

modules/vulnerabilities/unix/http/nostromo_code_exec/manifests/install.pp

@@ -0,0 +1,47 @@
+class nostromo_code_exec::install {
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ] }
+  #$secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $user = 'nostromousr'#$secgen_parameters['leaked_username'][0]
+  $user_home = "/home/${user}"
+
+
+  # Install dependancies - make, gcc libssl-dev
+  ensure_packages(['make','gcc','libssl-dev'])
+
+  user { "${user}":
+    ensure     => present,
+    uid        => '666',
+    gid        => 'root',#
+    home       => "${user_home}/",
+    managehome => true,
+    password   => 'toor', # Temp, remove in final.
+    require    => Package['libssl-dev'],
+  } ->
+
+  # TODO: install into /opt/ rather than user home
+  # Move tar ball to /home/nostromo/
+  file { "${user_home}/nostromo_1_9_6.tar.gz":
+    source  => 'puppet:///modules/nostromo_code_exec/nostromo_1_9_6.tar.gz',
+    owner   => $user,
+    mode    => '0777',
+  } ->
+
+  # Extract the tar ball
+  exec { 'mellow-file':
+    cwd     => "${user_home}/",
+    command => 'tar -xzvf nostromo_1_9_6.tar.gz',
+    creates => "${user_home}/nostromo-1.9.6/",
+  } ->
+
+  # Make the application
+  exec { 'make-nostromo':
+    cwd     => "${user_home}/nostromo-1.9.6/",
+    command => 'sudo make',
+  } ->
+
+  # Install the application
+  exec { 'make-nostromo-install':
+    cwd     => "${user_home}/nostromo-1.9.6/",
+    command => 'sudo make install',
+  }
+}

modules/vulnerabilities/unix/http/nostromo_code_exec/manifests/service.pp

@@ -0,0 +1,33 @@
+#
+class nostromo_code_exec::service {
+  require nostromo_code_exec::config
+  Exec { path => [ '/bin/', '/sbin/' , '/usr/bin/', '/usr/sbin/' ]}
+  $user = 'nostromousr'#$secgen_parameters['leaked_username'][0]
+  $user_home = "/home/${user}"
+  $release_dir = '/home/nostromousr/nostromo-1.9.6/src/nhttpd'
+  $service_file_dir = '/etc/systemd/system'
+
+  # Move service file to /home/nostromousr/nostromo-1.9.6/src/nhttpd
+  file { "${release_dir}/nhttpd.service":
+    source  => 'puppet:///modules/nostromo_code_exec/nhttpd.service',
+    owner   => $user,
+    mode    => '0777',
+    require => Exec['set-log-dir-perms'],
+  } ->
+
+  # Service file in /etc/systemd/system/
+  file { "${service_file_dir}/nhttpd.service":
+    source  => 'puppet:///modules/nostromo_code_exec/nhttpd.service',
+    owner   => $user,
+    mode    => '0777',
+  } ->
+
+  # exec { 'run-nhttpd':
+  #   command => "sudo /home/${user}/nostromo-1.9.6/src/nhttpd/nhttpd",
+  # } ->
+  #
+  service { 'nhttpd':
+    ensure  => running,
+    enable  => true,
+  }
+}

modules/vulnerabilities/unix/http/nostromo_code_exec/nostromo_code_exec.pp

@@ -0,0 +1,3 @@
+include nostromo_code_exec::install
+include nostromo_code_exec::config
+include nostromo_code_exec::service

modules/vulnerabilities/unix/http/nostromo_code_exec/secgen_metadata.xml

@@ -0,0 +1,58 @@
+<?xml version="1.0"?>
+
+<vulnerability xmlns="http://www.github/cliffe/SecGen/vulnerability"
+               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xsi:schemaLocation="http://www.github/cliffe/SecGen/vulnerability">
+  <name>Nostromo Directory Traversal Remote Command Execution</name>
+  <author>Anaas Naveed</author>
+  <author>Z. Cliffe Schreuders</author>
+  <module_license>MIT</module_license>
+  <description>There is a remote command execution vulnerability in
+    Nostromo <= 1.9.6. This issue is caused by a directory traversal
+    in the function `http_verify` in nostromo nhttpd allowing an attacker
+    to achieve remote code execution via a crafted HTTP request.
+
+    Note that Nostromo requires LF (not CRLF line endings),
+    so be careful not to edit these files from Windows.
+  </description>
+
+  <type>http</type>
+  <privilege>root_rwx</privilege>
+  <access>remote</access>
+  <platform>linux</platform>
+  <difficulty>low</difficulty>
+
+  <read_fact>port</read_fact>
+  <read_fact>strings_to_leak</read_fact>
+  <read_fact>leaked_filenames</read_fact>
+  <read_fact>strings_to_pre_leak</read_fact>
+
+  <!-- on a random port by default -->
+  <default_input into="port">
+    <generator module_path=".*/random_unregistered_port"/>
+  </default_input>
+  <default_input into="strings_to_leak">
+    <generator type="message_generator"/>
+  </default_input>
+  <default_input into="leaked_filenames">
+    <generator type="filename_generator"/>
+  </default_input>
+
+  <!-- pre-leaked, these details are leaked before the main vuln is exploited, for example hidden content or hosted files -->
+  <default_input into="strings_to_pre_leak">
+    <generator type="message_generator"/>
+  </default_input>
+
+  <!--optional vulnerability details-->
+  <cve>2019-16278</cve>
+  <cvss_base_score>10</cvss_base_score>
+  <cvss_vector>AV:N/AC:L/Au:N/C:C/I:C/A:C</cvss_vector>
+  <reference>https://www.exploit-db.com/exploits/47573</reference>
+  <software_name>nostromo</software_name>
+  <software_license>GPLv2</software_license>
+
+
+  <requires>
+    <type>update</type>
+  </requires>
+</vulnerability>

modules/vulnerabilities/unix/http/nostromo_code_exec/templates/nhttpd.conf.erb

@@ -0,0 +1,57 @@
+#	$nostromo: nhttpd.conf-dist,v 1.22 2016/04/12 18:54:16 hacki Exp $
+
+# MAIN [MANDATORY]
+
+#servername		www.test.ch
+servername		127.0.0.1:<%= @port %>
+serverlisten		*
+#serverlisten		81.221.21.250 127.0.0.1 ::1
+serveradmin		webmaster@nazgul.ch
+serverroot		/var/nostromo
+servermimes		conf/mimes
+docroot			/var/nostromo/htdocs
+docindex		index.html
+
+# LOGS [OPTIONAL]
+
+logpid			logs/nhttpd.pid
+logaccess		logs/access_log
+
+# SETUID [RECOMMENDED]
+
+user			nostromousr
+
+# BASIC AUTHENTICATION [OPTIONAL]
+
+#htaccess		.htaccess
+#htpasswd		/var/nostromo/conf/.htpasswd
+#htpasswd		+bsdauth
+#htpasswd		+bsdauthnossl
+
+# SSL [OPTIONAL]
+
+#sslport		443
+#sslcert		/etc/ssl/server.crt
+#sslcertkey		/etc/ssl/private/server.key
+
+# CUSTOM RESPONSES [OPTIONAL]
+#
+# The custom responses are searched in the corresponding document root.
+
+#custom_401		custom_401.html
+#custom_403		custom_403.html
+#custom_404		custom_404.html
+
+# ALIASES [OPTIONAL]
+
+/icons			/var/nostromo/icons
+
+# VIRTUAL HOSTS [OPTIONAL]
+
+#www.rahel.ch		/var/nostromo/htdocs/www.rahel.ch
+#www.rahel.ch:8080	/var/nostromo/htdocs/www.rahel.ch
+
+# HOMEDIRS [OPTIONAL]
+
+#homedirs		/home
+#homedirs_public	public_www

modules/vulnerabilities/unix/http/nostromo_code_exec/templates/pre_leak.html.erb

@@ -0,0 +1,9 @@
+<html>
+<body>
+<pre>
+<% @strings_to_pre_leak.each { |string_to_pre_leak| -%>
+  <%= string_to_pre_leak %>
+<% } -%>
+</pre>
+</body>
+</html>

scenarios/examples/vulnerability_examples/nostromo_vulnerability.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <system>
+    <system_name>web_server</system_name>
+		<base distro="Debian 10" type="desktop" name="KDE"/>
+
+    <vulnerability module_path=".*/nostromo_code_exec"/>
+
+    <network type="private_network" range="dhcp"/>
+  </system>
+
+</scenario>