minor improvements to leaked_file permissions, metadata, and scenarios

2026-02-21 11:18:06 +00:00 · 2017-09-20 22:08:40 +01:00
parent c70263a8e0
commit b5bb17ee59
7 changed files with 6 additions and 9 deletions
--- a/modules/build/puppet/secgen_functions/manifests/leak_file.pp
+++ b/modules/build/puppet/secgen_functions/manifests/leak_file.pp
@@ -1,4 +1,4 @@
-define secgen_functions::leak_file($leaked_filename, $storage_directory, $strings_to_leak, $owner = 'root', $group = 'root', $mode = '0777', $leaked_from = '' ) {
+define secgen_functions::leak_file($leaked_filename, $storage_directory, $strings_to_leak, $owner = 'root', $group = 'root', $mode = '0660', $leaked_from = '' ) {
  if ($leaked_filename != ''){
    $path_to_leak = "$storage_directory/$leaked_filename"

--- a/modules/build/puppet/secgen_functions/manifests/leak_files.pp
+++ b/modules/build/puppet/secgen_functions/manifests/leak_files.pp
@@ -1,4 +1,4 @@
-define secgen_functions::leak_files($leaked_filenames=[], $storage_directory, $strings_to_leak=[], $images_to_leak=[], $owner = 'root', $group = 'root', $mode = '0777', $leaked_from) {
+define secgen_functions::leak_files($leaked_filenames=[], $storage_directory, $strings_to_leak=[], $images_to_leak=[], $owner = 'root', $group = 'root', $mode = '0660', $leaked_from) {

  # $leaked_from is a mandatory resource specifying where the file was being leaked (i.e. which module / user leaked it.)
  # This is to avoid resource clashes if two users get the same 'leaked_filenames' results
--- a/modules/vulnerabilities/unix/access_control_misconfigurations/suid_root_nano/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/access_control_misconfigurations/suid_root_nano/secgen_metadata.xml
@@ -9,7 +9,7 @@
  <description>Mis-configure nano file permissions to run with root privileges</description>

  <type>access_control_misconfiguration</type>
-  <privilege>user_rw</privilege>
+  <privilege>root_rw</privilege>
  <access>local</access>
  <platform>unix</platform>

--- a/modules/vulnerabilities/unix/access_control_misconfigurations/uid_bash_root/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/access_control_misconfigurations/uid_bash_root/secgen_metadata.xml
@@ -9,7 +9,7 @@
  <description>Mis-configure /bin/bash with 4777 (suid, rwxrwxrwx) to enable root privileges</description>

  <type>access_control_mis-configurations</type>
-  <privilege>user_rw</privilege>
+  <privilege>root_rw</privilege>
  <access>local</access>
  <platform>unix</platform>

--- a/modules/vulnerabilities/unix/system/ssh_leaked_keys/secgen_metadata.xml
+++ b/modules/vulnerabilities/unix/system/ssh_leaked_keys/secgen_metadata.xml
@@ -47,8 +47,4 @@
    <module_path>utilities/unix/system/accounts</module_path>
  </requires>

-  <!--to exploit the attacker needs user write access-->
-  <requires>
-    <privilege>user_rw</privilege>
-  </requires>
 </vulnerability>
--- a/scenarios/ctf/basic_narrative.xml
+++ b/scenarios/ctf/basic_narrative.xml
@@ -24,7 +24,7 @@
          <value>If you find any more evidence, such as the name of a suspect, use the format flag{Firstname Lastname}</value>
        </input>
        <input into="password">
-          <generator type="^((?!strong_password_generator).)*$"/>
+          <generator type="medium_password_generator"/>
        </input>
      </generator>

--- a/scenarios/examples/vulnerability_examples/ssh_leaked_keys.xml
+++ b/scenarios/examples/vulnerability_examples/ssh_leaked_keys.xml
@@ -8,6 +8,7 @@
    <system_name>ssh_leaked_keys</system_name>
    <base platform="linux" type="server"/>

+    <vulnerability access="remote" privilege="user_rwx" />
    <vulnerability module_path="modules/vulnerabilities/unix/system/ssh_leaked_keys"/>

    <network type="private_network" range="dhcp"/>