From b5bb17ee59a55197b149c12d208de3c7e6c780ca Mon Sep 17 00:00:00 2001
From: thomashaw
Date: Wed, 20 Sep 2017 22:08:40 +0100
Subject: [PATCH] minor improvements to leaked_file permissions, metadata, and scenarios
---
 modules/build/puppet/secgen_functions/manifests/leak_file.pp | 2 +-
 modules/build/puppet/secgen_functions/manifests/leak_files.pp | 2 +-
 .../suid_root_nano/secgen_metadata.xml | 2 +-
 .../uid_bash_root/secgen_metadata.xml | 2 +-
 .../unix/system/ssh_leaked_keys/secgen_metadata.xml | 4 ----
 scenarios/ctf/basic_narrative.xml | 2 +-
 scenarios/examples/vulnerability_examples/ssh_leaked_keys.xml | 1 +
 7 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/modules/build/puppet/secgen_functions/manifests/leak_file.pp b/modules/build/puppet/secgen_functions/manifests/leak_file.pp
index 1cd68c39a..082d36a87 100644
--- a/modules/build/puppet/secgen_functions/manifests/leak_file.pp
+++ b/modules/build/puppet/secgen_functions/manifests/leak_file.pp
@@ -1,4 +1,4 @@
-define secgen_functions::leak_file($leaked_filename, $storage_directory, $strings_to_leak, $owner = 'root', $group = 'root', $mode = '0777', $leaked_from = '' ) {
+define secgen_functions::leak_file($leaked_filename, $storage_directory, $strings_to_leak, $owner = 'root', $group = 'root', $mode = '0660', $leaked_from = '' ) {
 if ($leaked_filename != ''){
 $path_to_leak = "$storage_directory/$leaked_filename"
diff --git a/modules/build/puppet/secgen_functions/manifests/leak_files.pp b/modules/build/puppet/secgen_functions/manifests/leak_files.pp
index 5e25294fc..fef69b944 100644
--- a/modules/build/puppet/secgen_functions/manifests/leak_files.pp
+++ b/modules/build/puppet/secgen_functions/manifests/leak_files.pp
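Review bot: The new default `$mode = '0660'` on the `define secgen_functions::leak_file(...)` line combines with the unchanged `$owner = 'root'` and `$group = 'root'` defaults, so a caller that passes none of the three now gets a file readable only by root and members of group root, where it used to be world-readable and world-writable. The callers are not part of this patch, so any module that leaks a file for an unprivileged account presumably has to pass `owner`/`group` explicitly now; that is worth auditing before merge. Group write also looks unnecessary for a file that is only meant to be read, so `$mode = '0640'` would be the tighter default if nothing relies on the group modifying it. A comment above the define such as `# Default is root-only (root:root 0660); pass $owner/$group/$mode to expose the leak to a specific account` would make the contract explicit. The same default changes in the `leak_files.pp` hunk that follows, and both defines continue outside their hunks.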
@@ -1,4 +1,4 @@ -define secgen_functions::leak_files($leaked_filenames=[], $storage_directory, $strings_to_leak=[], $images_to_leak=[], $owner = 'root', $group = 'root', $mode = '0777', $leaked_from) { +define secgen_functions::leak_files($leaked_filenames=[], $storage_directory, $strings_to_leak=[], $images_to_leak=[], $owner = 'root', $group = 'root', $mode = '0660', $leaked_from) { # $leaked_from is a mandatory resource specifying where the file was being leaked (i.e. which module / user leaked it.) # This is to avoid resource clashes if two users get the same 'leaked_filenames' results diff --git a/modules/vulnerabilities/unix/access_control_misconfigurations/suid_root_nano/secgen_metadata.xml b/modules/vulnerabilities/unix/access_control_misconfigurations/suid_root_nano/secgen_metadata.xml index a35ccc825..3eb093098 100644 --- a/modules/vulnerabilities/unix/access_control_misconfigurations/suid_root_nano/secgen_metadata.xml +++ b/modules/vulnerabilities/unix/access_control_misconfigurations/suid_root_nano/secgen_metadata.xml @@ -9,7 +9,7 @@ Mis-configure nano file permissions to run with root privileges access_control_misconfiguration - user_rw + root_rw local unix diff --git a/modules/vulnerabilities/unix/access_control_misconfigurations/uid_bash_root/secgen_metadata.xml b/modules/vulnerabilities/unix/access_control_misconfigurations/uid_bash_root/secgen_metadata.xml index 495a43f84..8e4f18057 100644 --- a/modules/vulnerabilities/unix/access_control_misconfigurations/uid_bash_root/secgen_metadata.xml +++ b/modules/vulnerabilities/unix/access_control_misconfigurations/uid_bash_root/secgen_metadata.xml @@ -9,7 +9,7 @@ Mis-configure /bin/bash with 4777 (suid, rwxrwxrwx) to enable root privileges access_control_mis-configurations - user_rw + root_rw local unix diff --git a/modules/vulnerabilities/unix/system/ssh_leaked_keys/secgen_metadata.xml b/modules/vulnerabilities/unix/system/ssh_leaked_keys/secgen_metadata.xml index 40a7cd561..814bb5a10 100644 
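Review bot: The two metadata files touched here spell the module category differently: the context line in `suid_root_nano/secgen_metadata.xml` reads `access_control_misconfiguration`, while the one in `uid_bash_root/secgen_metadata.xml` reads `access_control_mis-configurations`, and the commit leaves both as they are while changing the privilege value from `user_rw` to `root_rw`. If scenarios select modules by that value (the element names are not visible on this page, so this is inferred), a filter written for one spelling will miss the other module. Since the commit already corrects metadata in both files, aligning the two strings in the same change would be the natural fix. Both hunks start and end mid-file.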
--- a/modules/vulnerabilities/unix/system/ssh_leaked_keys/secgen_metadata.xml +++ b/modules/vulnerabilities/unix/system/ssh_leaked_keys/secgen_metadata.xml @@ -47,8 +47,4 @@ utilities/unix/system/accounts - - - user_rw - \ No newline at end of file diff --git a/scenarios/ctf/basic_narrative.xml b/scenarios/ctf/basic_narrative.xml index 9c8fae049..dfcd23f7e 100644 --- a/scenarios/ctf/basic_narrative.xml +++ b/scenarios/ctf/basic_narrative.xml @@ -24,7 +24,7 @@ If you find any more evidence, such as the name of a suspect, use the format flag{Firstname Lastname} - + diff --git a/scenarios/examples/vulnerability_examples/ssh_leaked_keys.xml b/scenarios/examples/vulnerability_examples/ssh_leaked_keys.xml index 5612ca3c3..046f4e47b 100644 --- a/scenarios/examples/vulnerability_examples/ssh_leaked_keys.xml +++ b/scenarios/examples/vulnerability_examples/ssh_leaked_keys.xml @@ -8,6 +8,7 @@ ssh_leaked_keys +