diff --git a/CHANGELOG.md b/CHANGELOG.md
index 72eadb615..fd6a83469 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -56,6 +56,9 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 ### Security
+- Change SSH exploiter so that it does not set the permissions of the agent
+ binary in /tmp on the target system to 777, as this could allow a malicious
+ actor with local access to escalate their privileges. #1750
 ## [1.13.0] - 2022-01-25
 ### Added
 - A new exploiter that allows propagation via the Log4Shell vulnerability
diff --git a/monkey/infection_monkey/exploit/sshexec.py b/monkey/infection_monkey/exploit/sshexec.py
index 5f14ce25b..39544a93c 100644
--- a/monkey/infection_monkey/exploit/sshexec.py
+++ b/monkey/infection_monkey/exploit/sshexec.py
@@ -170,15 +170,8 @@ class SSHExploiter(HostExploiter):
 file_size=monkeyfs.getsize(src_path),
 callback=self.log_transfer,
 )
- ftp.chmod(self.options["dropper_target_path_linux"], 0o777)
+ self._make_agent_executable(ftp)
 status = ScanStatus.USED
- self.telemetry_messenger.send_telemetry(
- T1222Telem(
- ScanStatus.USED,
- "chmod 0777 %s" % self.options["dropper_target_path_linux"],
- self.host,
- )
- )
 ftp.close()
 except Exception as exc:
 self.exploit_result.error_message = (
@@ -221,3 +214,13 @@ class SSHExploiter(HostExploiter):
 logger.error(self.exploit_result.error_message)
 return self.exploit_result
+
+ def _make_agent_executable(self, ftp: paramiko.sftp_client.SFTPClient):
+ ftp.chmod(self.options["dropper_target_path_linux"], 0o700)
+ self.telemetry_messenger.send_telemetry(
+ T1222Telem(
+ ScanStatus.USED,
+ "chmod 0700 %s" % self.options["dropper_target_path_linux"],
+ self.host,
+ )
+ )
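Review bot: In the hunk at `@@ -170,15 +170,8 @@`, the mode is tightened only after the upload whose trailing arguments (`file_size=`, `callback=`) sit just above the new `self._make_agent_executable(ftp)` call, so while the transfer runs the file presumably carries whatever mode the remote default gives it. Since the changelog entry says the binary lands in /tmp, it would be safer for the file to exist with owner-only permissions before any content is written. At minimum the limitation should be recorded next to the call, e.g. `# NOTE: mode is restricted only after the upload completes; until then the file has the remote default mode`. The enclosing method starts and ends outside this hunk, so how the file is created is not visible here and should be confirmed.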
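Review bot: `_make_agent_executable` in the hunk at `@@ -221,3 +214,13 @@` writes the mode twice, once as `0o700` in `ftp.chmod(...)` and once as text in `"chmod 0700 %s"`, so the telemetry can drift from what was actually applied if one is edited without the other. Binding the mode once and formatting it, e.g. `mode = 0o700` and `"chmod %04o %s" % (mode, self.options["dropper_target_path_linux"])`, keeps the T1222 record accurate. The method also has no docstring or return annotation. A one-line docstring such as `"""Restrict the uploaded agent to owner rwx (0o700) and report the chmod as T1222 telemetry."""` plus `-> None` would record why the mode is deliberately not world-accessible.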