Agent: Change agent permissions to 700 in SSH exploiter

Changing the permissions to 777 introduces a security risk into the
target host. A malicious attacker with local access can potentially
modify the binary, resulting in code execution and privilege escalation
when the attacking agent launches the agent on the victim.

Issue #1750
This commit is contained in:
Mike Salvatore 2022-02-28 11:51:34 -05:00
parent eea07461c5
commit caa6405315
2 changed files with 14 additions and 8 deletions

View File

@ -56,6 +56,9 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
### Security
- Change SSH exploiter so that it does not set the permissions of the agent
binary in /tmp on the target system to 777, as this could allow a malicious
actor with local access to escalate their privileges. #1750
## [1.13.0] - 2022-01-25
### Added
- A new exploiter that allows propagation via the Log4Shell vulnerability

View File

@ -170,15 +170,8 @@ class SSHExploiter(HostExploiter):
file_size=monkeyfs.getsize(src_path),
callback=self.log_transfer,
)
ftp.chmod(self.options["dropper_target_path_linux"], 0o777)
self._make_agent_executable(ftp)
status = ScanStatus.USED
self.telemetry_messenger.send_telemetry(
T1222Telem(
ScanStatus.USED,
"chmod 0777 %s" % self.options["dropper_target_path_linux"],
self.host,
)
)
ftp.close()
except Exception as exc:
self.exploit_result.error_message = (
@ -221,3 +214,13 @@ class SSHExploiter(HostExploiter):
logger.error(self.exploit_result.error_message)
return self.exploit_result
def _make_agent_executable(self, ftp: paramiko.sftp_client.SFTPClient):
ftp.chmod(self.options["dropper_target_path_linux"], 0o700)
self.telemetry_messenger.send_telemetry(
T1222Telem(
ScanStatus.USED,
"chmod 0700 %s" % self.options["dropper_target_path_linux"],
self.host,
)
)