From aa5398ffcc81417a7d8c0f974b55c1a31d5e99c7 Mon Sep 17 00:00:00 2001 
From: m-1-k-3 Date: Thu, 26 Jan 2023 15:01:29 +0100 Subject: [PATCH 1/6] refactor --- README.md | 1 + check_project.sh | 2 - config/bin_version_strings.cfg | 2 +- config/distri_id.cfg | 2 +- config/trickest_blacklist.txt | 1 + emba.sh | 54 +++++++++------------ helpers/helpers_emba_dependency_check.sh | 13 ++--- helpers/helpers_emba_helpers.sh | 17 ++++--- helpers/helpers_emba_internet_access.sh | 2 +- helpers/helpers_emba_print.sh | 33 ++++++------- installer/I120_cwe_checker.sh | 12 ++--- installer/IP12_avm_freetz_ng_extract.sh | 1 + modules/F10_license_summary.sh | 12 ++--- modules/F20_vul_aggregator.sh | 16 ++----- modules/F50_base_aggregator.sh | 17 ++----- modules/P05_patools_init.sh | 10 +--- modules/P10_vmdk_extractor.sh | 2 +- modules/P15_ubi_extractor.sh | 4 +- modules/P59_binwalk_extractor.sh | 2 +- modules/P60_firmware_bin_extractor.sh | 4 +- modules/P65_package_extractor.sh | 4 +- modules/P99_prepare_analyzer.sh | 6 +-- modules/S02_UEFI_FwHunt.sh | 12 ++--- modules/S03_firmware_bin_base_analyzer.sh | 39 ++++++--------- modules/S05_firmware_details.sh | 4 +- modules/S06_distribution_identification.sh | 55 +++++++++++----------- modules/S08_package_mgmt_extractor.sh | 26 +++++----- modules/S09_firmware_base_version_check.sh | 28 +++++------ modules/S109_jtr_local_pw_cracking.sh | 8 +--- modules/S110_yara_check.sh | 14 ++---- modules/S115_usermode_emulator.sh | 40 ++++------------ modules/S116_qemu_version_detection.sh | 5 +- modules/S120_cwe_checker.sh | 24 ++++------ modules/S13_weak_func_check.sh | 26 ++++++---- modules/S14_weak_func_radare_check.sh | 23 +++++---- modules/S20_shell_check.sh | 22 +++------ modules/S21_python_check.sh | 8 +--- modules/S22_php_check.sh | 8 +--- modules/S24_kernel_bin_identifier.sh | 40 ++++------------ modules/S25_kernel_check.sh | 10 ++-- modules/S26_kernel_vuln_verifier.sh | 12 ++--- modules/S40_weak_perm_check.sh | 2 +- modules/S50_authentication_check.sh | 48 +++++-------------- modules/S65_config_file_check.sh | 1 - 
modules/S75_network_check.sh | 16 ++----- modules/S80_cronjob_check.sh | 3 +- modules/S85_ssh_check.sh | 8 +--- modules/S95_interesting_binaries_check.sh | 5 +- modules/S99_grepit.sh | 4 +- 49 files changed, 264 insertions(+), 444 deletions(-) diff --git a/README.md b/README.md index 74acb13f4..13d59bb19 100644 --- a/README.md +++ b/README.md @@ -73,4 +73,5 @@ We welcome [pull requests](https://github.com/e-m-b-a/emba/pulls) and [issues](h ## Team [The core EMBA Team](https://github.com/orgs/e-m-b-a/people) + [Contributors](https://github.com/e-m-b-a/emba/blob/master/CONTRIBUTORS.md) diff --git a/check_project.sh b/check_project.sh index f62aff9e8..863c65dc8 100755 --- a/check_project.sh +++ b/check_project.sh @@ -257,8 +257,6 @@ summary() { done echo -e "$ORANGE""WARNING: Fix the errors before pushing to the EMBA repository!" fi - - } # check that all tools are installed diff --git a/config/bin_version_strings.cfg b/config/bin_version_strings.cfg index a62c6601c..217fb7f97 100644 --- a/config/bin_version_strings.cfg +++ b/config/bin_version_strings.cfg 
@@ -336,7 +336,7 @@ libpcap;;bsd;"^libpcap\ version\ [0-9](\.[0-9]+)+?$";"sed -r 's/libpcap\ version libpcre;;bsd;"libpcre\.so\.[0-9]\.[0-9](\.[0-9]+)+?$";"sed -r 's/libpcre\.so\.([0-9](\.[0-9]+)+?)$/pcre:\1/'"; libpng;;libpng;"libpng\ version\ [0-9](\.[0-9]+)+?\ ";"sed -r 's/libpng\ version\ ([0-9](\.[0-9]+)+?)\ .*/libpng:\1/'"; libreswan;;gplv2;"^Libreswan\ [\.0-9]+";"sed -r 's/Libreswan\ ([0-9](\.[0-9]+)+?).*/libreswan:\1/'"; -libsensors;;unknown;"libsensors\ version\ [.\0-9]+$";"sed -r 's/libsensors\ version\ ([0-9](\.[0-9]+)+?)$/libsensors:\1/'"; +libsensors;;unknown;"libsensors\ version\ [\.0-9]+$";"sed -r 's/libsensors\ version\ ([0-9](\.[0-9]+)+?)$/libsensors:\1/'"; libtiff;;unknown;"^LIBTIFF,\ Version\ [0-9](\.[0-9]+)+?$";"sed -r 's/LIBTIFF,\ Version\ ([0-9](\.[0-9]+)+?)$/libtiff:libtiff:\1/'"; lighttpd;;bsd;"^lighttpd\/[0-9](\.[0-9]+)+?\ .*\ -\ a\ light\ and\ fast\ webserver$";"sed -r 's/lighttpd\/([0-9](\.[0-9]+)+?)\ .*/lighttpd:\1/'"; lighttpd;live;bsd;"^lighttpd\/[0-9](\.[0-9]+)+?(-devel-[0-9]+[A-Z])?$";"sed -r 's/lighttpd\/([0-9](\.[0-9]+)+?).*/lighttpd:\1/'"; diff --git a/config/distri_id.cfg b/config/distri_id.cfg index 09fbe57ba..2540681da 100644 --- a/config/distri_id.cfg +++ b/config/distri_id.cfg 
@@ -18,4 +18,4 @@ D-Link;/image_sign;grep -a -o -E ".*_d.*_.*";sort -u | cut -d_ -f3 | sed -r 's/( VERSION.LTM;/VERSION.LTM;grep -a -o -E -e "^Product:.*" -a -o -E -e "^Version:.*";sort -u | tr -d '\n' | sed 's/Product: BIG-IP/BIG-IP LTM/g' | sed 's/Version://g' | sed 's/^\ //' # F5 BigIP - application security manager VERSION.ASM;/VERSION.ASM;grep -a -o -E -e "^Product:.*" -a -o -E -e "^Version:.*";sort -u | tr -d '\n' | sed 's/Product: BIG-IP/BIG-IP ASM/g' | sed 's/Version://g' | sed 's/^\ //' -Mikrotik-router;/nova/lib/console/logo.txt;grep -a -o -E -e "MikroTik\ routerOS\ V[0-9]\.[0-9]+\ \(c\) [0-9]+-[0-9].*";sed -r 's/.*MikroTik\ routerOS\ V([0-9]\.[0-9]+)\ .*/MikroTik\ routerOS\ V\1/' +Mikrotik-router;/nova/lib/console/logo.txt;grep -a -o -E -e "MikroTik\ routerOS\ V[0-9]\.[0-9]+\ \(c\) [0-9]+-[0-9].*";sed -r 's/.*MikroTik\ routerOS\ V([0-9]\.[0-9]+).*/MikroTik\ routerOS\ V\1/' diff --git a/config/trickest_blacklist.txt b/config/trickest_blacklist.txt index dd267af39..269305a9e 100644 --- a/config/trickest_blacklist.txt +++ b/config/trickest_blacklist.txt @@ -39,3 +39,4 @@ andir/nixos-issue-db-example andrewwebber/kate jenkinsci-cert/nvd-cwe xaviermerino/ECE1552 +evdenis/cvehound diff --git a/emba.sh b/emba.sh index a5a197ca9..22b944e10 100755 --- a/emba.sh +++ b/emba.sh @@ -135,6 +135,7 @@ run_modules() mapfile -t MODULES_LOCAL < <(find "${MOD_DIR_LOCAL}" -name "${MODULE_GROUP^^}""*.sh" 2>/dev/null | sort -V 2> /dev/null) fi MODULES=( "${MODULES_EMBA[@]}" "${MODULES_LOCAL[@]}" ) + MODULES_EXPORTED+=("${MODULES[@]}") if [[ $THREADING_SET -eq 1 && "${MODULE_GROUP^^}" != "P" ]] ; then sort_modules fi 
@@ -203,6 +204,8 @@ run_modules() if [[ "$SELECT_NUM" =~ ^["${MODULE_GROUP,,}","${MODULE_GROUP^^}"]{1}[0-9]+ ]]; then local MODULE="" MODULE=$(find "$MOD_DIR" -name "${MODULE_GROUP^^}""${SELECT_NUM:1}""_*.sh" | sort -V 2> /dev/null) + # we need the whole module name including path in our array for later checks on it + export MODULES_EXPORTED+=("${MODULE}") if ( file "$MODULE" | grep -q "shell script" ) && ! [[ "$MODULE" =~ \ |\' ]] ; then MODULE_BN=$(basename "$MODULE") MODULE_MAIN=${MODULE_BN%.*} @@ -246,9 +249,9 @@ run_modules() mapfile -t MODULES_LOCAL < <(find "${MOD_DIR_LOCAL}" -name "${MODULE_GROUP^^}""*.sh" 2>/dev/null | sort -V 2> /dev/null) fi MODULES=( "${MODULES_EMBA[@]}" "${MODULES_LOCAL[@]}" ) - if [[ $THREADING_SET -eq 1 ]] ; then - sort_modules - fi + + [[ $THREADING_SET -eq 1 ]] && sort_modules + for MODULE_FILE in "${MODULES[@]}" ; do # check if "$MODULE_NAME" is in blacklist from config directory and skip it MODULE_NAME=$(basename -s .sh "$MODULE_FILE") @@ -346,6 +349,7 @@ main() export ARCH="" export EXLUDE=() export SELECT_MODULES=() + export MODULES_EXPORTED=() export ROOT_PATH=() export FILE_ARR=() export LOG_GREP=0 @@ -594,9 +598,7 @@ main() fi # print it only once per EMBA run - not again from started container - if [[ $IN_DOCKER -eq 0 ]]; then - banner_printer - fi + [[ $IN_DOCKER -eq 0 ]] && banner_printer if [[ $IN_DOCKER -eq 1 ]] ; then # set external path new for docker @@ -621,7 +623,7 @@ main() print_bar "no_log" fi - enable_strict_mode "$STRICT_MODE" + enable_strict_mode "$STRICT_MODE" 1 # profile handling if [[ -n "${PROFILE:-}" ]]; then 
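Review bot: `export MODULES_EXPORTED+=("${MODULE}")` marks an array for export, which bash cannot hand to child processes anyway, and it differs from the plain `MODULES_EXPORTED+=("${MODULES[@]}")` used in the hunk above; drop the `export` here. The append also runs before the `file "$MODULE" | grep -q "shell script"` guard, so an empty or non-script `find` result lands in the array that module_wait later consults; moving the line inside that `if` keeps the array to verified modules. run_modules continues outside this hunk.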
@@ -661,16 +663,12 @@ main() fi fi - if [[ $IN_DOCKER -eq 0 ]]; then - # check if LOG_DIR exists and prompt to terminal to delete its content (Y/n) - log_folder - fi + # check if LOG_DIR exists and prompt to terminal to delete its content (Y/n) + [[ $IN_DOCKER -eq 0 ]] && log_folder + # create log directory, if not exists and needed subdirectories # do not create a log dir for dep check - if [[ "$ONLY_DEP" -eq 0 ]]; then - # create log directory, if not exists and needed subdirectories - create_log_dir - fi + [[ "$ONLY_DEP" -eq 0 ]] && create_log_dir # kernel downloader runs on the host and waits for an identified kernel version. Afterwards # it tries to download the kernel sources for further analysis @@ -890,6 +888,7 @@ main() if [[ "$STRICT_MODE" -eq 1 ]]; then set +e fi + disable_strict_mode "$STRICT_MODE" 0 EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker-compose run --rm emba -c './emba.sh -l /logs -f /firmware -i "$@"' _ "${ARGUMENTS[@]}" D_RETURN=$? @@ -907,9 +906,7 @@ main() cleaner 0 else # we do not need the log dir from dependency checker - if [[ -d "$LOG_DIR" ]]; then - rm -r "$LOG_DIR" - fi + [[ -d "$LOG_DIR" ]] && rm -r "$LOG_DIR" fi exit 0 else @@ -947,9 +944,7 @@ main() run_modules "P" "$THREADED" "0" # if we running threaded we ware going to wait for the slow guys here - if [[ $THREADED -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS[@]}" - fi + [[ $THREADED -eq 1 ]] && wait_for_pid "${WAIT_PIDS[@]}" print_ln "no_log" @@ -985,9 +980,7 @@ main() run_modules "S" "$THREADED" "$HTML" - if [[ $THREADED -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS[@]}" - fi + [[ $THREADED -eq 1 ]] && wait_for_pid "${WAIT_PIDS[@]}" print_ln "no_log" 
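Review bot: `disable_strict_mode "$STRICT_MODE" 0` is added directly after the `if [[ "$STRICT_MODE" -eq 1 ]]; then set +e; fi` block that the hunk keeps, so if the helper itself runs `set +e` (its body is not in this patch) one of the two is redundant and the three-line `if` should go. The new trailing argument (`0` here, `1` in the `enable_strict_mode "$STRICT_MODE" 1` call earlier in this file) has no comment saying what it selects; a one-line `# second arg: ...` at the call site, or in the helper's header, would help. main() continues outside this hunk.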
@@ -1065,17 +1058,16 @@ main() print_output "$(indent "Try using binwalk or something else to extract the firmware")" exit 1 fi - if [[ "$HTML" -eq 1 ]]; then - update_index - fi + + [[ "$HTML" -eq 1 ]] && update_index + if [[ -f "$HTML_PATH"/index.html ]] && [[ "$IN_DOCKER" -eq 0 ]]; then print_output "[*] Web report created HTML report in $ORANGE$LOG_DIR/html-report$NC\\n" "main" print_output "[*] Open the web-report with$ORANGE firefox $(abs_path "$HTML_PATH/index.html")$NC\\n" "main" fi - if [[ "$IN_DOCKER" -eq 1 ]]; then - # we need to change the permissions of the LOG_DIR to the orig. user from the host - restore_permissions - fi + + # we need to change the permissions of the LOG_DIR to the orig. user from the host + [[ "$IN_DOCKER" -eq 1 ]] && restore_permissions cleaner 0 exit 0 } diff --git a/helpers/helpers_emba_dependency_check.sh b/helpers/helpers_emba_dependency_check.sh index 1db3853e6..da2bf65aa 100755 --- a/helpers/helpers_emba_dependency_check.sh +++ b/helpers/helpers_emba_dependency_check.sh @@ -231,15 +231,11 @@ setup_unblob() { fi print_output " ""sasquatch"" - \\c" "no_log" if [[ -f /usr/local/bin/sasquatch_binwalk ]]; then - if [[ -L "$UNBLOB_PATH"/sasquatch ]]; then - rm "$UNBLOB_PATH"/sasquatch - fi + [[ -L "$UNBLOB_PATH"/sasquatch ]] && rm "$UNBLOB_PATH"/sasquatch ln -s /usr/local/bin/sasquatch_binwalk "$UNBLOB_PATH"/sasquatch echo -e "$GREEN""ok""$NC" elif [[ -f /usr/local/bin/sasquatch_unblob ]]; then - if [[ -L "$UNBLOB_PATH"/sasquatch ]]; then - rm "$UNBLOB_PATH"/sasquatch - fi + [[ -L "$UNBLOB_PATH"/sasquatch ]] && rm "$UNBLOB_PATH"/sasquatch ln -s /usr/local/bin/sasquatch_unblob "$UNBLOB_PATH"/sasquatch echo -e "$ORANGE""warning""$NC" DEP_EXIT=1 @@ -328,7 +324,6 @@ dependency_check() fi fi - print_ln "no_log" print_output "[*] Necessary utils on system:" "no_log" 
@@ -470,9 +465,7 @@ dependency_check() # TODO change to portcheck and write one for external hosts check_dep_file "cve-search script" "$EXT_DIR""/cve-search/bin/search.py" # we have already checked it outside the docker - do not need it again - if [[ "$IN_DOCKER" -eq 0 ]]; then - check_cve_search - fi + [[ "$IN_DOCKER" -eq 0 ]] && check_cve_search if [[ "$IN_DOCKER" -eq 0 ]]; then # really basic check, if cve-search database is running - no check, if populated and also no check, if EMBA in docker check_dep_tool "mongo database" "mongod" diff --git a/helpers/helpers_emba_helpers.sh b/helpers/helpers_emba_helpers.sh index 95db7bab0..63629255b 100755 --- a/helpers/helpers_emba_helpers.sh +++ b/helpers/helpers_emba_helpers.sh @@ -62,9 +62,7 @@ max_pids_protection() { # check for really running PIDs and re-create the array for PID in "${WAIT_PIDS[@]}"; do # print_output "[*] max pid protection: ${#WAIT_PIDS[@]}" - if [[ -e /proc/"$PID" ]]; then - TEMP_PIDS+=( "$PID" ) - fi + [[ -e /proc/"$PID" ]] && TEMP_PIDS+=( "$PID" ) done # if S115 is running we have to kill old qemu processes if [[ -f "$LOG_DIR"/"$MAIN_LOG_FILE" ]] && [[ $(grep -i -c S115_ "$LOG_DIR"/"$MAIN_LOG_FILE" || true) -eq 1 && -n "$QRUNTIME" ]]; then @@ -96,9 +94,7 @@ cleaner() { fi # Remove status bar and reset screen - if [[ "$DISABLE_STATUS_BAR" -eq 0 ]]; then - remove_status_bar - fi + [[ "$DISABLE_STATUS_BAR" -eq 0 ]] && remove_status_bar # if S115 is found only once in main.log the module was started and we have to clean it up # additionally we need to check some variable from a running EMBA instance @@ -132,9 +128,7 @@ cleaner() { reset_network_emulation 2 fi fi - if [[ "$IN_DOCKER" -eq 1 ]]; then - restore_permissions - fi + [[ "$IN_DOCKER" -eq 1 ]] && restore_permissions if [[ "$IN_DOCKER" -eq 0 ]] && [[ -v K_DOWN_PID ]]; then if ps -p "$K_DOWN_PID" > /dev/null; then 
@@ -293,6 +287,11 @@ backup_var() { module_wait() { local MODULE_TO_WAIT="${1:-}" + # if the module we should wait is not in our module array we return without waiting + if ! [[ " ${MODULES_EXPORTED[*]} " == *"${MODULE_TO_WAIT}"* ]]; then + print_output "[-] Module $ORANGE$MODULE_TO_WAIT$NC not in module array - this will result in unexpected behavior" "main" + return + fi while ! [[ -f "$MAIN_LOG" ]]; do sleep 1 diff --git a/helpers/helpers_emba_internet_access.sh b/helpers/helpers_emba_internet_access.sh index 5dc9f3f45..be394741e 100755 --- a/helpers/helpers_emba_internet_access.sh +++ b/helpers/helpers_emba_internet_access.sh @@ -82,7 +82,7 @@ kernel_downloader() { print_output "$OUTPUTTER" "no_log" write_log "$OUTPUTTER" "$LOG_DIR/kernel_downloader.log" - if ! [[ -d "$TMP_DIR" ]]; then + if [[ -d "$TMP_DIR" ]]; then mkdir "$TMP_DIR" fi diff --git a/helpers/helpers_emba_print.sh b/helpers/helpers_emba_print.sh index d60e1ea36..48f58332e 100755 --- a/helpers/helpers_emba_print.sh +++ b/helpers/helpers_emba_print.sh @@ -143,12 +143,12 @@ print_output() fi fi fi - if [[ "$LOG_SETTING" != "no_log" ]] ; then + if [[ "$LOG_SETTING" != "no_log" ]]; then write_grep_log "$OUTPUT" fi } -# echo untrusted data in a secure way: +# echo unknown data in a consistent way: safe_echo() { STRING_TO_ECHO="${1:-}" @@ -169,8 +169,10 @@ escape_echo() { if [[ -v 2 ]]; then local LOG_TO_FILE="${2:-}" printf -- "%q" "$STRING_TO_ECHO" | tee -a "$LOG_TO_FILE" >/dev/null || true + # printf -- "%b" "\r\n" | tee -a "$LOG_TO_FILE" >/dev/null || true else printf -- "%q" "$STRING_TO_ECHO" || true + # printf -- "%b" "\r\n" || true fi } @@ -182,7 +184,7 @@ print_ln() print_dot() { - echo "." | tr -d "\n" 2>/dev/null ||true + echo -n "." 2>/dev/null ||true } write_log() @@ -564,8 +566,7 @@ print_etc() fi } -print_excluded() -{ +print_excluded() { readarray -t EXCLUDE_PATHS_ARR < <(printf '%s' "$EXCLUDE_PATHS") if [[ ${#EXCLUDE_PATHS_ARR[@]} -gt 0 ]] ; then print_ln "no_log" 
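Review bot: The new guard in module_wait tests `MODULE_TO_WAIT` as an unanchored substring of the joined array, so a name that is a prefix of a longer module name (a constructed example: an `S10` prefix against `S109_jtr_local_pw_cracking.sh`, which this patch lists) passes the test, and an empty name matches everything and falls through to the wait loop. If the array holds the full paths run_modules appends and callers pass the module base name, anchoring the pattern, e.g. `if ! [[ " ${MODULES_EXPORTED[*]} " == *"/${MODULE_TO_WAIT}.sh "* ]]; then`, removes the prefix case, and a `[[ -z "$MODULE_TO_WAIT" ]] && return` before it covers the empty argument explicitly. module_wait continues outside this hunk.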
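Review bot: The inverted test in kernel_downloader breaks the directory setup: `mkdir "$TMP_DIR"` now runs only when the directory already exists (where it fails, and under strict mode aborts the downloader) and is skipped when it is missing, which is the only case where it is needed. Restore `if ! [[ -d "$TMP_DIR" ]]; then` or replace the block with `mkdir -p "$TMP_DIR"`. kernel_downloader continues outside this hunk.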
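Review bot: The two added lines in escape_echo are commented-out code, so the function's contract stays implicit: it writes `printf -- "%q"` output with no trailing newline. Either delete them, or replace them with a comment on the function header such as `# NOTE: prints no trailing newline; callers appending to line-oriented files must add it`, since this patch starts using escape_echo with `>>` in S03_firmware_bin_base_analyzer.sh.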
@@ -599,7 +600,7 @@ module_start_log() { print_output "[*] Found old module log path for $ORANGE$MODULE_MAIN_NAME$NC ... creating a backup" "no_log" mv "$LOG_PATH_MODULE" "$LOG_PATH_MODULE".bak."$RANDOM" || true fi - if ! [[ -d "$LOG_PATH_MODULE" ]] ; then + if ! [[ -d "$LOG_PATH_MODULE" ]]; then mkdir "$LOG_PATH_MODULE" || true fi } @@ -644,9 +645,7 @@ module_end_log() { print_bar "" fi fi - if [[ "$HTML" -eq 1 ]]; then - run_web_reporter_mod_name "$MODULE_MAIN_NAME" - fi + [[ "$HTML" -eq 1 ]] && run_web_reporter_mod_name "$MODULE_MAIN_NAME" if [[ -v LOG_PATH_MODULE ]]; then if [[ -d "$LOG_PATH_MODULE" ]]; then if [[ "$(find "$LOG_PATH_MODULE" -type f | wc -l)" -eq 0 ]]; then @@ -690,12 +689,10 @@ banner_printer() { # write notfication is the central notification area # if you want to print a notification via the notification system # call this function with the message as parameter -write_notification(){ - if [[ "$DISABLE_NOTIFICATIONS" -eq 1 ]]; then - return - fi +write_notification() { + [[ "$DISABLE_NOTIFICATIONS" -eq 1 ]] && return + # in case DISPLAY is not set we are not able to show notifications if ! [[ -v DISPLAY ]]; then - # in case DISPLAY is not set we are not able to show notifications return fi @@ -716,12 +713,10 @@ write_notification(){ # print_notification handles the monitoring of the notification tmp file # from the docker container. If someone prints something into this file # this function will handle it and generate a desktop notification -print_notification(){ - if [[ "$DISABLE_NOTIFICATIONS" -eq 1 ]]; then - return - fi +print_notification() { + [[ "$DISABLE_NOTIFICATIONS" -eq 1 ]] && return + # in case DISPLAY is not set we are not able to show notifications if ! [[ -v DISPLAY ]]; then - # in case DISPLAY is not set we are not able to show notifications return fi local NOTIFICATION_LOCATION="$TMP_DIR"/notifications.log diff --git a/installer/I120_cwe_checker.sh b/installer/I120_cwe_checker.sh index ac649dddc..7c399c360 100755 
--- a/installer/I120_cwe_checker.sh +++ b/installer/I120_cwe_checker.sh @@ -33,7 +33,7 @@ I120_cwe_checker() { print_git_info "cwe-checker" "EMBA-support-repos/cwe_checker" "cwe_checker is a suite of checks to detect common bug classes such as use of dangerous functions and simple integer overflows." echo -e "$ORANGE""cwe-checker will be downloaded.""$NC" print_file_info "OpenJDK" "OpenJDK for cwe-checker" "https://github.com/adoptium/temurin11-binaries/releases/download/jdk-11.0.12%2B7/OpenJDK11U-jdk_x64_linux_hotspot_11.0.12_7.tar.gz" "external/jdk.tar.gz" - print_file_info "GHIDRA" "Ghidra for cwe-checker" "https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.1.5_build/ghidra_10.1.5_PUBLIC_20220726.zip" "external/ghidra.zip" + print_file_info "GHIDRA" "Ghidra for cwe-checker" "https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.2.2_build/ghidra_10.2.2_PUBLIC_20221115.zip" "external/ghidra.zip" if [[ "$LIST_DEP" -eq 1 ]] || [[ $DOCKER_SETUP -eq 1 ]] ; then ANSWER=("n") 
@@ -62,13 +62,13 @@ I120_cwe_checker() { # Ghidra if [[ -d ./external/ghidra ]] ; then rm -R ./external/ghidra ; fi - curl -L https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.1.5_build/ghidra_10.1.5_PUBLIC_20220726.zip -Sf -o external/ghidra.zip + curl -L https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_10.2.2_build/ghidra_10.2.2_PUBLIC_20221115.zip -Sf -o external/ghidra.zip mkdir external/ghidra 2>/dev/null unzip -qo external/ghidra.zip -d external/ghidra if [[ "$IN_DOCKER" -eq 1 ]]; then - sed -i s@JAVA_HOME_OVERRIDE=@JAVA_HOME_OVERRIDE=/external/jdk@g external/ghidra/ghidra_10.1.5_PUBLIC/support/launch.properties + sed -i s@JAVA_HOME_OVERRIDE=@JAVA_HOME_OVERRIDE=/external/jdk@g external/ghidra/ghidra_10.2.2_PUBLIC/support/launch.properties else - sed -i s@JAVA_HOME_OVERRIDE=@JAVA_HOME_OVERRIDE=external/jdk@g external/ghidra/ghidra_10.1.5_PUBLIC/support/launch.properties + sed -i s@JAVA_HOME_OVERRIDE=@JAVA_HOME_OVERRIDE=external/jdk@g external/ghidra/ghidra_10.2.2_PUBLIC/support/launch.properties fi rm external/ghidra.zip 
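Review bot: The Ghidra archive is still fetched with `curl -L ... -Sf -o external/ghidra.zip` and unzipped with no integrity check, so the version bump changes which artifact is trusted without any way to detect a swapped download; record the release's digest and verify it before `unzip`, e.g. `echo "<GHIDRA_ZIP_SHA256>  external/ghidra.zip" | sha256sum -c -`. The string `ghidra_10.2.2_PUBLIC` is now repeated in this hunk, in the print_file_info call in the previous hunk and in the `make`/`ghidra.json` lines of the next one; a single `GHIDRA_VERSION` variable at the top of I120_cwe_checker would make the next bump a one-line change. The function continues outside this hunk.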
@@ -76,12 +76,12 @@ I120_cwe_checker() { mkdir ./external/cwe_checker 2>/dev/null git clone https://github.com/EMBA-support-repos/cwe_checker.git external/cwe_checker cd external/cwe_checker || ( echo "Could not install EMBA component cwe_checker" && exit 1 ) - make all GHIDRA_PATH="$HOME_PATH""/external/ghidra/ghidra_10.1.5_PUBLIC" + make all GHIDRA_PATH="$HOME_PATH""/external/ghidra/ghidra_10.2.2_PUBLIC" cd "$HOME_PATH" || ( echo "Could not install EMBA component cwe_checker" && exit 1 ) if [[ "$IN_DOCKER" -eq 1 ]]; then cp -pr "$HOME""/.cargo/bin" "external/cwe_checker/bin" - echo '{"ghidra_path":"/external/ghidra/ghidra_10.1.5_PUBLIC"}' > /root/.config/cwe_checker/ghidra.json + echo '{"ghidra_path":"/external/ghidra/ghidra_10.2.2_PUBLIC"}' > /root/.config/cwe_checker/ghidra.json # save .config as we remount /root with tempfs -> now we can restore it in the module cp -pr /root/.config ./external/cwe_checker/ diff --git a/installer/IP12_avm_freetz_ng_extract.sh b/installer/IP12_avm_freetz_ng_extract.sh index dabb0dc3e..8773b6fc8 100755 --- a/installer/IP12_avm_freetz_ng_extract.sh +++ b/installer/IP12_avm_freetz_ng_extract.sh @@ -51,6 +51,7 @@ IP12_avm_freetz_ng_extract() { print_tool_info "rsync" 1 print_tool_info "kmod" 1 print_tool_info "libelf1" 1 + print_tool_info "libelf-dev" 1 print_tool_info "uuid-dev" 1 print_tool_info "libssl-dev" 1 print_tool_info "libgnutls28-dev" 1 diff --git a/modules/F10_license_summary.sh b/modules/F10_license_summary.sh index 623884a5a..f22c148af 100755 --- a/modules/F10_license_summary.sh +++ b/modules/F10_license_summary.sh 
@@ -48,9 +48,9 @@ F10_license_summary() { continue fi - BINARY="$(echo "$ENTRY" | cut -d\; -f1)" - VERSION="$(echo "$ENTRY" | cut -d\; -f2 | cut -d: -f2-)" - LICENSE="$(echo "$ENTRY" | cut -d\; -f3)" + BINARY="$(safe_echo "$ENTRY" | cut -d\; -f1)" + VERSION="$(safe_echo "$ENTRY" | cut -d\; -f2 | cut -d: -f2-)" + LICENSE="$(safe_echo "$ENTRY" | cut -d\; -f3)" print_output "[+] Binary: $ORANGE$(basename "$BINARY" | cut -d\ -f1)$GREEN / Version: $ORANGE$VERSION$GREEN / License: $ORANGE$LICENSE$NC" write_csv_log "$BINARY" "$VERSION_RULE" "$VERSION" "$CSV_RULE" "$LICENSE" "$TYPE" @@ -66,9 +66,9 @@ F10_license_summary() { continue fi - BINARY="$(echo "$ENTRY" | cut -d\; -f1)" - VERSION="$(echo "$ENTRY" | cut -d\; -f2 | cut -d: -f2-)" - LICENSE="$(echo "$ENTRY" | cut -d\; -f3)" + BINARY="$(safe_echo "$ENTRY" | cut -d\; -f1)" + VERSION="$(safe_echo "$ENTRY" | cut -d\; -f2 | cut -d: -f2-)" + LICENSE="$(safe_echo "$ENTRY" | cut -d\; -f3)" print_output "[+] Binary: $ORANGE$(basename "$BINARY")$GREEN / Version: $ORANGE$VERSION$GREEN / License: $ORANGE$LICENSE$NC" write_csv_log "$BINARY" "$VERSION_RULE" "$VERSION" "$CSV_RULE" "$LICENSE" "$TYPE" diff --git a/modules/F20_vul_aggregator.sh b/modules/F20_vul_aggregator.sh index 5a7c3243b..2b85e7ba1 100755 --- a/modules/F20_vul_aggregator.sh +++ b/modules/F20_vul_aggregator.sh @@ -464,9 +464,7 @@ generate_cve_details_cves() { fi done - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_F19[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_F19[@]}" } generate_cve_details_versions() { @@ -490,9 +488,7 @@ generate_cve_details_versions() { fi done - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_F19[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_F19[@]}" } cve_db_lookup_cve () { 
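Review bot: `[[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_F19[@]}"` is now the last statement of generate_cve_details_cves, so when THREADED is 0 the function returns 1; if the caller invokes it as a plain statement while strict mode has `set -e` active (the STRICT_MODE `set +e`/`set -e` handling in P05_patools_init.sh shows this mode exists), the run aborts at that call. The `if ... fi` form this hunk removes, or a trailing `|| true`, avoids that. The same rewrite as the final statement of a function appears in generate_cve_details_versions (next hunk), cve_db_lookup_cve and cve_db_lookup_version, deeper_extractor_helper in P60_firmware_bin_extractor.sh, and os_identification and os_detection_thread_per_os in S03_firmware_bin_base_analyzer.sh.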
@@ -520,9 +516,7 @@ cve_db_lookup_cve () { cve_extractor "$CVE_ENTRY" fi - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_F19_2[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_F19_2[@]}" } cve_db_lookup_version() { @@ -558,9 +552,7 @@ cve_db_lookup_version() { cve_extractor "$BIN_VERSION_" fi - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_F19_2[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_F19_2[@]}" } cve_extractor() { diff --git a/modules/F50_base_aggregator.sh b/modules/F50_base_aggregator.sh index 6bbcce9df..4987be123 100755 --- a/modules/F50_base_aggregator.sh +++ b/modules/F50_base_aggregator.sh @@ -73,7 +73,6 @@ F50_base_aggregator() { } output_overview() { - if [[ -n "$FW_VENDOR" ]]; then print_output "[+] Tested Firmware vendor: ""$ORANGE""$FW_VENDOR""$NC" write_csv_log "Firmware_vendor" "$FW_VENDOR" "NA" @@ -473,7 +472,7 @@ output_binaries() { readarray -t RESULTS_SYSTEM < <( find "$LOG_DIR"/s1[34]*/ -xdev -iname "vul_func_*_system-*.txt" 2> /dev/null | sed "s/.*vul_func_//" | sort -g -r | head -10 | sed "s/_system-/ system /" | sed "s/\.txt//" 2> /dev/null || true) # strcpy: - if [[ "${#RESULTS_STRCPY[@]}" -gt 0 ]]; then + if [[ "${#RESULTS_STRCPY[@]}" -gt 0 ]] && [[ $(echo "${RESULTS_STRCPY[0]}" | awk '{print $1}') -gt 0 ]]; then print_ln print_output "[+] STRCPY - top 10 results:" if [[ -d "$LOG_DIR""/s13_weak_func_check/" ]]; then @@ -490,7 +489,7 @@ output_binaries() { fi # system: - if [[ "${#RESULTS_SYSTEM[@]}" -gt 0 ]]; then + if [[ "${#RESULTS_SYSTEM[@]}" -gt 0 ]] && [[ $(echo "${RESULTS_SYSTEM[0]}" | awk '{print $1}') -gt 0 ]]; then print_ln print_output "[+] SYSTEM - top 10 results:" if [[ -d "$LOG_DIR""/s13_weak_func_check/" ]]; then 
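Review bot: `[[ $(echo "${RESULTS_STRCPY[0]}" | awk '{print $1}') -gt 0 ]]` spawns two processes to read a field bash can extract itself, and it relies on the first field being an integer, since `[[ -gt ]]` treats a bare word as a variable name and fails on anything else. `[[ "${RESULTS_STRCPY[0]%% *}" -gt 0 ]]` gives the same comparison without a subshell; the same applies to the `RESULTS_SYSTEM` test in the next hunk. output_binaries continues outside this hunk.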
@@ -880,21 +879,15 @@ get_data() { CVE_SEARCH=$(grep -a "\[\*\]\ Statistics:" "$LOG_DIR"/"$CVE_AGGREGATOR_LOG" | sort -u | cut -d: -f2 || true) fi if [[ -f "$TMP_DIR"/HIGH_CVE_COUNTER.tmp ]]; then - while read -r COUNTING; do - (( HIGH_CVE_COUNTER="$HIGH_CVE_COUNTER"+"$COUNTING" )) - done < "$TMP_DIR"/HIGH_CVE_COUNTER.tmp + HIGH_CVE_COUNTER=$(awk '{ sum += $1 } END { print sum }' "$TMP_DIR"/HIGH_CVE_COUNTER.tmp) (( CVE_COUNTER="$CVE_COUNTER"+"$HIGH_CVE_COUNTER" )) fi if [[ -f "$TMP_DIR"/MEDIUM_CVE_COUNTER.tmp ]]; then - while read -r COUNTING; do - (( MEDIUM_CVE_COUNTER="$MEDIUM_CVE_COUNTER"+"$COUNTING" )) - done < "$TMP_DIR"/MEDIUM_CVE_COUNTER.tmp + MEDIUM_CVE_COUNTER=$(awk '{ sum += $1 } END { print sum }' "$TMP_DIR"/MEDIUM_CVE_COUNTER.tmp) (( CVE_COUNTER="$CVE_COUNTER"+"$MEDIUM_CVE_COUNTER" )) fi if [[ -f "$TMP_DIR"/LOW_CVE_COUNTER.tmp ]]; then - while read -r COUNTING; do - (( LOW_CVE_COUNTER="$LOW_CVE_COUNTER"+"$COUNTING" )) - done < "$TMP_DIR"/LOW_CVE_COUNTER.tmp + LOW_CVE_COUNTER=$(awk '{ sum += $1 } END { print sum }' "$TMP_DIR"/LOW_CVE_COUNTER.tmp) (( CVE_COUNTER="$CVE_COUNTER"+"$LOW_CVE_COUNTER" )) fi if [[ -f "$TMP_DIR"/KNOWN_EXPLOITED_COUNTER.tmp ]]; then diff --git a/modules/P05_patools_init.sh b/modules/P05_patools_init.sh index e8e80f7e4..fe28ac7b2 100755 --- a/modules/P05_patools_init.sh +++ b/modules/P05_patools_init.sh @@ -55,15 +55,11 @@ patools_extractor() { FIRMWARE_NAME_="$(basename "$FIRMWARE_PATH_")" - if [[ "$STRICT_MODE" -eq 1 ]]; then - set +e - fi + [[ "$STRICT_MODE" -eq 1 ]] && set +e patool -v test "$FIRMWARE_PATH_" | tee -a "$LOG_PATH_MODULE"/paextract_test_"$FIRMWARE_NAME_".log - if [[ "$STRICT_MODE" -eq 1 ]]; then - set -e - fi + [[ "$STRICT_MODE" -eq 1 ]] && set -e cat "$LOG_PATH_MODULE"/paextract_test_"$FIRMWARE_NAME_".log >> "$LOG_FILE" 
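Review bot: `awk '{ sum += $1 } END { print sum }'` prints an empty string when the .tmp file exists but is empty, and the following `(( CVE_COUNTER="$CVE_COUNTER"+"$HIGH_CVE_COUNTER" ))` then expands to `N+` and fails with an arithmetic syntax error; the removed `while read` loop left the counter at its previous value in that case. Use `END { print sum+0 }` in all three awk calls so an empty file yields `0`. get_data continues outside this hunk.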
@@ -85,7 +81,6 @@ patools_extractor() { print_output "[*] No valid compressed file detected - extraction process via binwalk started" binwalk_deep_extract_helper 0 "$FIRMWARE_PATH_" "$EXTRACTION_DIR_" - fi print_ln @@ -99,5 +94,4 @@ patools_extractor() { write_csv_log "Extractor module" "Original file" "extracted file/dir" "file counter" "directory counter" "further details" write_csv_log "Patool extractor" "$FIRMWARE_PATH_" "$EXTRACTION_DIR_" "$FILES_PATOOLS" "$DIRS_PATOOLS" "NA" print_ln - } diff --git a/modules/P10_vmdk_extractor.sh b/modules/P10_vmdk_extractor.sh index d4cc49307..64fea0b7c 100755 --- a/modules/P10_vmdk_extractor.sh +++ b/modules/P10_vmdk_extractor.sh @@ -101,7 +101,7 @@ vmdk_extractor() { write_csv_log "Extractor module" "Original file" "extracted file/dir" "file counter" "directory counter" "further details" write_csv_log "VMDK extractor" "$VMDK_PATH_" "$EXTRACTION_DIR_" "$VMDK_FILES" "$VMDK_DIRS" "NA" # currently unblob has issues with VMDKs. We need to disable it for this extraction process - echo 0 > "$TMP_DIR"/unblob_disable.cfg + safe_echo 0 > "$TMP_DIR"/unblob_disable.cfg fi rm -r "$TMP_VMDK_MNT" || true } diff --git a/modules/P15_ubi_extractor.sh b/modules/P15_ubi_extractor.sh index 3b747a9e8..8c2445f5f 100755 --- a/modules/P15_ubi_extractor.sh +++ b/modules/P15_ubi_extractor.sh @@ -71,8 +71,8 @@ ubi_extractor() { mapfile -t UBI_1st_ROUND < <(find "$EXTRACTION_DIR_" -type f -exec file {} \; | grep "UBI image" || true) for UBI_DATA in "${UBI_1st_ROUND[@]}"; do - UBI_FILE=$(echo "$UBI_DATA" | cut -d: -f1) - UBI_INFO=$(echo "$UBI_DATA" | cut -d: -f2) + UBI_FILE=$(safe_echo "$UBI_DATA" | cut -d: -f1) + UBI_INFO=$(safe_echo "$UBI_DATA" | cut -d: -f2) if [[ "$UBI_INFO" == *"UBIfs image"* ]]; then sub_module_title "UBIfs deep extraction" print_output "[*] Extracts UBIfs firmware image $ORANGE$UBI_PATH_$NC with ${ORANGE}ubireader_extract_files$NC." 
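Review bot: The `fi` removed here has no matching `if` removed anywhere in this patch's P05_patools_init.sh hunks (the diffstat's 10 changed lines are the 8 deletions and 2 insertions visible in the three hunks), so unless the file previously carried an unmatched `fi`, an `if` in patools_extractor is now left unclosed and the module will not parse. Check with `bash -n modules/P05_patools_init.sh` and either restore the `fi` or remove the `if` it closed. The enclosing block starts outside this hunk.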
diff --git a/modules/P59_binwalk_extractor.sh b/modules/P59_binwalk_extractor.sh index 497209c31..a72b826d4 100755 --- a/modules/P59_binwalk_extractor.sh +++ b/modules/P59_binwalk_extractor.sh @@ -76,7 +76,7 @@ wait_for_extractor() { # this is not solid and we probably have to adjust it in the future # but for now it works - SEARCHER="$(echo "$SEARCHER" | tr "(" "." | tr ")" ".")" + SEARCHER="$(safe_echo "$SEARCHER" | tr "(" "." | tr ")" ".")" for PID in "${WAIT_PIDS[@]}"; do local running=1 diff --git a/modules/P60_firmware_bin_extractor.sh b/modules/P60_firmware_bin_extractor.sh index b7b07027b..029fd2db4 100755 --- a/modules/P60_firmware_bin_extractor.sh +++ b/modules/P60_firmware_bin_extractor.sh @@ -276,9 +276,7 @@ deeper_extractor_helper() { fi done - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_P20[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_P20[@]}" } binwalk_deep_extract_helper() { diff --git a/modules/P65_package_extractor.sh b/modules/P65_package_extractor.sh index ba9448ef0..d9ae33348 100755 --- a/modules/P65_package_extractor.sh +++ b/modules/P65_package_extractor.sh @@ -164,9 +164,7 @@ deb_extractor() { done < "$TMP_DIR"/deb_db.txt done - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_P20[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_P20[@]}" FILES_AFTER_DEB=$(find "$FIRMWARE_PATH_CP" -xdev -type f | wc -l ) print_ln "no_log" diff --git a/modules/P99_prepare_analyzer.sh b/modules/P99_prepare_analyzer.sh index 854a2aa2d..c9b57708a 100755 --- a/modules/P99_prepare_analyzer.sh +++ b/modules/P99_prepare_analyzer.sh 
@@ -25,10 +25,8 @@ export PRE_THREAD_ENA=0 P99_prepare_analyzer() { - if [[ $THREADED -eq 1 ]]; then - # this module is the latest in the preparation phase. So, wait for all the others - wait_for_pid "${WAIT_PIDS[@]}" - fi + # this module is the latest in the preparation phase. So, wait for all the others + [[ $THREADED -eq 1 ]] && wait_for_pid "${WAIT_PIDS[@]}" module_log_init "${FUNCNAME[0]}" module_title "Analysis preparation" diff --git a/modules/S02_UEFI_FwHunt.sh b/modules/S02_UEFI_FwHunt.sh index 50a810bf7..90f0a336e 100755 --- a/modules/S02_UEFI_FwHunt.sh +++ b/modules/S02_UEFI_FwHunt.sh @@ -42,15 +42,11 @@ S02_UEFI_FwHunt() { done fi - if [[ $THREADED -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_S02[@]}" - fi + [[ $THREADED -eq 1 ]] && wait_for_pid "${WAIT_PIDS_S02[@]}" fwhunter_logging - if [[ "${#FWHUNTER_RESULTS[@]}" -gt 0 ]]; then - NEG_LOG=1 - fi + [[ "${#FWHUNTER_RESULTS[@]}" -gt 0 ]] && NEG_LOG=1 module_end_log "${FUNCNAME[0]}" "$NEG_LOG" } @@ -120,8 +116,8 @@ fwhunter_logging() { fi done - mapfile -t FWHUNTER_CVEs < <(grep "CVE" "$LOG_FILE" | cut -d: -f4 | sort -u) - mapfile -t FWHUNTER_BINARLY_IDs < <(grep "FwHunt rule has been triggered and threat detected" "$LOG_PATH_MODULE"/* | sed 's/.*BRLY-/BRLY-/' | sed 's/\ .variant:\ .*//g' | sort -u) + mapfile -t FWHUNTER_CVEs < <(grep "CVE" "$LOG_FILE" | cut -d: -f4 | sort -u || true) + mapfile -t FWHUNTER_BINARLY_IDs < <(grep "FwHunt rule has been triggered and threat detected" "$LOG_PATH_MODULE"/* | sed 's/.*BRLY-/BRLY-/' | sed 's/\ .variant:\ .*//g' | sort -u || true) print_ln print_ln diff --git a/modules/S03_firmware_bin_base_analyzer.sh b/modules/S03_firmware_bin_base_analyzer.sh index fe210f305..d05bcb0da 100755 --- a/modules/S03_firmware_bin_base_analyzer.sh +++ b/modules/S03_firmware_bin_base_analyzer.sh 
@@ -54,17 +54,11 @@ S03_firmware_bin_base_analyzer() { fi fi - if [[ $THREADED -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_S03[@]}" - fi + [[ $THREADED -eq 1 ]] && wait_for_pid "${WAIT_PIDS_S03[@]}" - if [[ -f "$TMP_DIR"/s03_arch.tmp ]]; then - binary_architecture_reporter - fi + [[ -f "$TMP_DIR"/s03_arch.tmp ]] && binary_architecture_reporter - if [[ "$(wc -l "$TMP_DIR"/s03.tmp | awk '{print $1}')" -gt 0 ]] ; then - NEG_LOG=1 - fi + [[ "$(wc -l "$TMP_DIR"/s03.tmp | awk '{print $1}')" -gt 0 ]] && NEG_LOG=1 module_end_log "${FUNCNAME[0]}" "$NEG_LOG" } @@ -85,8 +79,8 @@ os_identification() { local WAIT_PIDS_S03_1=() if [[ ${#ROOT_PATH[@]} -gt 1 || $LINUX_PATH_COUNTER -gt 2 ]] ; then - echo "${#ROOT_PATH[@]}" >> "$TMP_DIR"/s03.tmp - echo "$LINUX_PATH_COUNTER" >> "$TMP_DIR"/s03.tmp + escape_echo "${#ROOT_PATH[@]}" >> "$TMP_DIR"/s03.tmp + escape_echo "$LINUX_PATH_COUNTER" >> "$TMP_DIR"/s03.tmp fi print_ln @@ -101,10 +95,7 @@ os_identification() { fi done - if [[ $THREADED -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_S03_1[@]}" - fi - + [[ $THREADED -eq 1 ]] && wait_for_pid "${WAIT_PIDS_S03_1[@]}" } os_detection_thread_per_os() { @@ -175,9 +166,7 @@ os_detection_thread_per_os() { fi fi - if [[ "${OS_COUNTER[$OS]}" -gt 0 ]]; then - echo "${OS_COUNTER[$OS]}" >> "$TMP_DIR"/s03.tmp - fi + [[ "${OS_COUNTER[$OS]}" -gt 0 ]] && escape_echo "${OS_COUNTER[$OS]}" >> "$TMP_DIR"/s03.tmp } binary_architecture_detection() { 
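Review bot: `escape_echo "${#ROOT_PATH[@]}" >> "$TMP_DIR"/s03.tmp` appends without a line terminator: escape_echo, as changed in this patch, runs `printf -- "%q"` with the newline printf commented out, whereas the replaced `echo` ended each entry with a newline. Successive appends from os_identification, os_detection_thread_per_os (next hunk) and binary_architecture_reporter therefore concatenate onto one line, and the `wc -l "$TMP_DIR"/s03.tmp` test in S03_firmware_bin_base_analyzer counts 0 and never sets NEG_LOG. Since these values are counts and architecture names, `printf '%q\n' "${#ROOT_PATH[@]}" >> "$TMP_DIR"/s03.tmp` (and likewise at the other two call sites) keeps the escaping and restores one entry per line.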
@@ -196,19 +185,21 @@ binary_architecture_detection() { awk '{print $3}' | sort -u || true) mapfile -t PRE_ARCH_A < <(binwalk -A "$FILE_TO_CHECK" | grep "\ instructions," | awk '{print $3}' | \ uniq -c | sort -n | tail -1 | awk '{print $2}' || true) + if [[ -f "$HOME"/.config/binwalk/modules/cpu_rec.py ]]; then # entropy=0.9xxx is typically encrypted or compressed -> we just remove these entries: PRE_ARCH_CPU_REC=$(binwalk -% "$FILE_TO_CHECK" | grep -v "DESCRIPTION\|None\|-----------" | grep -v "entropy=0.9" \ | awk '{print $3}' | grep -v -e "^$" | sort | uniq -c | head -1 | awk '{print $2}' || true) fi + for PRE_ARCH_ in "${PRE_ARCH_Y[@]}"; do - echo "binwalk -Y;$PRE_ARCH_" >> "$TMP_DIR"/s03_arch.tmp + safe_echo "binwalk -Y;$PRE_ARCH_" >> "$TMP_DIR"/s03_arch.tmp done for PRE_ARCH_ in "${PRE_ARCH_A[@]}"; do - echo "binwalk -A;$PRE_ARCH_" >> "$TMP_DIR"/s03_arch.tmp + safe_echo "binwalk -A;$PRE_ARCH_" >> "$TMP_DIR"/s03_arch.tmp done if [[ -n "$PRE_ARCH_CPU_REC" ]]; then - echo "cpu_rec;$PRE_ARCH_CPU_REC" >> "$TMP_DIR"/s03_arch.tmp + safe_echo "cpu_rec;$PRE_ARCH_CPU_REC" >> "$TMP_DIR"/s03_arch.tmp fi } @@ -216,10 +207,10 @@ binary_architecture_reporter() { sub_module_title "Architecture detection for RTOS based systems" local PRE_ARCH_="" while read -r PRE_ARCH_; do - SOURCE=$(echo "$PRE_ARCH_" | cut -d\; -f1) - PRE_ARCH_=$(echo "$PRE_ARCH_" | cut -d\; -f2) + SOURCE=$(safe_echo "$PRE_ARCH_" | cut -d\; -f1) + PRE_ARCH_=$(safe_echo "$PRE_ARCH_" | cut -d\; -f2) print_ln print_output "[+] Possible architecture details found ($ORANGE$SOURCE$GREEN): $ORANGE$PRE_ARCH_$NC" - echo "$PRE_ARCH_" >> "$TMP_DIR"/s03.tmp + escape_echo "$PRE_ARCH_" >> "$TMP_DIR"/s03.tmp done < "$TMP_DIR"/s03_arch.tmp } diff --git a/modules/S05_firmware_details.sh b/modules/S05_firmware_details.sh index 2b042946c..dbce1c094 100755 --- a/modules/S05_firmware_details.sh +++ b/modules/S05_firmware_details.sh 
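Review bot: binary_architecture_detection now writes its `binwalk -Y;…`/`binwalk -A;…`/`cpu_rec;…` records to s03_arch.tmp with `safe_echo`, while binary_architecture_reporter re-emits the parsed value into s03.tmp with `escape_echo` and os_identification also uses `escape_echo` for the same file; the two helpers are defined outside this diff, so which one is meant for file output cannot be told from the patch. If the split is deliberate, a one-line comment at the first write would save the next reader a lookup, e.g. `# s03_arch.tmp is written with safe_echo, s03.tmp with escape_echo — intentional, see helpers_emba_print.sh`; if not, use one helper for both files.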
@@ -67,12 +67,10 @@ filesystem_tree() { ls -laR --color=never "$LPATH" >> "$LOG_FILE" fi fi - } # Test source: http://linuxmafia.com/faq/Admin/release-files.html -release_info() -{ +release_info() { sub_module_title "Release/Version information" local R_INFO="" local RELEASE="" diff --git a/modules/S06_distribution_identification.sh b/modules/S06_distribution_identification.sh index 5f2423152..efe7846b7 100755 --- a/modules/S06_distribution_identification.sh +++ b/modules/S06_distribution_identification.sh @@ -18,7 +18,7 @@ S06_distribution_identification() { module_log_init "${FUNCNAME[0]}" - module_title "Linux identification" + module_title "System identification" pre_module_reporter "${FUNCNAME[0]}" export DLINK_FW_VER="" @@ -37,12 +37,13 @@ S06_distribution_identification() write_csv_log "file" "type" "identifier" "csv_rule" while read -r CONFIG; do - if echo "$CONFIG" | grep -q "^[^#*/;]"; then - SEARCH_FILE="$(echo "$CONFIG" | cut -d\; -f2)" + if safe_echo "$CONFIG" | grep -q "^[^#*/;]"; then + SEARCH_FILE="$(safe_echo "$CONFIG" | cut -d\; -f2)" mapfile -t FOUND_FILES < <(find "$FIRMWARE_PATH" -xdev -iwholename "*$SEARCH_FILE" || true) for FILE in "${FOUND_FILES[@]}"; do if [[ -f "$FILE" ]]; then - PATTERN="$(echo "$CONFIG" | cut -d\; -f3)" + PATTERN="$(safe_echo "$CONFIG" | cut -d\; -f3)" + # do not use safe_echo for SED_COMMAND SED_COMMAND="$(echo "$CONFIG" | cut -d\; -f4)" FILE_QUOTED=$(escape_echo "$FILE") OUT1="$(eval "$PATTERN" "$FILE_QUOTED" || true)" @@ -50,7 +51,7 @@ S06_distribution_identification() # echo "SED command: $SED_COMMAND" # echo "identified: $OUT1" # echo "FILE: $FILE_QUOTED" - IDENTIFIER=$(echo -e "$OUT1" | eval "$SED_COMMAND" | sed 's/ \+/ /g' | sed 's/ $//' || true) + IDENTIFIER=$(echo "$OUT1" | eval "$SED_COMMAND" | sed 's/ \+/ /g' | sed 's/ $//' || true) if [[ $(basename "$FILE") == "image_sign" ]]; then # dlink image_sign file handling 
@@ -112,44 +113,44 @@ dlink_image_sign() { get_csv_rule_distri() { # this is a temp solution. If this list grows we are going to solve it via a configuration file local VERSION_IDENTIFIER="${1:-}" - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | tr '[:upper:]' '[:lower:]')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | tr '[:upper:]' '[:lower:]' | tr -dc '[[:print:]]')" ### handle versions of linux distributions: # debian 9 (stretch) - installer build 20170615+deb9u5 - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/(debian) [0-9]+\ \([a-z]+\)\ -\ installer\ build\ [0-9]+\+deb([0-9]+)u([0-9])/\1:\1_linux:\2\.\3/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/(debian) [0-9]+\ \([a-z]+\)\ -\ installer\ build\ [0-9]+\+deb([0-9]+)u([0-9])/\1:\1_linux:\2\.\3/')" # Fedora 17 (Beefy Miracle) - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/(fedora)\ ([0-9]+).*/\1project:\1:\2/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/(fedora)\ ([0-9]+).*/\1project:\1:\2/')" # CentOS - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/centos\ linux\ ([0-9]+(\.[0-9]+)+?).*/centos:centos:\1/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/centos\ linux\ ([0-9]+(\.[0-9]+)+?).*/centos:centos:\1/')" # Ubuntu - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/(ubuntu)\ ([0-9]+\,[0-9]+).*/\1_linux:\1:\2/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/(ubuntu)\ ([0-9]+\,[0-9]+).*/\1_linux:\1:\2/')" # OpenWRT KAMIKAZE r18* -> 8.09.2 # see also: https://openwrt.org/about/history - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/(openwrt)\ (kamikaze)\ r1[4-8][0-9][0-9][0-9].*/\1:\2:8.09/')" - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/(openwrt)\ (backfire)\ r2[0-9][0-9][0-9][0-9].*/\1:\2:10.03/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/(openwrt)\ (kamikaze)\ 
r1[4-8][0-9][0-9][0-9].*/\1:\2:8.09/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/(openwrt)\ (backfire)\ r2[0-9][0-9][0-9][0-9].*/\1:\2:10.03/')" # OpenWrt 18.06.2 r7676-cddd7b4c77 - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/(openwrt)\ ([0-9]+\.[0-9]+\.[0-9]+)\ (r[0-9]+\-[a-z0-9]+).*/openwrt:\2:\3/')" - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/lede\ ([0-9]+\.[0-9]+\.[0-9]+)(-)?(rc[0-9])?.*/openwrt:\1:\3/')" - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/openwrt\ ([0-9]+\.[0-9]+)/openwrt:\1/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/(openwrt)\ ([0-9]+\.[0-9]+\.[0-9]+)\ (r[0-9]+\-[a-z0-9]+).*/openwrt:\2:\3/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/lede\ ([0-9]+\.[0-9]+\.[0-9]+)(-)?(rc[0-9])?.*/openwrt:\1:\3/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/openwrt\ ([0-9]+\.[0-9]+)/openwrt:\1/')" # OpenWrt Attitude Adjustment r7549 -> 12.09 - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/openwrt\ attitude\ adjustment\ r([0-9]+).*/openwrt:12\.09/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/openwrt\ attitude\ adjustment\ r([0-9]+).*/openwrt:12\.09/')" # d-link dir-300 v2.14b01 - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/d-link\ (.*)\ v([0-9].[0-9]+[a-z][0-9]+)/dlink:\1_firmware:\2/')" - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/d-link\ (.*)\ v([0-9].[0-9]+)/dlink:\1_firmware:\2/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/d-link\ (.*)\ v([0-9].[0-9]+[a-z][0-9]+)/dlink:\1_firmware:\2/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/d-link\ (.*)\ v([0-9].[0-9]+)/dlink:\1_firmware:\2/')" # dd-wrt v24-sp2 - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/dd-wrt\ v([0-9]+)-?(sp[0-9])?/dd-wrt:dd-wrt:\1:\2/')" - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 
's/dd-wrt\ \#([0-9]+)/dd-wrt:dd-wrt:\1/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/dd-wrt\ v([0-9]+)-?(sp[0-9])?.*/dd-wrt:dd-wrt:\1:\2/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/dd-wrt\ \#([0-9]+).*/dd-wrt:dd-wrt:\1/')" # iotgoat v1.0 - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/iotgoat\ v([0-9]\.[0-9]+)/iotgoat:\1/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/iotgoat\ v([0-9]\.[0-9]+)/iotgoat:\1/')" # F5 BigIP - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/big-ip\ ltm\ ([0-9]+(\.[0-9]+)+?)/f5:big-ip_local_traffic_manager:\1/')" - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/big-ip\ asm\ ([0-9]+(\.[0-9]+)+?)/f5:big-ip_application_security_manager:\1/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/big-ip\ ltm\ ([0-9]+(\.[0-9]+)+?)/f5:big-ip_local_traffic_manager:\1/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/big-ip\ asm\ ([0-9]+(\.[0-9]+)+?)/f5:big-ip_application_security_manager:\1/')" # Yocto linux - e.g.: poky:(yocto:project:reference:distro):2.2:(morty) - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/.*\(yocto:project:reference:distro\):([0-9]+(\.[0-9]+)+?):\(.*\)$/yoctoproject:yocto:\1/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/.*\(yocto:project:reference:distro\):([0-9]+(\.[0-9]+)+?):\(.*\)$/yoctoproject:yocto:\1/')" # Buildroot 2022.01.01 - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/buildroot\ ([0-9]+(\.[0-9]+)+?)/buildroot:\1/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/buildroot\ ([0-9]+(\.[0-9]+)+?)/buildroot:\1/')" # MikroTik routerOS V2.4 (c) 1999-2001 http://mikrotik.com/ - VERSION_IDENTIFIER="$(echo "$VERSION_IDENTIFIER" | sed -r 's/.*mikrotik\ routeros\ v([0-9]\.[0-9]+).*/mikrotik:routeros:\1/')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/.*mikrotik\ 
routeros\ v([0-9]\.[0-9]+).*/mikrotik:routeros:\1/')" VERSION_IDENTIFIER="${VERSION_IDENTIFIER// /:}" - CSV_RULE="$VERSION_IDENTIFIER" + CSV_RULE="$(safe_echo "$VERSION_IDENTIFIER" | tr -dc '[[:print:]]')" } diff --git a/modules/S08_package_mgmt_extractor.sh b/modules/S08_package_mgmt_extractor.sh index a08ab8ce5..b7fa9ab75 100755 --- a/modules/S08_package_mgmt_extractor.sh +++ b/modules/S08_package_mgmt_extractor.sh @@ -29,9 +29,7 @@ S08_package_mgmt_extractor() # Future work: rpm, ... # rpm_package_files_search - if [[ "${#DEBIAN_MGMT_STATUS[@]}" -gt 0 || "${#OPENWRT_MGMT_CONTROL[@]}" -gt 0 ]]; then - NEG_LOG=1 - fi + [[ "${#DEBIAN_MGMT_STATUS[@]}" -gt 0 || "${#OPENWRT_MGMT_CONTROL[@]}" -gt 0 ]] && NEG_LOG=1 module_end_log "${FUNCNAME[0]}" "$NEG_LOG" } @@ -60,7 +58,7 @@ debian_status_files_search() { print_output "[*] Found debian package details:" for PACKAGE_VERSION in "${DEBIAN_PACKAGES[@]}" ; do # Package: xxd - Status: install ok installed - 2:8.2.3995-1+b3 - PACKAGE=$(echo "$PACKAGE_VERSION" | awk '{print $2}') + PACKAGE=$(safe_echo "$PACKAGE_VERSION" | awk '{print $2}') VERSION=${PACKAGE_VERSION/*Version:\ /} # What is the state in an offline firmware image? Is it installed or not? # Futher investigation needed! @@ -99,7 +97,7 @@ openwrt_control_files_search() { mapfile -t OPENWRT_PACKAGES < <(grep "^Package: \|^Version: " "$PACKAGE_FILE" | sed -z 's/\nVersion: / - Version: /g') print_ln for PACKAGE_VERSION in "${OPENWRT_PACKAGES[@]}" ; do - PACKAGE=$(echo "$PACKAGE_VERSION" | awk '{print $2}') + PACKAGE=$(safe_echo "$PACKAGE_VERSION" | awk '{print $2}') VERSION=${PACKAGE_VERSION/*Version:\ /} # What is the state in an offline firmware image? Is it installed or not? # Futher investigation needed! 
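Review bot: `tr -dc '[[:print:]]'`, used twice in get_csv_rule_distri (the first and the last rewrite of VERSION_IDENTIFIER), doubles the brackets: tr parses the argument as the set `[`, `[:print:]`, `]`, which only equals the printable class because the two brackets are themselves printable. S09 in this same patch spells it `tr -dc '[:print:]'`; use that form here, `VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | tr '[:upper:]' '[:lower:]' | tr -dc '[:print:]')"` and `CSV_RULE="$(safe_echo "$VERSION_IDENTIFIER" | tr -dc '[:print:]')"`, so the intent reads correctly. Since VERSION_IDENTIFIER originates from firmware content and CSV_RULE is written to the CSV log, the strip deserves a why-comment, e.g. `# drop non-printable bytes from firmware-derived text before it reaches the CSV`.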
@@ -121,13 +119,13 @@ clean_package_versions() { # usually we get a version like 1.2.3-4 or 1.2.3-0kali1bla or 1.2.3-unknown # this is a quick approach to clean this version identifier # there is a lot of room for future improvement - STRIPPED_VERSION=$(echo "$VERSION_" | sed -r 's/-[0-9]+$//g') - STRIPPED_VERSION=$(echo "$STRIPPED_VERSION" | sed -r 's/-unknown$//g') - STRIPPED_VERSION=$(echo "$STRIPPED_VERSION" | sed -r 's/-[0-9]+kali[0-9]+.*$//g') - STRIPPED_VERSION=$(echo "$STRIPPED_VERSION" | sed -r 's/-[0-9]+ubuntu[0-9]+.*$//g') - STRIPPED_VERSION=$(echo "$STRIPPED_VERSION" | sed -r 's/-[0-9]+build[0-9]+$//g') - STRIPPED_VERSION=$(echo "$STRIPPED_VERSION" | sed -r 's/-[0-9]+\.[0-9]+$//g') - STRIPPED_VERSION=$(echo "$STRIPPED_VERSION" | sed -r 's/-[0-9]+\.[a-d][0-9]+$//g') - STRIPPED_VERSION=$(echo "$STRIPPED_VERSION" | sed -r 's/:[0-9]:/:/g') - STRIPPED_VERSION=$(echo "$STRIPPED_VERSION" | sed -r 's/^[0-9]://g') + STRIPPED_VERSION=$(safe_echo "$VERSION_" | sed -r 's/-[0-9]+$//g') + STRIPPED_VERSION=$(safe_echo "$STRIPPED_VERSION" | sed -r 's/-unknown$//g') + STRIPPED_VERSION=$(safe_echo "$STRIPPED_VERSION" | sed -r 's/-[0-9]+kali[0-9]+.*$//g') + STRIPPED_VERSION=$(safe_echo "$STRIPPED_VERSION" | sed -r 's/-[0-9]+ubuntu[0-9]+.*$//g') + STRIPPED_VERSION=$(safe_echo "$STRIPPED_VERSION" | sed -r 's/-[0-9]+build[0-9]+$//g') + STRIPPED_VERSION=$(safe_echo "$STRIPPED_VERSION" | sed -r 's/-[0-9]+\.[0-9]+$//g') + STRIPPED_VERSION=$(safe_echo "$STRIPPED_VERSION" | sed -r 's/-[0-9]+\.[a-d][0-9]+$//g') + STRIPPED_VERSION=$(safe_echo "$STRIPPED_VERSION" | sed -r 's/:[0-9]:/:/g') + STRIPPED_VERSION=$(safe_echo "$STRIPPED_VERSION" | sed -r 's/^[0-9]://g') } diff --git a/modules/S09_firmware_base_version_check.sh b/modules/S09_firmware_base_version_check.sh index 5d06a85ca..1cffcbced 100755 --- a/modules/S09_firmware_base_version_check.sh +++ b/modules/S09_firmware_base_version_check.sh 
@@ -36,25 +36,25 @@ S09_firmware_base_version_check() { TYPE="static" while read -r VERSION_LINE; do - if echo "$VERSION_LINE" | grep -v -q "^[^#*/;]"; then + if safe_echo "$VERSION_LINE" | grep -v -q "^[^#*/;]"; then continue fi - if echo "$VERSION_LINE" | grep -q ";no_static;"; then + if safe_echo "$VERSION_LINE" | grep -q ";no_static;"; then continue fi - if echo "$VERSION_LINE" | grep -q ";live;"; then + if safe_echo "$VERSION_LINE" | grep -q ";live;"; then continue fi print_dot - STRICT="$(echo "$VERSION_LINE" | cut -d\; -f2)" - LIC="$(echo "$VERSION_LINE" | cut -d\; -f3)" - BIN_NAME="$(echo "$VERSION_LINE" | cut -d\; -f1)" + STRICT="$(safe_echo "$VERSION_LINE" | cut -d\; -f2)" + LIC="$(safe_echo "$VERSION_LINE" | cut -d\; -f3)" + BIN_NAME="$(safe_echo "$VERSION_LINE" | cut -d\; -f1)" CSV_REGEX="$(echo "$VERSION_LINE" | cut -d\; -f5)" # VERSION_IDENTIFIER="$(echo "$VERSION_LINE" | cut -d\; -f4 | sed s/^\"// | sed s/\"$//)" - VERSION_IDENTIFIER="$(echo "$VERSION_LINE" | cut -d\; -f4)" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_LINE" | cut -d\; -f4)" VERSION_IDENTIFIER="${VERSION_IDENTIFIER/\"}" VERSION_IDENTIFIER="${VERSION_IDENTIFIER%\"}" @@ -63,9 +63,7 @@ S09_firmware_base_version_check() { # strict mode # use the defined regex only on a binary called BIN_NAME (field 1) - if [[ "$RTOS" -eq 1 ]]; then - continue - fi + [[ "$RTOS" -eq 1 ]] && continue mapfile -t STRICT_BINS < <(find "$OUTPUT_DIR" -xdev -executable -type f -name "$BIN_NAME" -exec md5sum {} \; 2>/dev/null | sort -u -k1,1 | cut -d\ -f3) for BIN in "${STRICT_BINS[@]}"; do 
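Review bot: In S09_firmware_base_version_check every field extraction switches to safe_echo except `CSV_REGEX="$(echo "$VERSION_LINE" | cut -d\; -f5)"`, which keeps plain echo without saying why, whereas the same exception in S06 is marked `# do not use safe_echo for SED_COMMAND`. Add the matching marker here, `# do not use safe_echo for CSV_REGEX`, and at the second CSV_REGEX extraction inside the zgrep loop in the next hunk, so the exception is not "fixed" by the next cleanup pass.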
@@ -92,13 +90,13 @@ S09_firmware_base_version_check() { mapfile -t SPECIAL_FINDS < <(find "$FIRMWARE_PATH" -xdev -type f -name "$BIN_NAME" -exec zgrep -H "$VERSION_IDENTIFIER" {} \; || true) for SFILE in "${SPECIAL_FINDS[@]}"; do - BIN_PATH=$(echo "$SFILE" | cut -d ":" -f1) - BIN_NAME="$(basename "$(echo "$SFILE" | cut -d ":" -f1)")" + BIN_PATH=$(safe_echo "$SFILE" | cut -d ":" -f1) + BIN_NAME="$(basename "$(safe_echo "$SFILE" | cut -d ":" -f1)")" # CSV_REGEX=$(echo "$VERSION_LINE" | cut -d\; -f5 | sed s/^\"// | sed s/\"$//) CSV_REGEX="$(echo "$VERSION_LINE" | cut -d\; -f5)" CSV_REGEX="${CSV_REGEX/\"}" CSV_REGEX="${CSV_REGEX%\"}" - VERSION_FINDER=$(echo "$SFILE" | cut -d ":" -f2-3 | tr -dc '[:print:]') + VERSION_FINDER=$(safe_echo "$SFILE" | cut -d ":" -f2-3 | tr -dc '[:print:]') get_csv_rule "$VERSION_FINDER" "$CSV_REGEX" print_output "[+] Version information found ${RED}""$VERSION_FINDER""${NC}${GREEN} in binary $ORANGE$(print_path "$BIN_PATH")$GREEN (license: $ORANGE$LIC$GREEN) (${ORANGE}static - zgrep$GREEN)." write_csv_log "$BIN_PATH" "$BIN_NAME" "$VERSION_FINDER" "$CSV_RULE" "$LIC" "$TYPE" @@ -158,9 +156,7 @@ S09_firmware_base_version_check() { print_dot - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_S09[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_S09[@]}" VERSIONS_DETECTED=$(grep -c "Version information found" "$LOG_FILE" || true) diff --git a/modules/S109_jtr_local_pw_cracking.sh b/modules/S109_jtr_local_pw_cracking.sh index caec36ce2..d5bdb8777 100755 --- a/modules/S109_jtr_local_pw_cracking.sh +++ b/modules/S109_jtr_local_pw_cracking.sh 
@@ -45,12 +45,8 @@ S109_jtr_local_pw_cracking() HASH_SOURCE=$(basename "$(echo "$HASH" | cut -d\; -f2)") HASH=$(echo "$HASH" | cut -d\; -f3 | tr -d \") - if [[ "$HASH" == *"BEGIN"*"KEY"* ]]; then - continue - fi - if [[ "$HASH_DESCRIPTION" == *"private key found"* ]]; then - continue - fi + [[ "$HASH" == *"BEGIN"*"KEY"* ]] && continue + [[ "$HASH_DESCRIPTION" == *"private key found"* ]] && continue if echo "$HASH" | cut -d: -f1-3 | grep -q "::[0-9]"; then # nosemgrep diff --git a/modules/S110_yara_check.sh b/modules/S110_yara_check.sh index 7764aaf3a..036a8442b 100755 --- a/modules/S110_yara_check.sh +++ b/modules/S110_yara_check.sh @@ -47,10 +47,8 @@ S110_yara_check() YRULE=$(echo "$YARA_OUT_LINE" | awk '{print $1}') MATCH_FILE=$(echo "$YARA_OUT_LINE" | grep "\ \[\]\ \[author=\"" | rev | awk '{print $1}' | rev) MATCH_FILE_NAME=$(basename "$MATCH_FILE") - if [[ "$YRULE" =~ .*IsSuspicious.* ]]; then - # this rule does not help us a lot ... remove it from results - continue - fi + # this rule does not help us a lot ... remove it from results + [[ "$YRULE" =~ .*IsSuspicious.* ]] && continue if ! [[ -f "$LOG_PATH_MODULE"/"$MATCH_FILE_NAME" ]]; then print_output "[+] Yara rule $ORANGE$YRULE$GREEN matched in $ORANGE$MATCH_FILE$NC" "" "$LOG_PATH_MODULE/$MATCH_FILE_NAME".txt write_log "" "$LOG_PATH_MODULE/$MATCH_FILE_NAME".txt @@ -59,9 +57,7 @@ S110_yara_check() COUNTING=$((COUNTING+1)) fi fi - if [[ -v MATCH_FILE_NAME ]]; then - echo "$YARA_OUT_LINE" >> "$LOG_PATH_MODULE"/"$MATCH_FILE_NAME".txt - fi + [[ -v MATCH_FILE_NAME ]] && echo "$YARA_OUT_LINE" >> "$LOG_PATH_MODULE"/"$MATCH_FILE_NAME".txt done < "$LOG_PATH_MODULE"/yara_complete_output.txt print_ln 
@@ -70,8 +66,8 @@ S110_yara_check() write_log "" write_log "[*] Statistics:$COUNTING" - if [[ "$COUNTING" -eq 0 ]] ; then print_output "[-] No code patterns found with yara." ; fi - if [[ -f "$DIR_COMB_YARA" ]] ; then rm "$DIR_COMB_YARA" ; fi + [[ "$COUNTING" -eq 0 ]] && print_output "[-] No code patterns found with yara." + [[ -f "$DIR_COMB_YARA" ]] && rm "$DIR_COMB_YARA" else print_output "[!] Check with yara not possible, because it isn't installed!" fi diff --git a/modules/S115_usermode_emulator.sh b/modules/S115_usermode_emulator.sh index 45a94f16f..7d2664bbc 100755 --- a/modules/S115_usermode_emulator.sh +++ b/modules/S115_usermode_emulator.sh @@ -72,9 +72,7 @@ S115_usermode_emulator() { copy_firmware # we only need to detect the root directory again if we have copied it before - if [[ -d "$FIRMWARE_PATH_BAK" ]]; then - detect_root_dir_helper "$EMULATION_PATH_BASE" - fi + [[ -d "$FIRMWARE_PATH_BAK" ]] && detect_root_dir_helper "$EMULATION_PATH_BASE" kill_qemu_threader & PID_killer+="$!" @@ -188,9 +186,7 @@ S115_usermode_emulator() { done done - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_S115[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_S115[@]}" s115_cleanup "$EMULATOR" running_jobs @@ -378,9 +374,7 @@ run_init_test() { done else - if [[ -z "$CPU_CONFIG_" ]]; then - CPU_CONFIG_="NONE" - fi + [[ -z "$CPU_CONFIG_" ]] && CPU_CONFIG_="NONE" write_log "[+] CPU configuration used for $ORANGE$BIN_EMU_NAME_$GREEN: $ORANGE$CPU_CONFIG_$GREEN" "$LOG_FILE_INIT" write_log "CPU_CONFIG_det\;$CPU_CONFIG_" "$LOG_PATH_MODULE""/qemu_init_cpu.txt" 
@@ -412,14 +406,10 @@ run_init_qemu() { # echo "R_PATH: $R_PATH" | tee -a "$LOG_FILE_INIT" # echo "CPU_CONFIG: $CPU_CONFIG_" | tee -a "$LOG_FILE_INIT" - if [[ "$STRICT_MODE" -eq 1 ]]; then - set +e - fi + [[ "$STRICT_MODE" -eq 1 ]] && set +e run_init_qemu_runner "$CPU_CONFIG_" "$BIN_EMU_NAME_" "$LOG_FILE_INIT" & PID=$! - if [[ "$STRICT_MODE" -eq 1 ]]; then - set -e - fi + [[ "$STRICT_MODE" -eq 1 ]] && set -e # wait a bit and then kill it sleep 1 @@ -478,9 +468,7 @@ emulate_strace_run() { write_log "" "$LOG_FILE_STRACER" # currently we only look for file errors (errno=2) and try to fix this - if [[ "$STRICT_MODE" -eq 1 ]]; then - set +e - fi + [[ "$STRICT_MODE" -eq 1 ]] && set +e if [[ -z "$CPU_CONFIG_" || "$CPU_CONFIG_" == *"NONE"* ]]; then if [[ "$CHROOT" == "jchroot" ]] || grep -q "jchroot" "$TMP_DIR"/chroot_mode.tmp; then timeout --preserve-status --signal SIGINT 2 "$CHROOT" "${OPTS[@]}" "$R_PATH" -- ./"$EMULATOR" --strace "$BIN_" >> "$LOG_FILE_STRACER" 2>&1 & @@ -498,9 +486,7 @@ emulate_strace_run() { PID=$! fi fi - if [[ "$STRICT_MODE" -eq 1 ]]; then - set -e - fi + [[ "$STRICT_MODE" -eq 1 ]] && set -e # wait a second and then kill it sleep 1 @@ -608,13 +594,9 @@ emulate_binary() { fi for PARAM in "${EMULATION_PARAMS[@]}"; do - if [[ -z "$PARAM" ]]; then - PARAM="NONE" - fi + [[ -z "$PARAM" ]] && PARAM="NONE" - if [[ "$STRICT_MODE" -eq 1 ]]; then - set +e - fi + [[ "$STRICT_MODE" -eq 1 ]] && set +e if [[ -z "$CPU_CONFIG_" ]] || [[ "$CPU_CONFIG_" == "NONE" ]]; then write_log "[*] Emulating binary $ORANGE$BIN_$NC with parameter $ORANGE$PARAM$NC" "$LOG_FILE_BIN" if [[ "$CHROOT" == "jchroot" ]] || grep -q "jchroot" "$TMP_DIR"/chroot_mode.tmp; then 
@@ -630,9 +612,7 @@ emulate_binary() { timeout --preserve-status --signal SIGINT "$QRUNTIME" "$CHROOT" "${OPTS[@]}" "$R_PATH" ./"$EMULATOR" -cpu "$CPU_CONFIG_" "$BIN_" "$PARAM" &>> "$LOG_FILE_BIN" || true & fi fi - if [[ "$STRICT_MODE" -eq 1 ]]; then - set -e - fi + [[ "$STRICT_MODE" -eq 1 ]] && set -e check_disk_space_emu done diff --git a/modules/S116_qemu_version_detection.sh b/modules/S116_qemu_version_detection.sh index 8d1dd1f22..e106db8dd 100755 --- a/modules/S116_qemu_version_detection.sh +++ b/modules/S116_qemu_version_detection.sh @@ -47,9 +47,8 @@ S116_qemu_version_detection() { fi done < "$CONFIG_DIR"/bin_version_strings.cfg print_ln "no_log" - if [[ $THREADED -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_F05[@]}" - fi + + [[ $THREADED -eq 1 ]] && wait_for_pid "${WAIT_PIDS_F05[@]}" if [[ $(wc -l "$CSV_DIR"/s116_qemu_version_detection.csv | awk '{print $1}' ) -gt 1 ]]; then NEG_LOG=1 fi diff --git a/modules/S120_cwe_checker.sh b/modules/S120_cwe_checker.sh index 5d402d18b..5583872fe 100755 --- a/modules/S120_cwe_checker.sh +++ b/modules/S120_cwe_checker.sh @@ -30,16 +30,12 @@ S120_cwe_checker() pre_module_reporter "${FUNCNAME[0]}" local CWE_CNT_=0 - if [[ "$IN_DOCKER" -eq 1 ]]; then - cwe_container_prepare - fi + [[ "$IN_DOCKER" -eq 1 ]] && cwe_container_prepare cwe_check if [[ -f "$TMP_DIR"/CWE_CNT.tmp ]]; then - while read -r COUNTING; do - (( CWE_CNT_="$CWE_CNT_"+"$COUNTING" )) - done < "$TMP_DIR"/CWE_CNT.tmp + CWE_CNT_=$(awk '{sum += $1 } END { print sum }' "$TMP_DIR"/CWE_CNT_.tmp) fi final_cwe_log "$CWE_CNT_" 
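Review bot: The existence check and the awk read in S120_cwe_checker name different files: `if [[ -f "$TMP_DIR"/CWE_CNT.tmp ]]` guards `awk … "$TMP_DIR"/CWE_CNT_.tmp`, so unless the producer side (outside this diff) was renamed too the awk never sees the counted file, exits non-zero and CWE_CNT_ ends up empty — under `set -e` the failed substitution aborts the module. Change the read to `CWE_CNT_=$(awk '{sum += $1 } END { print sum+0 }' "$TMP_DIR"/CWE_CNT.tmp)`. The `+0` matters for every awk-sum this patch introduces — S13, S14, S20, S21 and S22 as well — because `print sum` on an empty file prints an empty string, which the replaced read loops never produced; `[[ "" -gt 0 ]]` is quietly false in bash, but the empty value also lands in the Statistics log lines.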
@@ -91,10 +87,8 @@ cwe_check() { for BINARY in "${BINARIES[@]}" ; do if ( file "$BINARY" | grep -q ELF ) ; then - if [[ "$BINARY" == *".ko" ]]; then - # do not try to analyze kernel modules: - continue - fi + # do not try to analyze kernel modules: + [[ "$BINARY" == *".ko" ]] && continue if [[ "$THREADED" -eq 1 ]]; then local MAX_MOD_THREADS=$(("$(grep -c ^processor /proc/cpuinfo || true)")) if [[ $(grep -i -c S09_ "$LOG_DIR"/"$MAIN_LOG_FILE" || true) -eq 1 ]]; then @@ -111,9 +105,7 @@ cwe_check() { fi done - if [[ $THREADED -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_S120[@]}" - fi + [[ $THREADED -eq 1 ]] && wait_for_pid "${WAIT_PIDS_S120[@]}" } cwe_checker_threaded () { @@ -124,7 +116,7 @@ cwe_checker_threaded () { local CWE="" local CWE_DESC="" local CWE_CNT=0 - local MEM_LIMIT=$(( "$TOTAL_MEMORY"*80/100 )) + local MEM_LIMIT=$(( "$TOTAL_MEMORY" )) local NAME="" NAME=$(basename "$BINARY_") @@ -138,7 +130,7 @@ cwe_checker_threaded () { print_output "[*] Tested $ORANGE""$(print_path "$BINARY_")""$NC" if [[ -s "$LOG_PATH_MODULE"/cwe_"$NAME".log ]]; then - jq -rc '.[].name + " - " + .[].description' "$LOG_PATH_MODULE"/cwe_"$NAME".log || true + jq -rc '.[].name + " - " + .[].description' "$LOG_PATH_MODULE"/cwe_"$NAME".log | sort -u || true mapfile -t CWE_OUT < <( jq -r '.[] | "\(.name) \(.description)"' "$LOG_PATH_MODULE"/cwe_"$NAME".log | cut -d\) -f1 | tr -d '(' | sort -u|| true) # this is the logging after every tested file if [[ ${#CWE_OUT[@]} -ne 0 ]] ; then @@ -158,7 +150,7 @@ cwe_checker_threaded () { rm "$LOG_PATH_MODULE"/cwe_"$NAME".log fi fi - if [[ ${#TEST_OUTPUT[@]} -ne 0 ]] ; then print_ln ; fi + [[ ${#TEST_OUTPUT[@]} -ne 0 ]] && print_ln if [[ -f "$LOG_FILE" ]]; then cat "$LOG_FILE" >> "$OLD_LOG_FILE" diff --git a/modules/S13_weak_func_check.sh b/modules/S13_weak_func_check.sh index 5c3bf8657..5d2b6811a 100755 --- a/modules/S13_weak_func_check.sh +++ b/modules/S13_weak_func_check.sh 
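Review bot: `local MEM_LIMIT=$(( "$TOTAL_MEMORY" ))` in cwe_checker_threaded drops the 80% headroom without a comment; MEM_LIMIT's consumer is outside this hunk, but if it is what bounds one cwe_checker process, a single analysis thread may now take the whole machine's memory while cwe_check starts up to MAX_MOD_THREADS of them in parallel, which is a self-inflicted memory-exhaustion risk for the analysis host. If the new cap is intentional, say why at the line, e.g. `# MEM_LIMIT is the full TOTAL_MEMORY on purpose: <reason>`, and write it as the plain copy it now is, `local MEM_LIMIT="$TOTAL_MEMORY"`; otherwise keep `$(( "$TOTAL_MEMORY"*80/100 ))`.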
@@ -27,7 +27,7 @@ S13_weak_func_check() module_title "Check binaries for weak functions (intense)" pre_module_reporter "${FUNCNAME[0]}" - STRCPY_CNT=0 + local STRCPY_CNT=0 local BINARY="" local VULNERABLE_FUNCTIONS=() local VULNERABLE_FUNCTIONS_VAR="" @@ -119,9 +119,7 @@ S13_weak_func_check() fi done - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_S13[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_S13[@]}" # ensure that we do not have result files without real results: find "$LOG_DIR"/s13_weak_func_check/vul_func_0*.txt -exec rm {} \; 2>/dev/null || true @@ -129,9 +127,7 @@ S13_weak_func_check() print_top10_statistics "${VULNERABLE_FUNCTIONS[@]}" if [[ -f "$TMP_DIR"/S13_STRCPY_CNT.tmp ]]; then - while read -r STRCPY; do - STRCPY_CNT=$((STRCPY_CNT+STRCPY)) - done < "$TMP_DIR"/S13_STRCPY_CNT.tmp + STRCPY_CNT=$(awk '{sum += $1 } END { print sum }' "$TMP_DIR"/S13_STRCPY_CNT.tmp) fi write_log "" @@ -148,6 +144,7 @@ function_check_NIOS2(){ shift 1 local VULNERABLE_FUNCTIONS=("$@") local NAME="" + local STRCPY_CNT=0 NAME=$(basename "$BINARY_" 2> /dev/null) if ! [[ -f "$BINARY_" ]]; then return @@ -196,6 +193,7 @@ function_check_PPC32(){ local VULNERABLE_FUNCTIONS=("$@") local NAME="" NAME=$(basename "$BINARY_" 2> /dev/null) + local STRCPY_CNT=0 if ! [[ -f "$BINARY_" ]]; then return fi @@ -236,9 +234,11 @@ function_check_MIPS() { local VULNERABLE_FUNCTIONS=("$@") local NAME="" NAME=$(basename "$BINARY_" 2> /dev/null) + local STRCPY_CNT=0 if ! [[ -f "$BINARY_" ]]; then return fi + for FUNCTION in "${VULNERABLE_FUNCTIONS[@]}" ; do FUNC_ADDR=$(readelf -a "$BINARY_" --use-dynamic 2> /dev/null | grep -E \ "$FUNCTION" | grep gp | grep -m1 UND | cut -d\ -f4 | sed s/\(gp\)// | sed s/-// 2> /dev/null || true) if [[ -z "$FUNC_ADDR" ]] || [[ "$FUNC_ADDR" == "00000000" ]]; then 
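Review bot: `local STRCPY_CNT=0` is declared before `NAME=$(basename "$BINARY_" 2> /dev/null)` in function_check_NIOS2 but after it in function_check_PPC32 and the other function_check_* bodies in the following hunks (MIPS, ARM64, ARM32, x86, x86_64); keep the local declarations together at the top of each function, directly after `local NAME=""`, so the seven bodies read alike. The radare_function_check_* functions in S14 have the same placement and would benefit from the same ordering.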
@@ -281,9 +281,11 @@ function_check_ARM64() { local VULNERABLE_FUNCTIONS=("$@") local NAME="" NAME=$(basename "$BINARY_" 2> /dev/null) + local STRCPY_CNT=0 if ! [[ -f "$BINARY_" ]]; then return fi + for FUNCTION in "${VULNERABLE_FUNCTIONS[@]}" ; do NETWORKING=$(readelf -a "$BINARY_" --use-dynamic 2> /dev/null | grep -E "FUNC[[:space:]]+UND" | grep -c "\ bind\|\ socket\|\ accept\|\ recvfrom\|\ listen" 2> /dev/null || true) FUNC_LOG="$LOG_PATH_MODULE""/vul_func_""$FUNCTION""-""$NAME"".txt" @@ -319,9 +321,11 @@ function_check_ARM32() { local VULNERABLE_FUNCTIONS=("$@") local NAME="" NAME=$(basename "$BINARY_" 2> /dev/null) + local STRCPY_CNT=0 if ! [[ -f "$BINARY_" ]]; then return fi + for FUNCTION in "${VULNERABLE_FUNCTIONS[@]}" ; do NETWORKING=$(readelf -a "$BINARY_" --use-dynamic 2> /dev/null | grep -E "FUNC[[:space:]]+UND" | grep -c "\ bind\|\ socket\|\ accept\|\ recvfrom\|\ listen" 2> /dev/null || true) FUNC_LOG="$LOG_PATH_MODULE""/vul_func_""$FUNCTION""-""$NAME"".txt" @@ -356,9 +360,11 @@ function_check_x86() { local VULNERABLE_FUNCTIONS=("$@") local NAME="" NAME=$(basename "$BINARY_" 2> /dev/null) + local STRCPY_CNT=0 if ! [[ -f "$BINARY_" ]]; then return fi + for FUNCTION in "${VULNERABLE_FUNCTIONS[@]}" ; do if ( readelf -r --use-dynamic "$BINARY_" | awk '{print $5}' | grep -E -q "^$FUNCTION" 2> /dev/null ) ; then NETWORKING=$(readelf -a "$BINARY_" --use-dynamic 2> /dev/null | grep -E "FUNC[[:space:]]+UND" | grep -c "\ bind\|\ socket\|\ accept\|\ recvfrom\|\ listen" 2> /dev/null || true) 
@@ -395,9 +401,11 @@ function_check_x86_64() { local VULNERABLE_FUNCTIONS=("$@") local NAME="" NAME=$(basename "$BINARY_" 2> /dev/null) + local STRCPY_CNT=0 if ! [[ -f "$BINARY_" ]]; then return fi + for FUNCTION in "${VULNERABLE_FUNCTIONS[@]}" ; do if ( readelf -r --use-dynamic "$BINARY_" | awk '{print $5}' | grep -E -q "^$FUNCTION" 2> /dev/null ) ; then NETWORKING=$(readelf -a "$BINARY_" --use-dynamic 2> /dev/null | grep -E "FUNC[[:space:]]+UND" | grep -c "\ bind\|\ socket\|\ accept\|\ recvfrom\|\ listen" 2> /dev/null || true) @@ -453,9 +461,7 @@ print_top10_statistics() { for BINARY in "${RESULTS[@]}" ; do SEARCH_TERM="$(echo "$BINARY" | awk '{print $2}')" F_COUNTER="$(echo "$BINARY" | awk '{print $1}')" - if [[ "$F_COUNTER" -eq 0 ]]; then - continue - fi + [[ "$F_COUNTER" -eq 0 ]] && continue if [[ -f "$BASE_LINUX_FILES" ]]; then # if we have the base linux config file we are checking it: if grep -E -q "^$SEARCH_TERM$" "$BASE_LINUX_FILES" 2>/dev/null; then diff --git a/modules/S14_weak_func_radare_check.sh b/modules/S14_weak_func_radare_check.sh index 7f5861d3f..44aad63de 100755 --- a/modules/S14_weak_func_radare_check.sh +++ b/modules/S14_weak_func_radare_check.sh @@ -28,7 +28,7 @@ S14_weak_func_radare_check() module_title "Check binaries for weak functions (radare mode)" pre_module_reporter "${FUNCNAME[0]}" - STRCPY_CNT=0 + local STRCPY_CNT=0 if [[ -n "$ARCH" ]] ; then # as this module is slow we only run it in case the objdump method from s13 was not working as expected 
@@ -115,16 +115,12 @@ S14_weak_func_radare_check() fi done - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_S14[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_S14[@]}" radare_print_top10_statistics "${VULNERABLE_FUNCTIONS[@]}" if [[ -f "$TMP_DIR"/S14_STRCPY_CNT.tmp ]]; then - while read -r STRCPY; do - STRCPY_CNT=$((STRCPY_CNT+STRCPY)) - done < "$TMP_DIR"/S14_STRCPY_CNT.tmp + STRCPY_CNT=$(awk '{sum += $1 } END { print sum }' "$TMP_DIR"/S14_STRCPY_CNT.tmp) fi write_log "" @@ -142,6 +138,7 @@ radare_function_check_PPC32(){ local VULNERABLE_FUNCTIONS=("$@") local NAME="" NAME=$(basename "$BINARY_" 2> /dev/null) + local STRCPY_CNT=0 if ! [[ -f "$BINARY_" ]]; then return fi @@ -182,6 +179,7 @@ radare_function_check_MIPS() { local VULNERABLE_FUNCTIONS=("$@") local NAME="" NAME=$(basename "$BINARY_" 2> /dev/null) + local STRCPY_CNT=0 if ! [[ -f "$BINARY_" ]]; then return fi @@ -223,6 +221,7 @@ radare_function_check_ARM64() { local VULNERABLE_FUNCTIONS=("$@") local NAME="" NAME=$(basename "$BINARY_" 2> /dev/null) + local STRCPY_CNT=0 if ! [[ -f "$BINARY_" ]]; then return fi @@ -263,6 +262,7 @@ radare_function_check_ARM32() { local VULNERABLE_FUNCTIONS=("$@") local NAME="" NAME=$(basename "$BINARY_" 2> /dev/null) + local STRCPY_CNT=0 if ! [[ -f "$BINARY_" ]]; then return fi @@ -303,6 +303,7 @@ radare_function_check_x86() { local VULNERABLE_FUNCTIONS=("$@") local NAME="" NAME=$(basename "$BINARY_" 2> /dev/null) + local STRCPY_CNT=0 if ! [[ -f "$BINARY_" ]]; then return fi @@ -344,6 +345,7 @@ radare_function_check_x86_64() { local VULNERABLE_FUNCTIONS=("$@") local NAME="" NAME=$(basename "$BINARY_" 2> /dev/null) + local STRCPY_CNT=0 if ! [[ -f "$BINARY_" ]]; then return fi @@ -386,7 +388,6 @@ radare_print_top10_statistics() { sub_module_title "Top 10 legacy C functions" - if [[ "$(find "$LOG_PATH_MODULE" -xdev -iname "vul_func_*_*-*.txt" | wc -l)" -gt 0 ]]; then for FUNCTION in "${VULNERABLE_FUNCTIONS[@]}" ; do local SEARCH_TERM="" 
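Review bot: The hunk at radare_print_top10_statistics removes the line `if [[ "$(find "$LOG_PATH_MODULE" -xdev -iname "vul_func_*_*-*.txt" | wc -l)" -gt 0 ]]; then`, but no hunk in this patch removes its closing `fi` (or an `else` branch, if one exists) below the for loop — the visible S14 hunks add up to the 23 changed lines the diffstat reports — so the function as committed no longer parses. Either restore the `if` line or remove the matching `fi` in the same change; the function body continues outside the hunk.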
@@ -402,9 +403,8 @@ radare_print_top10_statistics() { for BINARY in "${RESULTS[@]}" ; do SEARCH_TERM="$(echo "$BINARY" | awk '{print $2}')" F_COUNTER="$(echo "$BINARY" | awk '{print $1}')" - if [[ "$F_COUNTER" -eq 0 ]]; then - continue - fi + [[ "$F_COUNTER" -eq 0 ]] && continue + if [[ -f "$BASE_LINUX_FILES" ]]; then # if we have the base linux config file we are checking it: if grep -E -q "^$SEARCH_TERM$" "$BASE_LINUX_FILES" 2>/dev/null; then @@ -533,4 +533,3 @@ radare_output_function_details() write_csv_log "$(print_path "$BINARY_")" "$FUNCTION" "$COUNT_FUNC" "$CFF_CSV" "$NW_CSV" fi } - diff --git a/modules/S20_shell_check.sh b/modules/S20_shell_check.sh index 192681662..0441f0cad 100755 --- a/modules/S20_shell_check.sh +++ b/modules/S20_shell_check.sh @@ -49,19 +49,13 @@ S20_shell_check() fi done - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_S20[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_S20[@]}" if [[ -f "$TMP_DIR"/S20_VULNS.tmp ]]; then - while read -r VULNS; do - S20_SHELL_VULNS=$((S20_SHELL_VULNS+VULNS)) - done < "$TMP_DIR"/S20_VULNS.tmp + S20_SHELL_VULNS=$(awk '{sum += $1 } END { print sum }' "$TMP_DIR"/S20_VULNS.tmp) rm "$TMP_DIR"/S20_VULNS.tmp fi - if [[ "$S20_SHELL_VULNS" -gt 0 ]]; then - NEG_LOG=1 - fi + [[ "$S20_SHELL_VULNS" -gt 0 ]] && NEG_LOG=1 print_ln if [[ "$S20_SHELL_VULNS" -gt 0 ]]; then @@ -85,9 +79,7 @@ S20_shell_check() # semgrep has issues if we are running throught a complete filesystem with /proc and other filesystems are in use # This results that we need to wait for for S115_usermode_emulator and unmounted /proc filesytem # check emba.log for S115_usermode_emulator - if [[ "$THREADED" -eq 1 ]]; then - module_wait "S115_usermode_emulator" - fi + [[ "$THREADED" -eq 1 ]] && module_wait "S115_usermode_emulator" local S20_SEMGREP_SCRIPTS=0 local S20_SEMGREP_VULNS=0 local SHELL_LOG="$LOG_PATH_MODULE"/semgrep.log 
@@ -108,9 +100,9 @@ S20_shell_check() # highlight security findings in semgrep log: sed -i -r "s/.*external\.semgrep-rules\.bash\.lang\.security.*/\x1b[32m&\x1b[0m/" "$SHELL_LOG" fi - if [[ "$S20_SEMGREP_ISSUES" -gt 0 ]]; then - NEG_LOG=1 - fi + + [[ "$S20_SEMGREP_ISSUES" -gt 0 ]] && NEG_LOG=1 + write_log "" write_log "[*] Statistics1:$S20_SEMGREP_ISSUES:$S20_SEMGREP_SCRIPTS" else diff --git a/modules/S21_python_check.sh b/modules/S21_python_check.sh index 7b09e74a5..603b7bc23 100755 --- a/modules/S21_python_check.sh +++ b/modules/S21_python_check.sh @@ -45,14 +45,10 @@ S21_python_check() fi done - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_S21[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_S21[@]}" if [[ -f "$TMP_DIR"/S21_VULNS.tmp ]]; then - while read -r VULNS; do - (( S21_PY_VULNS="$S21_PY_VULNS"+"$VULNS" )) - done < "$TMP_DIR"/S21_VULNS.tmp + S21_PY_VULNS=$(awk '{sum += $1 } END { print sum }'"$TMP_DIR"/S21_VULNS.tmp) fi if [[ "$S21_PY_VULNS" -gt 0 ]]; then diff --git a/modules/S22_php_check.sh b/modules/S22_php_check.sh index ef1bb5c57..36ac1d787 100755 --- a/modules/S22_php_check.sh +++ b/modules/S22_php_check.sh @@ -83,14 +83,10 @@ s22_vuln_check_caller() { fi done - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_S22[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_S22[@]}" if [[ -f "$TMP_DIR"/S22_VULNS.tmp ]]; then - while read -r VULNS; do - (( S22_PHP_VULNS="$S22_PHP_VULNS"+"$VULNS" )) - done < "$TMP_DIR"/S22_VULNS.tmp + S22_PHP_VULNS=$(awk '{sum += $1 } END { print sum }' "$TMP_DIR"/S22_VULNS.tmp) fi print_ln diff --git a/modules/S24_kernel_bin_identifier.sh b/modules/S24_kernel_bin_identifier.sh index 56012a1c5..1197eaef9 100755 --- a/modules/S24_kernel_bin_identifier.sh +++ b/modules/S24_kernel_bin_identifier.sh 
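Review bot: The new awk invocation in S21_python_check is missing the space between the program and the file name, so `'{sum += $1 } END { print sum }'"$TMP_DIR"/S21_VULNS.tmp` reaches awk as a single program argument: awk fails on the syntax, S21_PY_VULNS ends up empty, and with strict mode on the failed command substitution aborts the module. The sibling modules (S20, S22, S25, S50) have the space. Fix: `S21_PY_VULNS=$(awk '{sum += $1} END {print sum+0}' "$TMP_DIR"/S21_VULNS.tmp)`; the `+0` also keeps the result numeric for the `-gt 0` test that follows when the file is empty.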
@@ -172,45 +172,29 @@ extract_kconfig() { # Initial attempt for uncompressed images or objects: dump_config "$IMG" - if [[ $? -eq 4 ]]; then - return - fi + [[ $? -eq 4 ]] && return # That didn't work, so retry after decompression. try_decompress '\037\213\010' xy gunzip - if [[ $? -eq 4 ]]; then - return - fi + [[ $? -eq 4 ]] && return try_decompress '\3757zXZ\000' abcde unxz - if [[ $? -eq 4 ]]; then - return - fi + [[ $? -eq 4 ]] && return try_decompress 'BZh' xy bunzip2 - if [[ $? -eq 4 ]]; then - return - fi + [[ $? -eq 4 ]] && return try_decompress '\135\0\0\0' xxx unlzma - if [[ $? -eq 4 ]]; then - return - fi + [[ $? -eq 4 ]] && return try_decompress '\211\114\132' xy 'lzop -d' - if [[ $? -eq 4 ]]; then - return - fi + [[ $? -eq 4 ]] && return try_decompress '\002\041\114\030' xyy 'lz4 -d -l' - if [[ $? -eq 4 ]]; then - return - fi + [[ $? -eq 4 ]] && return try_decompress '\050\265\057\375' xxx unzstd - if [[ $? -eq 4 ]]; then - return - fi + [[ $? -eq 4 ]] && return } dump_config() { @@ -229,9 +213,7 @@ dump_config() { tail -c+"$((POS + 8))" "$IMG_" | zcat > "$TMP1" 2> /dev/null if [[ $? != 1 ]]; then # exit status must be 0 or 2 (trailing garbage warning) - if [[ "$STRICT_MODE" -eq 1 ]]; then - set +e - fi + [[ "$STRICT_MODE" -eq 1 ]] && set +e if ! [[ -f "$TMP1" ]]; then return @@ -258,9 +240,7 @@ try_decompress() { POS=${POS%%:*} tail -c+"$POS" "$IMG" | "$3" > "$TMP2" 2> /dev/null dump_config "$TMP2" - if [[ $? -eq 4 ]]; then - return 4 - fi + [[ $? -eq 4 ]] && return 4 done } diff --git a/modules/S25_kernel_check.sh b/modules/S25_kernel_check.sh index 42bc079c6..d76ac3352 100755 --- a/modules/S25_kernel_check.sh +++ b/modules/S25_kernel_check.sh @@ -169,7 +169,7 @@ demess_kv_version() { # sometimes our kernel version is wasted with some "-" -> so we exchange them with spaces for the exploit suggester for VER in "${K_VERSION[@]}" ; do if ! [[ "$VER" == *[0-9]* ]]; then - continue; + continue fi KV=$(echo "$VER" | tr "-" " ") 
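Review bot: Collapsing `if [[ $? -eq 4 ]]; then return; fi` into `[[ $? -eq 4 ]] && return` changes the exit status wherever that line is the last command executed: a false test yields status 1 where the `if` form yielded 0. That is now the case at the end of extract_kconfig, and in try_decompress (below) the loop body's last command becomes the loop's and thus the function's status, so try_decompress returns 1 whenever the last candidate did not produce a config; since each `try_decompress` call in extract_kconfig is a plain statement, under `set -e` (STRICT_MODE) this aborts instead of falling through to the next decompressor. The same trailing-statement pattern is introduced in check_resolv, check_iptables and check_snmp (S75) and in check_squid (S85). Keep the `if … fi` form when it is the last statement of a function or loop body, or end those functions with an explicit `return 0`.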
@@ -252,15 +252,11 @@ analyze_kernel_module() { fi done - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_S25[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_S25[@]}" # in threading we need to go via a temp file with the need to count it now: if [[ -f "$TMP_DIR"/KMOD_BAD.tmp ]]; then - while read -r COUNTING; do - KMOD_BAD=$((KMOD_BAD+COUNTING)) - done < "$TMP_DIR"/KMOD_BAD.tmp + KMOD_BAD=$(awk '{sum += $1 } END { print sum }' "$TMP_DIR"/KMOD_BAD.tmp) fi } diff --git a/modules/S26_kernel_vuln_verifier.sh b/modules/S26_kernel_vuln_verifier.sh index 36f6853c7..9d22e2b14 100755 --- a/modules/S26_kernel_vuln_verifier.sh +++ b/modules/S26_kernel_vuln_verifier.sh @@ -209,9 +209,7 @@ S26_kernel_vuln_verifier() write_link "$LOG_DIR/kernel_downloader.log" KERNEL_DIR="$LOG_PATH_MODULE/linux-$K_VERSION_KORG" - if [[ -d "$KERNEL_DIR" ]]; then - rm -rf "$KERNEL_DIR" - fi + [[ -d "$KERNEL_DIR" ]] && rm -rf "$KERNEL_DIR" if ! [[ -d "$KERNEL_DIR" ]] && [[ "$(file "$KERNEL_ARCH_PATH/linux-$K_VERSION_KORG.tar.gz")" == *"gzip compressed data"* ]]; then print_output "[*] Kernel version $ORANGE$K_VERSION$NC extraction ... " tar -xzf "$KERNEL_ARCH_PATH/linux-$K_VERSION_KORG.tar.gz" -C "$LOG_PATH_MODULE" @@ -399,11 +397,9 @@ symbol_verifier() { fi done - if [[ "$VULN_FOUND" -eq 1 ]]; then - # if we have already a match for this path we can skip the 2nd check - # this is only for speed up the process a bit - return - fi + # if we have already a match for this path we can skip the 2nd check + # this is only for speed up the process a bit + [[ "$VULN_FOUND" -eq 1 ]] && return for CHUNK_FILE in "$LOG_PATH_MODULE"/symbols_uniq.split_gpl.* ; do # echo "testing chunk file $CHUNK_FILE" diff --git a/modules/S40_weak_perm_check.sh b/modules/S40_weak_perm_check.sh index 6f94ca4da..c0dc8982b 100755 --- a/modules/S40_weak_perm_check.sh +++ b/modules/S40_weak_perm_check.sh 
@@ -26,9 +26,9 @@ S40_weak_perm_check() { local LINE="" local SETUID_NAME="" local GTFO_LINK="" - local ETC_ARR ETC_ARR=("$(mod_path "/ETC_PATHS")") + readarray -t SETUID_FILES < <(find "$FIRMWARE_PATH" "${EXCL_FIND[@]}" -xdev -user root -perm -4000 -exec md5sum {} \; 2>/dev/null | sort -u -k1,1 | cut -d\ -f3 2>/dev/null || true) readarray -t SETGID_FILES < <(find "$FIRMWARE_PATH" "${EXCL_FIND[@]}" -xdev -user root -perm -2000 -exec md5sum {} \; 2>/dev/null | sort -u -k1,1 | cut -d\ -f3 2>/dev/null || true) readarray -t WORLD_WRITE_FILES < <(find "$FIRMWARE_PATH" "${EXCL_FIND[@]}" -xdev -type f -perm -o+w -exec md5sum {} \; 2>/dev/null | sort -u -k1,1 | cut -d\ -f3 2>/dev/null || true) diff --git a/modules/S50_authentication_check.sh b/modules/S50_authentication_check.sh index 716a3decc..a2ea9b552 100755 --- a/modules/S50_authentication_check.sh +++ b/modules/S50_authentication_check.sh @@ -69,14 +69,10 @@ S50_authentication_check() { search_pam_files fi - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_S50[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_S50[@]}" if [[ -f "$TMP_DIR"/S50_AUTH_ISSUES.tmp ]]; then - while read -r ISSUES; do - AUTH_ISSUES=$((AUTH_ISSUES+ISSUES)) - done < "$TMP_DIR"/S50_AUTH_ISSUES.tmp + AUTH_ISSUES=$(awk '{sum += $1 } END { print sum }' "$TMP_DIR"/S50_AUTH_ISSUES.tmp) fi write_log "" write_log "[*] Statistics:$AUTH_ISSUES" @@ -151,9 +147,7 @@ user_zero() { fi fi done - if [[ $CHECK -eq 0 ]] ; then - print_output "[-] /etc/passwd not available" - fi + [[ $CHECK -eq 0 ]] && print_output "[-] /etc/passwd not available" echo "$AUTH_ISSUES" >> "$TMP_DIR"/S50_AUTH_ISSUES.tmp } @@ -182,9 +176,7 @@ non_unique_acc() { fi fi done - if [[ $CHECK -eq 0 ]] ; then - print_output "[-] /etc/passwd not available" - fi + [[ $CHECK -eq 0 ]] && print_output "[-] /etc/passwd not available" echo "$AUTH_ISSUES" >> "$TMP_DIR"/S50_AUTH_ISSUES.tmp } 
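Review bot: Dropping `local ETC_ARR` while keeping `ETC_ARR=("$(mod_path "/ETC_PATHS")")` turns the array into a global that outlives S40_weak_perm_check, which is a behaviour change rather than cleanup. If the goal was to avoid the separate declaration, `local -a ETC_ARR=()` on the removed line keeps the scope and still lets the assignment below carry mod_path's exit status. If ETC_ARR is deliberately shared with other functions of the module (not visible here), a comment saying so would help the next reader.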
@@ -213,9 +205,7 @@ non_unique_group_id() { fi fi done - if [[ $CHECK -eq 0 ]] ; then - print_output "[-] /etc/group not available" - fi + [[ $CHECK -eq 0 ]] && print_output "[-] /etc/group not available" echo "$AUTH_ISSUES" >> "$TMP_DIR"/S50_AUTH_ISSUES.tmp } @@ -243,9 +233,7 @@ non_unique_group_name() { fi fi done - if [[ $CHECK -eq 0 ]] ; then - print_output "[-] /etc/group not available" - fi + [[ $CHECK -eq 0 ]] && print_output "[-] /etc/group not available" echo "$AUTH_ISSUES" >> "$TMP_DIR"/S50_AUTH_ISSUES.tmp } @@ -271,9 +259,7 @@ query_user_acc() { print_output "[*] Found minimal user id specified: ""$UID_MIN" fi done - if [[ "$UID_MIN" = "" ]] ; then - UID_MIN="1000" - fi + [[ "$UID_MIN" = "" ]] && UID_MIN="1000" print_output "[*] Linux real users output (ID = 0, or ""$UID_MIN""+, but not 65534):" FIND=$(awk -v UID_MIN="$UID_MIN" -F: '($3 >= UID_MIN && $3 != 65534) || ($3 == 0) { print $1","$3 }' "$PASSWD_FILE") @@ -285,9 +271,7 @@ query_user_acc() { fi fi done - if [[ $CHECK -eq 0 ]] ; then - print_output "[-] /etc/passwd not available" - fi + [[ $CHECK -eq 0 ]] && print_output "[-] /etc/passwd not available" echo "$AUTH_ISSUES" >> "$TMP_DIR"/S50_AUTH_ISSUES.tmp } @@ -328,9 +312,7 @@ query_nis_plus_auth_supp() { fi fi done - if [[ $CHECK -eq 0 ]] ; then - print_output "[-] /etc/nsswitch.conf not available" - fi + [[ $CHECK -eq 0 ]] && print_output "[-] /etc/nsswitch.conf not available" echo "$AUTH_ISSUES" >> "$TMP_DIR"/S50_AUTH_ISSUES.tmp } @@ -542,9 +524,7 @@ scan_pam_conf() { fi fi done - if [[ $CHECK -eq 0 ]] ; then - print_output "[-] /etc/pam.conf not available" - fi + [[ $CHECK -eq 0 ]] && print_output "[-] /etc/pam.conf not available" echo "$AUTH_ISSUES" >> "$TMP_DIR"/S50_AUTH_ISSUES.tmp } @@ -587,9 +567,7 @@ search_pam_configs() { done fi done - if [[ $CHECK -eq 0 ]] ; then - print_output "[-] /etc/pam.d not available" - fi + [[ $CHECK -eq 0 ]] && print_output "[-] /etc/pam.d not available" echo "$AUTH_ISSUES" >> "$TMP_DIR"/S50_AUTH_ISSUES.tmp } 
@@ -622,9 +600,7 @@ search_pam_files() { ((AUTH_ISSUES+=1)) fi done - if [[ $CHECK -eq 0 ]] ; then - print_output "[-] Nothing interesting found" - fi + [[ $CHECK -eq 0 ]] && print_output "[-] Nothing interesting found" else print_output "[-] Nothing found" fi diff --git a/modules/S65_config_file_check.sh b/modules/S65_config_file_check.sh index 5fca0cecc..c5bffa7c8 100755 --- a/modules/S65_config_file_check.sh +++ b/modules/S65_config_file_check.sh @@ -87,5 +87,4 @@ check_fstab() else print_output "[-] No fstab files with passwords found" fi - } diff --git a/modules/S75_network_check.sh b/modules/S75_network_check.sh index d2193fd8d..4ed0b25e5 100755 --- a/modules/S75_network_check.sh +++ b/modules/S75_network_check.sh @@ -49,14 +49,12 @@ check_resolv() DNS_INFO=$(grep "nameserver" "$RES_INFO_P" 2>/dev/null || true) if [[ "$DNS_INFO" ]] ; then - print_output "$(indent "$DNS_INFO")" - ((NET_CFG_FOUND+=1)) + print_output "$(indent "$DNS_INFO")" + ((NET_CFG_FOUND+=1)) fi fi done - if [[ $CHECK -eq 0 ]] ; then - print_output "[-] No or empty network configuration found" - fi + [[ $CHECK -eq 0 ]] && print_output "[-] No or empty network configuration found" } check_iptables() @@ -75,9 +73,7 @@ check_iptables() ((NET_CFG_FOUND+=1)) fi done - if [[ $CHECK -eq 0 ]] ; then - print_output "[-] No iptables configuration found" - fi + [[ $CHECK -eq 0 ]] && print_output "[-] No iptables configuration found" } # This check is based on source code from lynis: https://github.com/CISOfy/lynis/blob/master/include/tests_snmp @@ -106,9 +102,7 @@ check_snmp() fi fi done - if [[ $CHECK -eq 0 ]] ; then - print_output "[-] No SNMP configuration found" - fi + [[ $CHECK -eq 0 ]] && print_output "[-] No SNMP configuration found" } check_network_configs() diff --git a/modules/S80_cronjob_check.sh b/modules/S80_cronjob_check.sh index 50a9411ed..34d94a15d 100755 --- a/modules/S80_cronjob_check.sh +++ b/modules/S80_cronjob_check.sh 
@@ -13,7 +13,8 @@ # # Author(s): Michael Messner, Pascal Eckmann -# Description: Examine all files for cronjob configuration, e.g. cron or crontab and lists their jobs and other possible intriguing details. +# Description: Examine all files for cronjob configuration, e.g. cron or crontab +# and lists their jobs and other possible intriguing details. S80_cronjob_check() { diff --git a/modules/S85_ssh_check.sh b/modules/S85_ssh_check.sh index b49c369ea..2e10b1dcf 100755 --- a/modules/S85_ssh_check.sh +++ b/modules/S85_ssh_check.sh @@ -102,9 +102,7 @@ check_squid() ((SQUID_VUL_CNT+=1)) fi done - if [[ $SQUID_VUL_CNT -eq 0 ]] ; then - print_output "[-] No possible squid executable found" - fi + [[ $SQUID_VUL_CNT -eq 0 ]] && print_output "[-] No possible squid executable found" local SQUID_DAEMON_CONFIG_LOCS=("/ETC_PATHS" "/ETC_PATHS/squid" "/ETC_PATHS/squid3" "/usr/local/etc/squid" "/usr/local/squid/etc") mapfile -t SQUID_PATHS_ARR < <(mod_path_array "${SQUID_DAEMON_CONFIG_LOCS[@]}") @@ -129,7 +127,5 @@ check_squid() fi done fi - if [[ $CHECK -eq 0 ]] ; then - print_output "[-] No squid configuration found" - fi + [[ $CHECK -eq 0 ]] && print_output "[-] No squid configuration found" } diff --git a/modules/S95_interesting_binaries_check.sh b/modules/S95_interesting_binaries_check.sh index 5c4d07447..398c64b93 100755 --- a/modules/S95_interesting_binaries_check.sh +++ b/modules/S95_interesting_binaries_check.sh @@ -35,9 +35,8 @@ S95_interesting_binaries_check() post_exploitation fi - if [[ "$THREADED" -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_S95[@]}" - fi + [[ "$THREADED" -eq 1 ]] && wait_for_pid "${WAIT_PIDS_S95[@]}" + if [[ -f "$LOG_PATH_MODULE"/interesting_binaries.txt ]]; then sub_module_title "Interesting binaries" tee -a "$LOG_FILE" < "$LOG_PATH_MODULE"/interesting_binaries.txt diff --git a/modules/S99_grepit.sh b/modules/S99_grepit.sh index d453b2106..21fae578e 100755 --- a/modules/S99_grepit.sh +++ b/modules/S99_grepit.sh 
@@ -84,9 +84,7 @@ S99_grepit() { done fi - if [[ $THREADED -eq 1 ]]; then - wait_for_pid "${WAIT_PIDS_S99[@]}" - fi + [[ $THREADED -eq 1 ]] && wait_for_pid "${WAIT_PIDS_S99[@]}" grepit_reporter From 30647765b19068b341306d08b9452f51188b7d22 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Thu, 26 Jan 2023 15:18:29 +0100 Subject: [PATCH 2/6] cleanup --- emba.sh | 4 +--- helpers/helpers_emba_internet_access.sh | 2 +- helpers/helpers_emba_print.sh | 4 +--- modules/S03_firmware_bin_base_analyzer.sh | 8 ++++---- modules/S120_cwe_checker.sh | 2 +- 5 files changed, 8 insertions(+), 12 deletions(-) diff --git a/emba.sh b/emba.sh index 22b944e10..10a9f96c7 100755 --- a/emba.sh +++ b/emba.sh @@ -885,9 +885,7 @@ main() write_notification "EMBA starting docker container" - if [[ "$STRICT_MODE" -eq 1 ]]; then - set +e - fi + [[ "$STRICT_MODE" -eq 1 ]] && set +e disable_strict_mode "$STRICT_MODE" 0 EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker-compose run --rm emba -c './emba.sh -l /logs -f /firmware -i "$@"' _ "${ARGUMENTS[@]}" diff --git a/helpers/helpers_emba_internet_access.sh b/helpers/helpers_emba_internet_access.sh index be394741e..5dc9f3f45 100755 --- a/helpers/helpers_emba_internet_access.sh +++ b/helpers/helpers_emba_internet_access.sh @@ -82,7 +82,7 @@ kernel_downloader() { print_output "$OUTPUTTER" "no_log" write_log "$OUTPUTTER" "$LOG_DIR/kernel_downloader.log" - if [[ -d "$TMP_DIR" ]]; then + if ! [[ -d "$TMP_DIR" ]]; then mkdir "$TMP_DIR" fi diff --git a/helpers/helpers_emba_print.sh b/helpers/helpers_emba_print.sh index 48f58332e..50631d056 100755 --- a/helpers/helpers_emba_print.sh +++ b/helpers/helpers_emba_print.sh @@ -169,10 +169,8 @@ escape_echo() { if [[ -v 2 ]]; then local LOG_TO_FILE="${2:-}" printf -- "%q" "$STRING_TO_ECHO" | tee -a "$LOG_TO_FILE" >/dev/null || true - # printf -- "%b" "\r\n" | tee -a "$LOG_TO_FILE" >/dev/null || true else printf -- "%q" "$STRING_TO_ECHO" || true - # printf -- "%b" "\r\n" || true fi } 
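Review bot: In main, `[[ "$STRICT_MODE" -eq 1 ]] && set +e` looks redundant next to `disable_strict_mode "$STRICT_MODE" 0` on the following line, if that helper already lifts `-e`; the helper is not visible here. If both are needed (for instance because the helper itself must not run under `-e`), a one-line comment on the new line stating why would document the ordering.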
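Review bot: The corrected test in kernel_downloader still leaves a check-then-create window: `if ! [[ -d "$TMP_DIR" ]]; then mkdir "$TMP_DIR"; fi` fails with EEXIST if another module creates the directory between the test and the mkdir, and the threaded modules touched in this series make that plausible. `mkdir -p -- "$TMP_DIR"` is atomic with respect to existence and replaces the whole block. The rest of kernel_downloader is outside the hunk.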
@@ -715,8 +713,8 @@ write_notification() { # this function will handle it and generate a desktop notification print_notification() { [[ "$DISABLE_NOTIFICATIONS" -eq 1 ]] && return - # in case DISPLAY is not set we are not able to show notifications if ! [[ -v DISPLAY ]]; then + # in case DISPLAY is not set we are not able to show notifications return fi local NOTIFICATION_LOCATION="$TMP_DIR"/notifications.log diff --git a/modules/S03_firmware_bin_base_analyzer.sh b/modules/S03_firmware_bin_base_analyzer.sh index d05bcb0da..edb6733ce 100755 --- a/modules/S03_firmware_bin_base_analyzer.sh +++ b/modules/S03_firmware_bin_base_analyzer.sh @@ -79,8 +79,8 @@ os_identification() { local WAIT_PIDS_S03_1=() if [[ ${#ROOT_PATH[@]} -gt 1 || $LINUX_PATH_COUNTER -gt 2 ]] ; then - escape_echo "${#ROOT_PATH[@]}" >> "$TMP_DIR"/s03.tmp - escape_echo "$LINUX_PATH_COUNTER" >> "$TMP_DIR"/s03.tmp + safe_echo "${#ROOT_PATH[@]}" >> "$TMP_DIR"/s03.tmp + safe_echo "$LINUX_PATH_COUNTER" >> "$TMP_DIR"/s03.tmp fi print_ln @@ -166,7 +166,7 @@ os_detection_thread_per_os() { fi fi - [[ "${OS_COUNTER[$OS]}" -gt 0 ]] && escape_echo "${OS_COUNTER[$OS]}" >> "$TMP_DIR"/s03.tmp + [[ "${OS_COUNTER[$OS]}" -gt 0 ]] && safe_echo "${OS_COUNTER[$OS]}" >> "$TMP_DIR"/s03.tmp } binary_architecture_detection() { @@ -211,6 +211,6 @@ binary_architecture_reporter() { PRE_ARCH_=$(safe_echo "$PRE_ARCH_" | cut -d\; -f2) print_ln print_output "[+] Possible architecture details found ($ORANGE$SOURCE$GREEN): $ORANGE$PRE_ARCH_$NC" - escape_echo "$PRE_ARCH_" >> "$TMP_DIR"/s03.tmp + safe_echo "$PRE_ARCH_" >> "$TMP_DIR"/s03.tmp done < "$TMP_DIR"/s03_arch.tmp } diff --git a/modules/S120_cwe_checker.sh b/modules/S120_cwe_checker.sh index 5583872fe..441037a69 100755 --- a/modules/S120_cwe_checker.sh +++ b/modules/S120_cwe_checker.sh 
@@ -116,7 +116,7 @@ cwe_checker_threaded () { local CWE="" local CWE_DESC="" local CWE_CNT=0 - local MEM_LIMIT=$(( "$TOTAL_MEMORY" )) + local MEM_LIMIT=$(( "$TOTAL_MEMORY"/2 )) local NAME="" NAME=$(basename "$BINARY_") From 06ca6a981b495ceaa2b2920ffceafd3c0a0cf377 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Thu, 26 Jan 2023 15:20:58 +0100 Subject: [PATCH 3/6] dumb syntax --- modules/S06_distribution_identification.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/S06_distribution_identification.sh b/modules/S06_distribution_identification.sh index efe7846b7..1170810be 100755 --- a/modules/S06_distribution_identification.sh +++ b/modules/S06_distribution_identification.sh @@ -113,7 +113,7 @@ dlink_image_sign() { get_csv_rule_distri() { # this is a temp solution. If this list grows we are going to solve it via a configuration file local VERSION_IDENTIFIER="${1:-}" - VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | tr '[:upper:]' '[:lower:]' | tr -dc '[[:print:]]')" + VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | tr '[:upper:]' '[:lower:]' | tr -dc '[:print:]')" ### handle versions of linux distributions: # debian 9 (stretch) - installer build 20170615+deb9u5 @@ -152,5 +152,5 @@ get_csv_rule_distri() { # MikroTik routerOS V2.4 (c) 1999-2001 http://mikrotik.com/ VERSION_IDENTIFIER="$(safe_echo "$VERSION_IDENTIFIER" | sed -r 's/.*mikrotik\ routeros\ v([0-9]\.[0-9]+).*/mikrotik:routeros:\1/')" VERSION_IDENTIFIER="${VERSION_IDENTIFIER// /:}" - CSV_RULE="$(safe_echo "$VERSION_IDENTIFIER" | tr -dc '[[:print:]]')" + CSV_RULE="$(safe_echo "$VERSION_IDENTIFIER" | tr -dc '[:print:]')" } From 73f7e47bd00cdddad8c90794432d3caac028e3e7 Mon Sep 17 00:00:00 2001 
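Review bot: The new `/2` on MEM_LIMIT is an unexplained magic constant; the companion change in cwe_check (patch 4) halves MAX_MOD_THREADS the same way, so presumably cwe_checker is being capped at half the host's resources to leave room for the other threaded modules. A comment on the line, e.g. `# cap cwe_checker at half of the available memory so parallel modules keep their share — confirm`, would record the intent. The quotes inside `$(( "$TOTAL_MEMORY"/2 ))` are unnecessary in arithmetic context, and an empty TOTAL_MEMORY silently evaluates to 0 there.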
From: m-1-k-3 Date: Thu, 26 Jan 2023 15:46:33 +0100 Subject: [PATCH 4/6] emba.sh renamed to emba only --- check_project.sh | 6 +++--- emba.sh => emba | 4 ++-- helpers/helpers_emba_status_bar.sh | 2 +- installer/R00_emba_remove.sh | 2 +- modules/P61_unblob_eval.sh | 4 ++-- modules/S120_cwe_checker.sh | 2 +- modules/template_module.sh | 2 +- 7 files changed, 11 insertions(+), 11 deletions(-) rename emba.sh => emba (99%) diff --git a/check_project.sh b/check_project.sh index 863c65dc8..2d33dba51 100755 --- a/check_project.sh +++ b/check_project.sh @@ -13,7 +13,7 @@ # # Author(s): Michael Messner, Pascal Eckmann -# Description: Check all shell scripts inside ./helpers, ./modules, emba.sh and itself with shellchecker +# Description: Check all shell scripts inside ./helpers, ./modules, emba and itself with shellchecker STRICT_MODE=1 @@ -106,7 +106,7 @@ import_installer() { import_emba_main() { MODULES=() - mapfile -t MODULES < <(find ./ -iname "emba.sh" -o -iname "installer.sh" -o -iname "check_project.sh" 2>/dev/null) + mapfile -t MODULES < <(find ./ -iname "emba" -o -iname "installer.sh" -o -iname "check_project.sh" 2>/dev/null) for LINE in "${MODULES[@]}"; do if (file "$LINE" | grep -q "shell script"); then echo "$LINE" @@ -172,7 +172,7 @@ check() { echo -e "\\n""$GREEN""Run shellcheck and semgrep:""$NC""\\n" for SOURCE in "${SOURCES[@]}"; do echo -e "\\n""$GREEN""Run ${ORANGE}shellcheck$GREEN on $ORANGE$SOURCE""$NC""\\n" - if shellcheck -P "$HELP_DIR":"$MOD_DIR":"$MOD_DIR_LOCAL" -a ./emba.sh "$SOURCE" || [[ $? -ne 1 && $? -ne 2 ]]; then + if shellcheck -P "$HELP_DIR":"$MOD_DIR":"$MOD_DIR_LOCAL" -a ./emba "$SOURCE" || [[ $? -ne 1 && $? -ne 2 ]]; then echo -e "$GREEN""$BOLD""==> SUCCESS""$NC""\\n" else echo -e "\\n""$ORANGE""$BOLD""==> FIX ERRORS""$NC""\\n" diff --git a/emba.sh b/emba similarity index 99% rename from emba.sh rename to emba index 10a9f96c7..78faf1606 100755 --- a/emba.sh +++ b/emba 
@@ -437,7 +437,7 @@ main() fi export EMBA_COMMAND - EMBA_COMMAND="$(dirname "$0")""/emba.sh ""$*" + EMBA_COMMAND="$(dirname "$0")""/emba ""$*" while getopts a:bBA:cC:dDe:Ef:Fghijk:l:m:N:p:P:QrsStT:UxX:yY:WzZ: OPT ; do case $OPT in @@ -888,7 +888,7 @@ main() [[ "$STRICT_MODE" -eq 1 ]] && set +e disable_strict_mode "$STRICT_MODE" 0 - EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker-compose run --rm emba -c './emba.sh -l /logs -f /firmware -i "$@"' _ "${ARGUMENTS[@]}" + EMBA="$INVOCATION_PATH" FIRMWARE="$FIRMWARE_PATH" LOG="$LOG_DIR" docker-compose run --rm emba -c './emba -l /logs -f /firmware -i "$@"' _ "${ARGUMENTS[@]}" D_RETURN=$? enable_strict_mode "$STRICT_MODE" 0 diff --git a/helpers/helpers_emba_status_bar.sh b/helpers/helpers_emba_status_bar.sh index 6a0aae2a3..633b7f722 100755 --- a/helpers/helpers_emba_status_bar.sh +++ b/helpers/helpers_emba_status_bar.sh @@ -176,7 +176,7 @@ update_box_status() { local RUNTIME=0 RUNTIME="$(date -d@"$(( "$(date +%s)" - "$DATE_STR" ))" -u +%H:%M:%S)" LOG_DIR_SIZE="$(du -sh "$LOG_DIR" 2> /dev/null | cut -d$'\t' -f1 2> /dev/null || true)" - RUN_EMBA_PROCESSES="$(ps -C emba.sh | wc -l || true)" + RUN_EMBA_PROCESSES="$(ps -C emba | wc -l || true)" printf '\e[s\e[%s;29f%s\e[%s;29f%s\e[%s;29f%s\e[u' "$(( LINES - 3 ))" "$(status_util_str 0 "$RUNTIME")" "$(( LINES - 2 ))" "$(status_util_str 1 "$LOG_DIR_SIZE")" "$(( LINES - 1 ))" "$(status_util_str 2 "$RUN_EMBA_PROCESSES")" || true sleep .5 if [[ -f "$STATUS_TMP_PATH" ]] ; then diff --git a/installer/R00_emba_remove.sh b/installer/R00_emba_remove.sh index 842a99f43..9d3be01bc 100755 --- a/installer/R00_emba_remove.sh +++ b/installer/R00_emba_remove.sh 
@@ -26,7 +26,7 @@ R00_emba_remove() { read -p "If you know what you are doing you can press any key to continue ..." -n1 -s -r echo -e "\\n""$ORANGE""Stopping EMBA processes""$NC" - pkill -f "emba.sh" || true + pkill -f "emba" || true echo -e "\\n""$ORANGE""Stopping mongod process""$NC" if [[ -f "/etc/init.d/mongod" ]]; then diff --git a/modules/P61_unblob_eval.sh b/modules/P61_unblob_eval.sh index f54e24e1b..bc8926944 100755 --- a/modules/P61_unblob_eval.sh +++ b/modules/P61_unblob_eval.sh @@ -32,7 +32,7 @@ P61_unblob_eval() { if [[ -f "$TMP_DIR""/unblob_disable.cfg" ]]; then print_output "[-] Unblob module automatically disabled from other module." else - print_output "[-] Unblob module currently disabled - enable it in emba.sh setting the UNBLOB variable to 1" + print_output "[-] Unblob module currently disabled - enable it in emba setting the UNBLOB variable to 1" fi module_end_log "${FUNCNAME[0]}" 0 return @@ -66,7 +66,7 @@ P61_unblob_eval() { module_title "Unblob binary firmware extractor" pre_module_reporter "${FUNCNAME[0]}" - print_output "[*] Unblob module currently enabled - disable it in emba.sh setting the UNBLOB variable to 0" + print_output "[*] Unblob module currently enabled - disable it in emba setting the UNBLOB variable to 0" print_output "[!] INFO: This is an evaluation module for the extractor ${ORANGE}unblob - https://unblob.org/$MAGENTA." print_output "[!] INFO: The results are currently only further used if the binwalk extraction process failes (this will probably change in the future)." diff --git a/modules/S120_cwe_checker.sh b/modules/S120_cwe_checker.sh index 441037a69..edf8f1632 100755 --- a/modules/S120_cwe_checker.sh +++ b/modules/S120_cwe_checker.sh 
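Review bot: `pkill -f "emba"` matches every process whose full command line contains the substring emba, not just the renamed main script: helper and module scripts such as `helpers_emba_*`, a container named emba, or the installer itself when it was started with a path containing the repository name (e.g. `/opt/emba/installer.sh -r`), in which case the remover kills its own shell. Anchor the pattern to the script name, e.g. `pkill -f '(^|/)emba( |$)' || true`. The old `emba.sh` pattern was already loose (the dot matches any character) but could not match those paths.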
@@ -90,7 +90,7 @@ cwe_check() { # do not try to analyze kernel modules: [[ "$BINARY" == *".ko" ]] && continue if [[ "$THREADED" -eq 1 ]]; then - local MAX_MOD_THREADS=$(("$(grep -c ^processor /proc/cpuinfo || true)")) + local MAX_MOD_THREADS=$(("$(grep -c ^processor /proc/cpuinfo || true)" / 2)) if [[ $(grep -i -c S09_ "$LOG_DIR"/"$MAIN_LOG_FILE" || true) -eq 1 ]]; then local MAX_MOD_THREADS=1 fi diff --git a/modules/template_module.sh b/modules/template_module.sh index 75c34dcbe..e6be65464 100755 --- a/modules/template_module.sh +++ b/modules/template_module.sh @@ -134,7 +134,7 @@ print_examples() { # If you only want to print stuff into an own log file print_log "log text" "[path to log file]" "g" - # "g" is optional for printing line into grep-able log file (emba.sh -g) + # "g" is optional for printing line into grep-able log file (emba -g) } path_handling() { From b9ffd95bdf40d85ff5d948110ff58944629ff8c7 Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Thu, 26 Jan 2023 16:00:44 +0100 Subject: [PATCH 5/6] remove thread prio from L modules --- modules/L10_system_emulation.sh | 3 --- modules/L15_emulated_checks_nmap.sh | 3 --- modules/L20_snmp_checks.sh | 3 --- modules/L25_web_checks.sh | 3 --- modules/L30_routersploit.sh | 3 --- modules/L35_metasploit_check.sh | 3 --- modules/L99_cleanup.sh | 3 --- 7 files changed, 21 deletions(-) diff --git a/modules/L10_system_emulation.sh b/modules/L10_system_emulation.sh index 8213338e1..67038329b 100755 --- a/modules/L10_system_emulation.sh +++ b/modules/L10_system_emulation.sh @@ -24,9 +24,6 @@ # Warning: This module changes your network configuration and it could happen that your system looses # network connectivity. -# Threading priority - if set to 1, these modules will be executed first -export THREAD_PRIO=0 - L10_system_emulation() { module_log_init "${FUNCNAME[0]}" module_title "System emulation of Linux based embedded devices." 
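Review bot: `$(("$(grep -c ^processor /proc/cpuinfo || true)" / 2))` evaluates to 0 on a single-CPU host and also when the grep produces no output, so MAX_MOD_THREADS can now be 0 where the old expression gave at least the CPU count; what the thread-limiting helper does with a limit of 0 is outside this hunk, but it is never a sensible value. Clamp it right after the assignment: `[[ "$MAX_MOD_THREADS" -lt 1 ]] && MAX_MOD_THREADS=1`. The quotes inside the arithmetic expansion are unnecessary and can be dropped.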
diff --git a/modules/L15_emulated_checks_nmap.sh b/modules/L15_emulated_checks_nmap.sh index 3a924688f..854386bea 100755 --- a/modules/L15_emulated_checks_nmap.sh +++ b/modules/L15_emulated_checks_nmap.sh @@ -16,9 +16,6 @@ # Currently this is an experimental module and needs to be activated separately via the -Q switch. # It is also recommended to only use this technique in a dockerized or virtualized environment. -# Threading priority - if set to 1, these modules will be executed first -export THREAD_PRIO=0 - L15_emulated_checks_nmap() { local MODULE_END=0 diff --git a/modules/L20_snmp_checks.sh b/modules/L20_snmp_checks.sh index c5cd9c9d6..bf665508a 100755 --- a/modules/L20_snmp_checks.sh +++ b/modules/L20_snmp_checks.sh @@ -16,9 +16,6 @@ # Currently this is an experimental module and needs to be activated separately via the -Q switch. # It is also recommended to only use this technique in a dockerized or virtualized environment. -# Threading priority - if set to 1, these modules will be executed first -export THREAD_PRIO=0 - L20_snmp_checks() { export SNMP_UP=0 diff --git a/modules/L25_web_checks.sh b/modules/L25_web_checks.sh index f5d2f565a..5114fe053 100755 --- a/modules/L25_web_checks.sh +++ b/modules/L25_web_checks.sh @@ -16,9 +16,6 @@ # Currently this is an experimental module and needs to be activated separately via the -Q switch. # It is also recommended to only use this technique in a dockerized or virtualized environment. -# Threading priority - if set to 1, these modules will be executed first -export THREAD_PRIO=0 - L25_web_checks() { export ARACHNI_BIN_PATH="$EXT_DIR/arachni/arachni-1.6.1.3-0.6.1.1/bin" diff --git a/modules/L30_routersploit.sh b/modules/L30_routersploit.sh index ec6b6a2c0..ae2210a60 100755 --- a/modules/L30_routersploit.sh +++ b/modules/L30_routersploit.sh 
@@ -16,9 +16,6 @@ # Currently this is an experimental module and needs to be activated separately via the -Q switch. # It is also recommended to only use this technique in a dockerized or virtualized environment. -# Threading priority - if set to 1, these modules will be executed first -export THREAD_PRIO=0 - L30_routersploit() { local MODULE_END=0 diff --git a/modules/L35_metasploit_check.sh b/modules/L35_metasploit_check.sh index 025167fc7..2e8965500 100755 --- a/modules/L35_metasploit_check.sh +++ b/modules/L35_metasploit_check.sh @@ -16,9 +16,6 @@ # Currently this is an experimental module and needs to be activated separately via the -Q switch. # It is also recommended to only use this technique in a dockerized or virtualized environment. -# Threading priority - if set to 1, these modules will be executed first -export THREAD_PRIO=0 - L35_metasploit_check() { local MODULE_END=0 diff --git a/modules/L99_cleanup.sh b/modules/L99_cleanup.sh index 6a07dae65..a2ffbad28 100755 --- a/modules/L99_cleanup.sh +++ b/modules/L99_cleanup.sh @@ -14,9 +14,6 @@ # Description: Stop and cleanup emulation environment -# Threading priority - if set to 1, these modules will be executed first -export THREAD_PRIO=0 - L99_cleanup() { local MODULE_END=0 From b42a6212a5f8b9ddad2dc43d5520fd1df247769e Mon Sep 17 00:00:00 2001 From: m-1-k-3 Date: Thu, 26 Jan 2023 16:31:59 +0100 Subject: [PATCH 6/6] s120 - json parsing fix --- modules/L35_metasploit_check.sh | 2 +- modules/S120_cwe_checker.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/L35_metasploit_check.sh b/modules/L35_metasploit_check.sh index 2e8965500..9e2479ea1 100755 --- a/modules/L35_metasploit_check.sh +++ b/modules/L35_metasploit_check.sh 
@@ -74,7 +74,7 @@ check_live_metasploit() { if [[ "$D_END" == "eb" ]]; then D_END="be"; fi ARCH_END="$(echo "$ARCH" | tr '[:upper:]' '[:lower:]')$(echo "$D_END" | tr '[:upper:]' '[:lower:]')" - timeout --preserve-status --signal SIGINT 2000 msfconsole -q -n -r "$HELP_DIR"/l35_msf_check.rc "$IP_ADDRESS_" "$PORTS" "$ARCH_END"| tee -a "$LOG_PATH_MODULE"/metasploit-check-"$IP_ADDRESS_".txt || true + timeout --preserve-status --signal SIGINT -k 60 2000 msfconsole -q -n -r "$HELP_DIR"/l35_msf_check.rc "$IP_ADDRESS_" "$PORTS" "$ARCH_END"| tee -a "$LOG_PATH_MODULE"/metasploit-check-"$IP_ADDRESS_".txt || true if [[ -f "$LOG_PATH_MODULE"/metasploit-check-"$IP_ADDRESS_".txt ]] && [[ $(grep -a -i -c "Vulnerability identified for module" "$LOG_PATH_MODULE"/metasploit-check-"$IP_ADDRESS_".txt) -gt 0 ]]; then write_csv_log "Source" "Module" "CVE" "ARCH_END" "IP_ADDRESS" "PORTS" diff --git a/modules/S120_cwe_checker.sh b/modules/S120_cwe_checker.sh index edf8f1632..24f831998 100755 --- a/modules/S120_cwe_checker.sh +++ b/modules/S120_cwe_checker.sh @@ -130,7 +130,7 @@ cwe_checker_threaded () { print_output "[*] Tested $ORANGE""$(print_path "$BINARY_")""$NC" if [[ -s "$LOG_PATH_MODULE"/cwe_"$NAME".log ]]; then - jq -rc '.[].name + " - " + .[].description' "$LOG_PATH_MODULE"/cwe_"$NAME".log | sort -u || true + jq -r '.[] | "\(.name) - \(.description)"' "$LOG_PATH_MODULE"/cwe_"$NAME".log | sort -u || true mapfile -t CWE_OUT < <( jq -r '.[] | "\(.name) \(.description)"' "$LOG_PATH_MODULE"/cwe_"$NAME".log | cut -d\) -f1 | tr -d '(' | sort -u|| true) # this is the logging after every tested file if [[ ${#CWE_OUT[@]} -ne 0 ]] ; then