From 8b5a7c53f60ba0313218c823254ff9722f85210e Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Sat, 8 Apr 2023 10:36:00 +0200
Subject: [PATCH 1/7] move default profile to long, create new default profile

---
 scan-profiles/default-scan.emba | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/scan-profiles/default-scan.emba b/scan-profiles/default-scan.emba
index 26c3a6e7d..11fbd72d0 100644
--- a/scan-profiles/default-scan.emba
+++ b/scan-profiles/default-scan.emba
@@ -19,6 +19,7 @@ export THREADED=1
 export SHORT_PATH=1
 export HTML=1
 export QEMULATION=1
+export MODULE_BLACKLIST=( "S99_grepit" "S110_yara_check" )
 
 # we output the profile only at the beginning - outside the docker environment
 if [[ $IN_DOCKER -ne 1 ]] ; then
@@ -32,5 +33,9 @@ if [[ $IN_DOCKER -ne 1 ]] ; then
     print_output "$(indent "$(orange "Enables automated qemu emulation tests")")" "no_log"
   fi
   print_output "$(indent "$(orange "Runs EMBA in docker container")")" "no_log"
+  print_output "$(indent "$(orange "Disable EMBA module via profile")")" "no_log"
+  for MODULE_ in "${MODULE_BLACKLIST[@]}"; do
+    print_output "$(indent "$(orange "Blacklisted module: $MODULE_")")" "no_log"
+  done
   export USE_DOCKER=1
 fi

From b94fb57d8267131064dec72c73f8c602cc7a57ee Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Sat, 8 Apr 2023 10:37:18 +0200
Subject: [PATCH 2/7] Copyright adjustments

---
 scan-profiles/default-scan-emulation.emba | 4 ++--
 scan-profiles/default-scan.emba           | 4 ++--
 scan-profiles/full-scan.emba              | 5 +++--
 3 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/scan-profiles/default-scan-emulation.emba b/scan-profiles/default-scan-emulation.emba
index bf3b4c8d8..251d4c7a6 100644
--- a/scan-profiles/default-scan-emulation.emba
+++ b/scan-profiles/default-scan-emulation.emba
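Review bot: The new `export MODULE_BLACKLIST=( "S99_grepit" "S110_yara_check" )` line in the first hunk makes the default profile skip two modules, but nothing in the profile text says so; a user who picks this profile gets fewer findings than a full run and learns it only from the banner printed by the loop in the second hunk. Add a comment above the array, e.g. `# modules skipped by this profile; remove an entry here to run that module again`. Note also that bash cannot place an array in the environment, so the `export` attribute has no effect on child processes and MODULE_BLACKLIST is only visible where the profile itself is sourced; if that is the intent a plain assignment states it more honestly, and if the list is meant to reach a child process it needs another mechanism. The enclosing `if [[ $IN_DOCKER -ne 1 ]]` block of the second hunk starts outside that hunk.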
@@ -1,7 +1,7 @@
 # EMBA - EMBEDDED LINUX ANALYZER
 #
-# Copyright 2020-2022 Siemens Energy AG
-# Copyright 2020-2022 Siemens AG
+# Copyright 2020-2023 Siemens Energy AG
+# Copyright 2020-2023 Siemens AG
 #
 # EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
diff --git a/scan-profiles/default-scan.emba b/scan-profiles/default-scan.emba
index 11fbd72d0..e48bfe1e1 100644
--- a/scan-profiles/default-scan.emba
+++ b/scan-profiles/default-scan.emba
@@ -1,7 +1,7 @@
 # EMBA - EMBEDDED LINUX ANALYZER
 #
-# Copyright 2020-2022 Siemens Energy AG
-# Copyright 2020-2022 Siemens AG
+# Copyright 2020-2023 Siemens Energy AG
+# Copyright 2020-2023 Siemens AG
 #
 # EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
diff --git a/scan-profiles/full-scan.emba b/scan-profiles/full-scan.emba
index 20d5c7c0c..5d1d363d7 100644
--- a/scan-profiles/full-scan.emba
+++ b/scan-profiles/full-scan.emba
@@ -1,7 +1,7 @@
 # EMBA - EMBEDDED LINUX ANALYZER
 #
-# Copyright 2020-2022 Siemens Energy AG
-# Copyright 2020-2022 Siemens AG
+# Copyright 2020-2023 Siemens Energy AG
+# Copyright 2020-2023 Siemens AG
 #
 # EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
 # welcome to redistribute it under the terms of the GNU General Public License.
@@ -21,6 +21,7 @@ export HTML=1
 export CWE_CHECKER=1
 export QEMULATION=1
 export FULL_EMULATION=1
+
 # we output the profile only at the beginning - outside the docker environment
 if [[ $IN_DOCKER -ne 1 ]] ; then
   print_output "$(indent "$(orange "Adds ANSI color codes to log")")" "no_log"

From 3e61484c38ab472c9b99750a7a176a3bba59148f Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Sat, 8 Apr 2023 10:38:19 +0200
Subject: [PATCH 3/7] add long default profile

---
 scan-profiles/default-scan-long.emba | 36 ++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 scan-profiles/default-scan-long.emba

diff --git a/scan-profiles/default-scan-long.emba b/scan-profiles/default-scan-long.emba
new file mode 100644
index 000000000..5b2a5d51a
--- /dev/null
+++ b/scan-profiles/default-scan-long.emba
@@ -0,0 +1,36 @@
+# EMBA - EMBEDDED LINUX ANALYZER
+#
+# Copyright 2020-2023 Siemens Energy AG
+# Copyright 2020-2023 Siemens AG
+#
+# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+# EMBA is licensed under GPLv3
+#
+# Author(s): Michael Messner, Pascal Eckmann
+#
+# Description: This is a default EMBA profile. You can Use it as a template for your own profiles
+#              or start emba with "-p default-scan.emba" to use it
+
+export FORMAT_LOG=1
+export THREADED=1
+export SHORT_PATH=1
+export HTML=1
+export QEMULATION=1
+
+# we output the profile only at the beginning - outside the docker environment
+if [[ $IN_DOCKER -ne 1 ]] ; then
+  print_output "$(indent "$(orange "Adds ANSI color codes to log")")" "no_log"
+  print_output "$(indent "$(orange "Activate multi threading (destroys regular console output)")")" "no_log"
+  print_output "$(indent "$(orange "Prints only relative paths")")" "no_log"
+  print_output "$(indent "$(orange "Activates web report creation in log path")")" "no_log"
+  if [[ "$USE_DOCKER" -ne 1 ]]; then
+    print_output "$(indent "$(orange "Enables automated qemu emulation tests (WARNING this module could harm your host!)")")" "no_log"
+  else
+    print_output "$(indent "$(orange "Enables automated qemu emulation tests")")" "no_log"
+  fi
+  print_output "$(indent "$(orange "Runs EMBA in docker container")")" "no_log"
+  export USE_DOCKER=1
+fi
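Review bot: The header comment of the new file still tells the user to start EMBA with `-p default-scan.emba`, which is the other profile; in this file it should read `-p default-scan-long.emba`. The description also does not say how this profile differs from default-scan.emba — from the hunks visible on this page the difference appears to be that default-scan.emba now sets MODULE_BLACKLIST and this one does not, so every module runs — and a line such as `# Description: Default EMBA profile without a module blacklist: all modules run, so the scan takes longer` would let a reader choose between the two without diffing them. `You can Use` should be `You can use`.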
From 12dda6efc1b79a48406537d7c87556a3065f0b2f Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Sat, 8 Apr 2023 16:42:14 +0200
Subject: [PATCH 4/7] running modules helper

---
 helpers/running_modules.sh | 44 ++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
 create mode 100755 helpers/running_modules.sh

diff --git a/helpers/running_modules.sh b/helpers/running_modules.sh
new file mode 100755
index 000000000..b0570ab3e
--- /dev/null
+++ b/helpers/running_modules.sh
@@ -0,0 +1,44 @@
+#!/bin/bash -p
+# see: https://developer.apple.com/library/archive/documentation/OpenSource/Conceptual/ShellScripting/ShellScriptSecurity/ShellScriptSecurity.html#//apple_ref/doc/uid/TP40004268-CH8-SW29
+
+# EMBA - EMBEDDED LINUX ANALYZER
+#
+# Copyright 2020-2023 Siemens Energy AG
+#
+# EMBA comes with ABSOLUTELY NO WARRANTY. This is free software, and you are
+# welcome to redistribute it under the terms of the GNU General Public License.
+# See LICENSE file for usage of this software.
+#
+# EMBA is licensed under GPLv3
+#
+# Author(s): Michael Messner
+
+# Description: EMBA helper script to identify currently running EMBA modules
+#              start it with "watch". E.g.,
+#              watch -c ./helpers/running_modules.sh ~/firmware-stuff/emba_logs_dir300_new_bins
+
+
+export GREEN="\033[0;32m"
+export ORANGE="\033[0;33m"
+export NC="\033[0m" # no color
+
+if [[ $# -eq 0 ]]; then
+  echo -e "\\n""${ORANGE}""In order to be able to use EMBAbite, you have to specify at least an EMBA firmware log directory${NC}"
+  exit 1
+fi
+
+EMBA_LOG_DIR="${1:-}"
+EMBA_LOG_FILE="${EMBA_LOG_DIR}""/emba.log"
+if ! [[ -f "${EMBA_LOG_FILE}" ]]; then
+  echo -e "\\n""${ORANGE}""No valid EMBA firmware log directory found.${NC}"
+  exit 1
+fi
+
+
+mapfile -t STARTED_EMBA_PROCESSES < <(grep starting "${EMBA_LOG_FILE}" | awk '{print $9}'|| true)
+
+for EMBA_STARTED_PROC in "${STARTED_EMBA_PROCESSES[@]}"; do
+  if ! grep -q "${EMBA_STARTED_PROC}"" finished" "${EMBA_LOG_FILE}"; then
+    echo -e "[*] EMBA module ${GREEN}${EMBA_STARTED_PROC}${NC} currently running"
+  fi
+done

From f784001f76c6e4518be47510fd52fc5d35528b88 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Sat, 8 Apr 2023 16:46:09 +0200
Subject: [PATCH 5/7] wording

---
 helpers/running_modules.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helpers/running_modules.sh b/helpers/running_modules.sh
index b0570ab3e..8bfd4a42d 100755
--- a/helpers/running_modules.sh
+++ b/helpers/running_modules.sh
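Review bot: The module name read back from emba.log is handed to grep as a pattern in the loop at the end of the new file, so it is interpreted as a regular expression and, were it to start with `-`, as an option; a fixed-string match with the end-of-options marker states what is meant: `if ! grep -qF -- "${EMBA_STARTED_PROC} finished" "${EMBA_LOG_FILE}"; then`. The `awk '{print $9}'` extraction depends on the column layout of the "starting" lines in emba.log and, if that layout changes, silently yields empty names that then match any "finished" line; a comment giving the expected line format plus `[[ -n "${EMBA_STARTED_PROC}" ]] || continue` at the top of the loop body would make the assumption visible and harmless. The three `echo -e` calls would be more portable as `printf '%b\n' "..."`, which avoids echo's implementation-specific option handling.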
@@ -23,7 +23,7 @@ export ORANGE="\033[0;33m"
 export NC="\033[0m" # no color
 
 if [[ $# -eq 0 ]]; then
-  echo -e "\\n""${ORANGE}""In order to be able to use EMBAbite, you have to specify at least an EMBA firmware log directory${NC}"
+  echo -e "\\n""${ORANGE}""In order to be able to use this script, you have to specify an EMBA firmware log directory${NC}"
   exit 1
 fi
 

From 7285e59096c8fe6bd9202baa124e70a8aa67481a Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Sat, 8 Apr 2023 16:47:09 +0200
Subject: [PATCH 6/7] format

---
 helpers/running_modules.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/helpers/running_modules.sh b/helpers/running_modules.sh
index 8bfd4a42d..2c3edfbbd 100755
--- a/helpers/running_modules.sh
+++ b/helpers/running_modules.sh
@@ -29,12 +29,12 @@ fi
 
 EMBA_LOG_DIR="${1:-}"
 EMBA_LOG_FILE="${EMBA_LOG_DIR}""/emba.log"
+
 if ! [[ -f "${EMBA_LOG_FILE}" ]]; then
   echo -e "\\n""${ORANGE}""No valid EMBA firmware log directory found.${NC}"
   exit 1
 fi
-
 
 mapfile -t STARTED_EMBA_PROCESSES < <(grep starting "${EMBA_LOG_FILE}" | awk '{print $9}'|| true)
 
 for EMBA_STARTED_PROC in "${STARTED_EMBA_PROCESSES[@]}"; do

From 0cd4cdf79b4f064c5df51a47a061aacffb81c246 Mon Sep 17 00:00:00 2001
From: m-1-k-3
Date: Sun, 9 Apr 2023 18:45:41 +0200
Subject: [PATCH 7/7] semgrep in s22

---
 modules/S22_php_check.sh | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/modules/S22_php_check.sh b/modules/S22_php_check.sh
index bf9a69a30..13b7a33c9 100755
--- a/modules/S22_php_check.sh
+++ b/modules/S22_php_check.sh
@@ -34,6 +34,8 @@ S22_php_check()
   mapfile -t PHP_SCRIPTS < <( find "$FIRMWARE_PATH" -xdev -type f -iname "*.php" -exec md5sum {} \; 2>/dev/null | sort -u -k1,1 | cut -d\  -f3 )
 
   s22_vuln_check_caller "${PHP_SCRIPTS[@]}"
+  s22_vuln_check_semgrep "${PHP_SCRIPTS[@]}"
+
   s22_check_php_ini
   s22_phpinfo_check "${PHP_SCRIPTS[@]}"
 
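Review bot: The new call in the S22_php_check hunk passes `"${PHP_SCRIPTS[@]}"` to s22_vuln_check_semgrep, but the function (added in the next hunk) never reads its positional parameters and runs semgrep over `"$LOG_DIR"/firmware/` as a whole, so the script list gathered from `"$FIRMWARE_PATH"` two lines above is not what gets scanned. Either drop the arguments, `s22_vuln_check_semgrep`, or make the function scan the paths it is given, so the two reports cover the same set of files. Whether `"$LOG_DIR"/firmware/` is always the same tree as `"$FIRMWARE_PATH"` is not visible on this page and deserves a comment at the call site either way. S22_php_check begins outside the hunk.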
@@ -62,6 +64,33 @@ s22_phpinfo_check() {
   print_ln
 }
 
+s22_vuln_check_semgrep() {
+  sub_module_title "PHP script vulnerabilities - semgrep"
+  local PHP_SEMGREP_LOG="$LOG_PATH_MODULE"/semgrep_php_results.log
+  local S22_SEMGREP_VULNS=0
+
+  semgrep --disable-version-check --config "$EXT_DIR"/semgrep-rules/php "$LOG_DIR"/firmware/ > "$PHP_SEMGREP_LOG" 2>&1 || true
+
+  if [[ -f "$PHP_SEMGREP_LOG" ]]; then
+    S22_SEMGREP_ISSUES=$(grep "\ findings\." "$PHP_SEMGREP_LOG" | cut -d: -f2 | awk '{print $1}' || true)
+    S22_SEMGREP_VULNS=$(grep -c "semgrep-rules.php.lang.security" "$PHP_SEMGREP_LOG" || true)
+    S22_SEMGREP_SCRIPTS=$(grep "\ findings\." "$PHP_SEMGREP_LOG" | awk '{print $5}' || true)
+    print_ln
+
+    sub_module_title "Summary of php issues (semgrep)"
+    if [[ "$S22_SEMGREP_VULNS" -gt 0 ]]; then
+      print_output "[+] Found ""$ORANGE""$S22_SEMGREP_ISSUES"" issues""$GREEN"" (""$ORANGE""$S22_SEMGREP_VULNS"" vulnerabilites${GREEN}) in ""$ORANGE""$S22_SEMGREP_SCRIPTS""$GREEN"" php files""$NC" "" "$PHP_SEMGREP_LOG"
+    elif [[ "$S22_SEMGREP_ISSUES" -gt 0 ]]; then
+      print_output "[+] Found ""$ORANGE""$S22_SEMGREP_ISSUES"" issues""$GREEN"" in ""$ORANGE""$S22_SEMGREP_SCRIPTS""$GREEN"" php files""$NC" "" "$PHP_SEMGREP_LOG"
+    fi
+    # highlight security findings in semgrep log:
+    sed -i -r "s/.*external\.semgrep-rules\.php\.lang\.security.*/\x1b[32m&\x1b[0m/" "$PHP_SEMGREP_LOG"
+  fi
+
+  write_log ""
+  write_log "[*] Statistics1:$S22_SEMGREP_ISSUES:$S22_SEMGREP_SCRIPTS"
+}
+
 s22_vuln_check_caller() {
   sub_module_title "PHP script vulnerabilities"
   write_csv_log "Script path" "PHP issues detected" "common linux file"
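Review bot: A missing or failing semgrep binary goes unnoticed in s22_vuln_check_semgrep: the `|| true` on the semgrep line discards its exit status, the redirect creates the log file in every case, so the `[[ -f "$PHP_SEMGREP_LOG" ]]` test always passes, and the module then prints no finding and still writes its Statistics line — a vulnerability scan that silently did not run. Put `if ! command -v semgrep > /dev/null; then print_output "[-] semgrep not available - skipping PHP semgrep check"; return; fi` in front of the semgrep call (or at least verify that the log contains the `findings.` summary line before trusting the empty result). S22_SEMGREP_ISSUES and S22_SEMGREP_SCRIPTS are assigned without `local` although S22_SEMGREP_VULNS has it, so they leak into the global scope and are empty in the `-gt 0` tests and in write_log when no summary line exists; declare them `local S22_SEMGREP_ISSUES=0` and `local S22_SEMGREP_SCRIPTS=0` next to S22_SEMGREP_VULNS. The pattern `"\ findings\."` relies on GNU grep treating `\ ` as a literal space, which `grep -F " findings."` expresses without the undefined escape, and the first print_output message spells `vulnerabilites` for `vulnerabilities`.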