Merge branch '3296-fix-hadoop-otp-leak' into develop

Issue #3296 PR #3298
guardicore · May 3, 2023 · ff4aad2 · ff4aad2
2 parents 452cac1 + 87b90a9
commit ff4aad2
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -20,6 +20,9 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 - Plugins are now being checked for local OS compatibility. #3275
 - A bug that could prevent multi-hop propagation via SMB. #3173
 
+### Security
+- Fixes a bug where OTPs can be leaked by the hadoop exploiter. #3296
+
 ## [2.1.0] - 2023-04-19
 ### Added
 - Logout button. #3063

diff --git a/monkey/agent_plugins/exploiters/hadoop/src/hadoop_exploit_client.py b/monkey/agent_plugins/exploiters/hadoop/src/hadoop_exploit_client.py
@@ -2,10 +2,11 @@
 import logging
 import posixpath
 import string
+from copy import deepcopy
 from http import HTTPStatus
 from pprint import pformat
 from time import time
-from typing import Mapping, Tuple
+from typing import Any, Mapping, Tuple
 
 import requests
 
@@ -155,10 +156,22 @@ def _build_payload(
             "max-app-attempts": 1,
             "application-type": "YARN",
         }
-        logger.debug(f"Hadoop exploit payload: {pformat(payload)}")
+        HadoopExploitClient._log_payload(payload)
 
         return payload
 
+    @staticmethod
+    def _log_payload(payload: Mapping[str, Any]):
+        sanitized_payload = HadoopExploitClient._sanitize_payload(payload)
+        logger.debug(f"Hadoop exploit payload:\n{pformat(sanitized_payload)}")
+
+    @staticmethod
+    def _sanitize_payload(payload: Mapping[str, Any]) -> Mapping[str, Any]:
+        sanitized_payload = deepcopy(payload)
+        sanitized_payload["am-container-spec"]["commands"]["command"] = "<REDACTED>"
+
+        return sanitized_payload
+
     @staticmethod
     def _send_exploit_payload(
         url: str, payload: Mapping[str, str], timeout: int

diff --git a/monkey/infection_monkey/main.py b/monkey/infection_monkey/main.py
@@ -32,12 +32,14 @@ class OTPFormatter(logging.Formatter):
     Formatter that replaces OTPs in log messages with asterisks
     """
 
-    def format(self, record):
-        otp_regex = re.compile(f"{AGENT_OTP_ENVIRONMENT_VARIABLE}=[a-zA-Z0-9]*")
-        otp_replacement = f"{AGENT_OTP_ENVIRONMENT_VARIABLE}={'*' * 6}"
+    OTP_REGEX = re.compile(f"{AGENT_OTP_ENVIRONMENT_VARIABLE}=\\S+[\\s;]+")
+    OTP_REPLACEMENT = f"{AGENT_OTP_ENVIRONMENT_VARIABLE}={'*' * 6}"
 
+    def format(self, record):
         original_log_message = logging.Formatter.format(self, record)
-        formatted_log_message = re.sub(otp_regex, otp_replacement, original_log_message)
+        formatted_log_message = re.sub(
+            OTPFormatter.OTP_REGEX, OTPFormatter.OTP_REPLACEMENT, original_log_message
+        )
 
         return formatted_log_message