From d68bbc771409c62ad46f0db192b92a6a37eb6a6b Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 3 May 2023 12:58:47 -0400
Subject: [PATCH 1/5] Agent: Compile OTPFormatter regex only once

---
 monkey/infection_monkey/main.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/monkey/infection_monkey/main.py b/monkey/infection_monkey/main.py
index c782f93b7cc..2477caba0d1 100644
--- a/monkey/infection_monkey/main.py
+++ b/monkey/infection_monkey/main.py
@@ -32,12 +32,14 @@ class OTPFormatter(logging.Formatter):
     Formatter that replaces OTPs in log messages with asterisks
     """
 
-    def format(self, record):
-        otp_regex = re.compile(f"{AGENT_OTP_ENVIRONMENT_VARIABLE}=[a-zA-Z0-9]*")
-        otp_replacement = f"{AGENT_OTP_ENVIRONMENT_VARIABLE}={'*' * 6}"
+    OTP_REGEX = re.compile(f"{AGENT_OTP_ENVIRONMENT_VARIABLE}=[a-zA-Z0-9]*")
+    OTP_REPLACEMENT = f"{AGENT_OTP_ENVIRONMENT_VARIABLE}={'*' * 6}"
 
+    def format(self, record):
         original_log_message = logging.Formatter.format(self, record)
-        formatted_log_message = re.sub(otp_regex, otp_replacement, original_log_message)
+        formatted_log_message = re.sub(
+            OTPFormatter.OTP_REGEX, OTPFormatter.OTP_REPLACEMENT, original_log_message
+        )
 
         return formatted_log_message
 

From b77f2fc6797437927f1e2719ff435a252d7cbd3e Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 3 May 2023 13:11:34 -0400
Subject: [PATCH 2/5] Agent: Improve OTPFormatter's regex

---
 monkey/infection_monkey/main.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/monkey/infection_monkey/main.py b/monkey/infection_monkey/main.py
index 2477caba0d1..9cf58b505d3 100644
--- a/monkey/infection_monkey/main.py
+++ b/monkey/infection_monkey/main.py
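Review bot: `OTP_REGEX` is now a compiled pattern, yet the new `re.sub(OTPFormatter.OTP_REGEX, OTPFormatter.OTP_REPLACEMENT, original_log_message)` call still routes it through the module-level function, which only works because `re` special-cases pattern objects; calling the pattern directly is shorter and removes the wrapped three-line call: `formatted_log_message = OTPFormatter.OTP_REGEX.sub(OTPFormatter.OTP_REPLACEMENT, original_log_message)`. `AGENT_OTP_ENVIRONMENT_VARIABLE` is interpolated into the pattern unescaped, which is fine while it is a plain identifier (it presumably is), but wrapping it in `re.escape(...)` would keep the redaction correct if the constant ever changes. `format` has no docstring; a one-liner such as `"""Format the record, then mask any OTP value that appears in the message."""` would make the redaction contract explicit.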
@@ -32,7 +32,7 @@ class OTPFormatter(logging.Formatter):
     Formatter that replaces OTPs in log messages with asterisks
     """
 
-    OTP_REGEX = re.compile(f"{AGENT_OTP_ENVIRONMENT_VARIABLE}=[a-zA-Z0-9]*")
+    OTP_REGEX = re.compile(f"{AGENT_OTP_ENVIRONMENT_VARIABLE}=\\S+[\\s;]+")
     OTP_REPLACEMENT = f"{AGENT_OTP_ENVIRONMENT_VARIABLE}={'*' * 6}"
 
     def format(self, record):

From 7d97e6b112260424a42c4924e05900caf4fdfa94 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 3 May 2023 13:24:50 -0400
Subject: [PATCH 3/5] Hadoop: Sanitize OTP from payload before logging

---
 .../hadoop/src/hadoop_exploit_client.py | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/monkey/agent_plugins/exploiters/hadoop/src/hadoop_exploit_client.py b/monkey/agent_plugins/exploiters/hadoop/src/hadoop_exploit_client.py
index 76e149ff57f..4a42dff22e1 100644
--- a/monkey/agent_plugins/exploiters/hadoop/src/hadoop_exploit_client.py
+++ b/monkey/agent_plugins/exploiters/hadoop/src/hadoop_exploit_client.py
@@ -2,10 +2,11 @@
 import logging
 import posixpath
 import string
+from copy import deepcopy
 from http import HTTPStatus
 from pprint import pformat
 from time import time
-from typing import Mapping, Tuple
+from typing import Any, Mapping, Tuple
 
 import requests
 
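Review bot: The new pattern `\\S+[\\s;]+` only matches when the OTP value is followed by at least one whitespace or `;` character, so a message that ends immediately after the value is left unredacted, which defeats the purpose of the formatter. A negated class stops at the separator without requiring one and also matches at end of string: `OTP_REGEX = re.compile(f"{AGENT_OTP_ENVIRONMENT_VARIABLE}=[^\\s;]+")`; it additionally leaves the separator in the output rather than swallowing it, and greedy `\\S+` no longer consumes a `;`-joined following token before finding its separator. A unit test with the OTP at the very end of the message, and one with `;` directly after it, would pin both cases.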
@@ -155,10 +156,22 @@ def _build_payload(
             "max-app-attempts": 1,
             "application-type": "YARN",
         }
-        logger.debug(f"Hadoop exploit payload: {pformat(payload)}")
+        HadoopExploitClient._log_payload(payload)
 
         return payload
 
+    @staticmethod
+    def _log_payload(payload: Mapping[str, Any]):
+        sanitized_payload = HadoopExploitClient._sanitize_payload(payload)
+        logger.debug(f"Hadoop exploit payload: {pformat(sanitized_payload)}")
+
+    @staticmethod
+    def _sanitize_payload(payload: Mapping[str, Any]) -> Mapping[str, Any]:
+        sanitized_payload = deepcopy(payload)
+        sanitized_payload["am-container-spec"]["commands"]["command"] = ""
+
+        return sanitized_payload
+
     @staticmethod
     def _send_exploit_payload(
         url: str, payload: Mapping[str, str], timeout: int

From 9d34a6acc5395c15078c71384e921e03971a0314 Mon Sep 17 00:00:00 2001
From: Mike Salvatore
Date: Wed, 3 May 2023 13:28:27 -0400
Subject: [PATCH 4/5] Hadoop: Fix formatting of payload logging

---
 .../exploiters/hadoop/src/hadoop_exploit_client.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/monkey/agent_plugins/exploiters/hadoop/src/hadoop_exploit_client.py b/monkey/agent_plugins/exploiters/hadoop/src/hadoop_exploit_client.py
index 4a42dff22e1..7282ca035e3 100644
--- a/monkey/agent_plugins/exploiters/hadoop/src/hadoop_exploit_client.py
+++ b/monkey/agent_plugins/exploiters/hadoop/src/hadoop_exploit_client.py
@@ -163,7 +163,7 @@ def _build_payload(
     @staticmethod
     def _log_payload(payload: Mapping[str, Any]):
         sanitized_payload = HadoopExploitClient._sanitize_payload(payload)
-        logger.debug(f"Hadoop exploit payload: {pformat(sanitized_payload)}")
+        logger.debug(f"Hadoop exploit payload:\n{pformat(sanitized_payload)}")
 
     @staticmethod
     def _sanitize_payload(payload: Mapping[str, Any]) -> Mapping[str, Any]:

From 87b90a92f160527dcdbba469c490cc13ec2a3071 Mon Sep 17 00:00:00 2001
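Review bot: `_sanitize_payload` item-assigns into a value annotated as `Mapping[str, Any]`, the read-only protocol, so a type checker will reject the `sanitized_payload["am-container-spec"]["commands"]["command"] = ""` line, and the return annotation promises less than the `dict` that `deepcopy` of the payload built in `_build_payload` actually yields. Annotating the parameter and return as `Dict[str, Any]` (adding `Dict` to the `typing` import changed earlier in this patch) or `MutableMapping` matches what the code does. Overwriting the command with `""` also makes the logged payload indistinguishable from a genuinely empty command; a marker such as `"<redacted>"` keeps the debug output honest without re-exposing the value the commit subject says it is scrubbing. Both helpers are private and undocumented; a one-line docstring on `_log_payload` stating that it logs only a redacted copy of the payload would tell the next maintainer why the extra indirection exists, and note that `_build_payload` starts before the hunk.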
From: Mike Salvatore
Date: Wed, 3 May 2023 13:34:54 -0400
Subject: [PATCH 5/5] Changelog: Add an entry for #3296

---
 CHANGELOG.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9f5c3f617b7..229dafa1daf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,9 @@ Changelog](https://keepachangelog.com/en/1.0.0/).
 - Plugins are now being checked for local OS compatibility. #3275
 - A bug that could prevent multi-hop propagation via SMB. #3173
 
+### Security
+- Fixes a bug where OTPs can be leaked by the hadoop exploiter. #3296
+
 ## [2.1.0] - 2023-04-19
 ### Added
 - Logout button. #3063