Find and fix sensitive info in mongo #1454

Closed
1 of 3 tasks
VakarisZ opened this issue Sep 6, 2021 · 0 comments · Fixed by #1485
Labels: Bug (An error, flaw, misbehavior or failure in the Monkey or Monkey Island.), Complexity: Medium, Impact: Critical, Security, sp/5


VakarisZ commented Sep 6, 2021

Describe the bug

If a password is used to exploit a machine, it gets stored in the report in plaintext.

To Reproduce

Steps to reproduce the behavior:

  1. Exploit machine with any brute-force exploiter
  2. Generate a report
  3. Check mongodb
  4. The password used for exploit is stored in plaintext

Expected behavior

Use the same mechanism we use for configuration.

Tasks

  • Do a realistic monkey run and audit the database searching for sensitive plaintext information (0d) - @VakarisZ
  • Write a function to encrypt values in a dictionary based on keys specified (0.25d) @VakarisZ
  • Separate the report/telemetry/whatever and the db access with a layer of encryption (0d) @VakarisZ
VakarisZ added the Bug label Sep 6, 2021
VakarisZ changed the title from "Unhashed passwords in report" to "Find and fix sensitive info in mongo" Sep 16, 2021
VakarisZ added the sp/5 label Sep 16, 2021
VakarisZ self-assigned this Sep 17, 2021
VakarisZ mentioned this issue Sep 21, 2021
mssalvatore reopened this Sep 21, 2021
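
The audit task in the issue above (searching the database after a run for plaintext secrets), sketched as an added example that is not part of the original issue or the project's code: it walks documents as they would come out of MongoDB and reports every field that contains a credential known to have been used in the run. The document shapes, field names and the sample credential are constructed assumptions, not Monkey's actual schema.

```python
from __future__ import annotations

from typing import Any, Iterable, Iterator


def iter_strings(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (path, text) for every string or bytes leaf in a nested document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}" if path else str(key))
    elif isinstance(node, (list, tuple)):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, bytes):
        yield path, node.decode("utf-8", errors="replace")
    elif isinstance(node, str):
        yield path, node


def find_plaintext_secrets(documents: Iterable[dict], secrets: Iterable[str]) -> list[tuple[Any, str]]:
    """Return (document _id, field path) for each field containing a known secret."""
    known = [s for s in secrets if s]  # an empty string would match every field
    hits = []
    for doc in documents:
        for path, text in iter_strings(doc):
            if any(secret in text for secret in known):
                hits.append((doc.get("_id"), path))
    return hits


# Constructed sample documents; the field names are assumptions for illustration.
SAMPLE_DOCS = [
    {"_id": 1, "category": "exploit",
     "data": {"attempts": [{"user": "root", "password": "Passw0rd!", "result": True}]}},
    {"_id": 2, "report": {"issues": [{"type": "ssh", "detail": "logged in with root:Passw0rd!"}]}},
    {"_id": 3, "config": {"password": "constructed-ciphertext-placeholder"}},
]
KNOWN_SECRETS = ["Passw0rd!"]  # credentials configured for the test run (constructed)

if __name__ == "__main__":
    for doc_id, path in find_plaintext_secrets(SAMPLE_DOCS, KNOWN_SECRETS):
        print(f"plaintext secret in document {doc_id} at {path}")
```

Matching on the known credential values rather than on field names also catches secrets embedded in free-text fields, such as the report detail string in the second sample document.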
2 participants