
Leaking OTP in Hadoop plugin #3296

Closed
5 tasks
ilija-lazoroski opened this issue May 3, 2023 · 3 comments · Fixed by #3298
Labels: Bug (an error, flaw, misbehavior or failure in the Monkey or Monkey Island), Complexity: Low, Impact: High, Security
Comments

@ilija-lazoroski (Contributor)

ilija-lazoroski commented May 3, 2023

Describe the bug

It seems that we are leaking the OTP in the Hadoop payload logging.

To Reproduce

Steps to reproduce the behavior:

  1. Configure the Monkey with Hadoop plugin
  2. Run the Monkey on any Hadoop machine
  3. Observe logs

Expected behavior

We shouldn't be logging OTP.

Screenshots

image

Machine version (please complete the following information):

  • OS: Windows or Linux

Tasks

  • Fix up logging level in Hadoop plugin
    • Do not forget to rebuild the plugin
  • Fix the regex in OTPFormatter
    • Store the OTP character set in common and use it in OTPFormatter and AuthenticationFacade.generate_otp()
    • Compile regexes as class variables so they don't need to be recompiled for every single log message
@ilija-lazoroski added the Bug (an error, flaw, misbehavior or failure in the Monkey or Monkey Island), Impact: Critical and Complexity: Low labels on May 3, 2023
@ilija-lazoroski added this to the v2.2.0 milestone on May 3, 2023
@shreyamalviya (Contributor)

The regex in OTPFormatter needs to be fixed.

@mssalvatore (Collaborator)

We should also consider modifying the plugin to not leak this in the first place.

@mssalvatore (Collaborator)

The regex in OTPFormatter needs to be fixed.

A few improvements that can be made:

  1. Store the OTP character set somewhere in common so the regex and the generate_otp() function are kept in sync
  2. Compile the regexes once as class variables, instead of every time the format() function is called.

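The two fixes proposed in this thread (a single shared OTP character set, and regexes compiled once as class variables rather than on every format() call), written out as an added example. This is not code from the issue or from the Infection Monkey repository; OTP_ALPHABET, OTP_LENGTH, the key-prefix pattern and the format_with_redaction helper are assumptions made for the example.

```python
# Added example (not Infection Monkey's own code): a log formatter that
# redacts OTPs with a regex compiled once as a class attribute and built from
# the same character set the OTP generator uses, so the two stay in sync.
import logging
import re
import secrets
import string

# Assumed shared definitions (what a "common" module would hold): the OTP
# alphabet and length are the only place either side learns the OTP shape.
OTP_ALPHABET = string.ascii_letters + string.digits + "-_"
OTP_LENGTH = 32


def generate_otp() -> str:
    """Generate an OTP from the shared alphabet (length is an assumption)."""
    return "".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))


class OTPFormatter(logging.Formatter):
    """Mask OTP values in every record before any handler writes them out."""

    REDACTED = "<redacted-otp>"
    # Compiled once at class creation, not on every format() call. The
    # character class is derived from OTP_ALPHABET rather than hand-written.
    _OTP_PATTERN = re.compile(
        # prefix: any key ending in "otp" (otp=, --otp, MONKEY_OTP=) plus up
        # to three separator characters, followed by exactly one OTP
        r"(?P<prefix>\w*otp\b\W{0,3})"
        + f"(?P<otp>[{re.escape(OTP_ALPHABET)}]{{{OTP_LENGTH}}})",
        re.IGNORECASE,
    )

    def format(self, record: logging.LogRecord) -> str:
        # Redact the fully rendered line, so OTPs passed through %-style
        # args (or embedded in exception text) are covered, not only record.msg.
        return self._OTP_PATTERN.sub(
            lambda m: m.group("prefix") + self.REDACTED, super().format(record)
        )


def format_with_redaction(message: str, *args) -> str:
    """Run one message (with optional %-args) through OTPFormatter."""
    record = logging.LogRecord("monkey", logging.DEBUG, __file__, 0, message, args, None)
    return OTPFormatter("%(levelname)s %(message)s").format(record)
```

Because redaction runs on the rendered line, an OTP supplied via logger args (`log.debug("--otp %s", otp)`) is masked just like one embedded directly in the message.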
3 participants