
Alternative format for threat lib for better readability and editing #237

raphaelahrens opened this issue Mar 29, 2024 · 5 comments

raphaelahrens (Contributor) commented Mar 29, 2024

So I looked through the threats recently and again and again I find it difficult to read through the JSON document.

What bothers me the most is the combination of text in details, mitigation, and example with the metadata like id, condition, severity and target.

It makes the text hard to read and the metadata difficult to find.

Now I had the idea to have a markdown file for each threat in the style of pandoc with the yaml_metadata_extension.

The result could look similar to this

```markdown
---
id: INP01
condition: target.usesEnvironmentVariables is True and target.controls.sanitizesInput is False and target.controls.checksInputBounds is False
severity: High
target: (<class 'pytm.pytm.Lambda'>, <class 'pytm.pytm.Process'>)
---

# Buffer Overflow via Environment Variables

This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.

## Example

Attack Example: Buffer Overflow in `$HOME` A buffer overflow in sccw allows local users to gain root access via the `$HOME` environmental variable. Attack Example: Buffer Overflow in TERM A buffer overflow in the rlogin program involves its consumption of the TERM environmental variable.

## Mitigations

Do not expose environment variable to the user. Do not use untrusted data in your environment variables. Use a language or compiler that performs automatic bounds checking. There are tools such as Sharefuzz [R.10.3] which is an environment variable fuzzer for Unix that support loading a shared library. You can use Sharefuzz to determine if you are exposing an environment variable vulnerable to buffer overflow.

## References

- https://capec.mitre.org/data/definitions/10.html
- CVE-1999-0906
- CVE-1999-0046
- http://cwe.mitre.org/data/definitions/120.html
- http://cwe.mitre.org/data/definitions/119.html
- http://cwe.mitre.org/data/definitions/680.html
```

Of course this file would not be parseable by pytm with the restriction that it should only depend on the Python stdlib.
But what could be done is that the threats are stored in markdown files from which the threatlib.json could be generated.

What do you think about this idea?
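As an added illustration of the generation step proposed above (this is example code, not part of pytm or of the threatmd prototype), the following stdlib-only script turns a threat file in the proposed markdown-plus-front-matter layout into a threatlib.json entry. Assumptions: only the `key: value` subset of YAML is parsed (no PyYAML, to respect the stdlib-only restriction); `target` is written as a comma-separated list of class names rather than the tuple repr shown in the proposal; the output keys (`SID`, `description`, `details`, `mitigations`, `example`, `references`) are assumed to match threats.json. The sample threat text is constructed for the example. Inline code such as `$HOME` is carried through verbatim, which is what keeps `$` from being read as TeX math later in the report pipeline.

```python
import json

# Constructed sample in the proposed format (abridged from the INP01 example in the issue).
SAMPLE_THREAT_MD = """---
id: INP01
condition: target.usesEnvironmentVariables is True and target.controls.sanitizesInput is False and target.controls.checksInputBounds is False
severity: High
target: Lambda, Process
---

# Buffer Overflow via Environment Variables

This attack pattern involves causing a buffer overflow through manipulation of environment variables.

## Example

A buffer overflow in sccw allows local users to gain root access via the `$HOME` environmental variable.

## Mitigations

Do not expose environment variables to the user. Use a language or compiler that performs automatic bounds checking.

## References

- https://capec.mitre.org/data/definitions/10.html
- CVE-1999-0906
"""


def parse_front_matter(text):
    """Split a document into (metadata dict, markdown body).

    Only the flat 'key: value' subset of YAML is handled, deliberately, so that
    the generator needs nothing outside the Python standard library (assumption:
    threat metadata never needs nested YAML).
    """
    if not text.startswith("---\n"):
        raise ValueError("missing YAML front matter")
    end = text.find("\n---\n", 4)
    if end == -1:
        raise ValueError("unterminated front matter")
    meta = {}
    for line in text[4:end].splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, sep, value = line.partition(":")  # first colon only: conditions contain no ':'
        if not sep:
            raise ValueError(f"bad metadata line: {line!r}")
        meta[key.strip()] = value.strip()
    return meta, text[end + len("\n---\n"):]


def parse_sections(body):
    """Return (title, {section name: text}) from the markdown body.

    The single '# ' heading is the threat description; each '## ' heading opens a
    section; prose before the first '## ' becomes the 'details' field.
    """
    title = None
    sections = {}
    current = "details"
    buf = []
    for line in body.splitlines():
        if line.startswith("# ") and title is None:
            title = line[2:].strip()
        elif line.startswith("## "):
            sections[current] = "\n".join(buf).strip()
            current = line[3:].strip().lower()
            buf = []
        else:
            buf.append(line)  # markdown (including `code spans`) is kept verbatim
    sections[current] = "\n".join(buf).strip()
    return title, sections


def threat_from_markdown(text):
    """Build one threatlib.json-style record from a markdown threat file."""
    meta, body = parse_front_matter(text)
    title, sections = parse_sections(body)
    refs = [l[1:].strip() for l in sections.get("references", "").splitlines() if l.startswith("-")]
    return {
        "SID": meta["id"],
        "target": [t.strip() for t in meta["target"].split(",")],
        "description": title,
        "details": sections.get("details", ""),
        "severity": meta.get("severity", ""),
        "condition": meta["condition"],
        "mitigations": sections.get("mitigations", ""),
        "example": sections.get("example", ""),
        "references": ", ".join(refs),
    }


def threatlib_json(markdown_docs):
    """Serialise a list of markdown threat files into a threatlib.json document."""
    return json.dumps([threat_from_markdown(d) for d in markdown_docs], indent=3)


if __name__ == "__main__":
    print(threatlib_json([SAMPLE_THREAT_MD]))
```

The reverse direction (threats.json back to markdown) is the same mapping applied in reverse; the commit referenced below this comment notes that a round trip is only lossless if every threats.json property, including `prerequisites` and `Likelihood Of Attack`, has a home in the markdown layout.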

raphaelahrens added a commit to raphaelahrens/pytm that referenced this issue Apr 12, 2024
In threats.json the two properties ("prerequisites", "Likelihood Of Attack") are defined, but are not used in the
rest of pytm.

This commit adds the two properties to the Threat class, so they can be
used by other parts of pytm.

For me this was relevant, since I started to experiment with a different
format for threats mentioned in OWASP#237 .
And after exporting threat.json to a markdown format and back into
threat.json these two fields were missing.
raphaelahrens (Contributor, Author) commented

Another advantage of this approach would be that code elements in the threats could be marked as code and will not interfere with the formatting in the report.

An example of this is in SC04, which includes examples of jjencode

```js
($=[$=[]][(__=!$+$)[_=-~-~-~$]+({}+$)[_/_]+($$=($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+$$](_/_)
```

and a bypass via the window

```js
this['al' + 'ert'](1)
```

When running

```sh
python3 tm.py --report docs/basic_template.md | pandoc > /dev/null
```

we get the error

```
[WARNING] Could not convert TeX math =($_=!&#x27;&#x27;+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+, rendering as TeX:
  =($_=!&#x27;&#x27;+$)[_/_]+$_[+$])])()[_
    ^
  unexpected '$'
  expecting "\\bangle", "\\brace", "\\brack", "\\choose", "\\displaystyle", "\\textstyle", "\\scriptstyle", "\\scriptscriptstyle", "{", "\\operatorname", letter, digit, ".",
 "!", "'", "''", "'''", "''''", "*", "+", ",", "-", ".", "/", ":", ":=", ";", "<", "=", ">", "?", "@", "~", "_", "^", "\\left", "\\", "\\hyperref" or end of input
```

for the first line, but `this['al' + 'ert'](1)` turned into

```html
<a href="1">'al' + 'ert'</a>
```

raphaelahrens (Contributor, Author) commented May 7, 2024

I have implemented a prototype

https://github.com/raphaelahrens/threatmd

pentestguy commented

Do you know if this issue is going to be fixed? Because I am also facing the same issue.

raphaelahrens (Contributor, Author) commented

@pentestguy what issue do you mean?

pentestguy commented

The same issue is below:

```
[WARNING] Could not convert TeX math =($_=!''+$)[_/_]+$_[+$])])()[__[_/_]+__[_+~$]+$_[_]+, rendering as TeX:
  =($_=!''+$)[_/_]+$_[+$])])()[_
    ^
  unexpected '$'
  expecting "\\bangle", "\\brace", "\\brack", "\\choose", "\\displaystyle", "\\textstyle", "\\scriptstyle", "\\scriptscriptstyle", "{", "\\operatorname", letter, digit, ".",
 "!", "'", "''", "'''", "''''", "*", "+", ",", "-", ".", "/", ":", ":=", ";", "<", "=", ">", "?", "@", "~", "_", "^", "\\left", "\\", "\\hyperref" or end of input
```
