add crypto-bad-cipher detection
lostsnow committed Jan 10, 2022
1 parent b91ca83 commit 61bca52
Showing 4 changed files with 172 additions and 2 deletions.
25 changes: 23 additions & 2 deletions dongtai_agent_python/policy/tracking.py
Expand Up @@ -90,8 +90,15 @@ def apply(self, args, kwargs, target):
source_ids = recurse_tracking(source, self.node_type)

if self.node_type != const.NODE_TYPE_SOURCE:
# if len([item for item in source_ids if item in self.context.taint_ids]) == 0:
if len(list(set(self.context.taint_ids) & set(source_ids))) == 0:
if self.signature in const.CRYPTO_BAD_CIPHER_NEW:
pass
elif (self.signature.startswith('Crypto.Cipher._mode_') or
self.signature.startswith('Cryptodome.Cipher._mode_')) and \
self.signature.endswith('Mode.encrypt'):
for sid in source_ids:
if sid not in self.context.taint_ids:
return
elif len(list(set(self.context.taint_ids) & set(source_ids))) == 0:
return

self.get_caller(-4)
Expand Down Expand Up @@ -148,6 +155,20 @@ def processing_invoke_args(signature=None, come_args=None, come_kwargs=None):
'pymongo.collection.Collection.find': {'args': [1], 'kwargs': ['filter']},
'ldap3.core.connection.Connection.search': {'args': [2], 'kwargs': ['search_filter']},
'ldap.ldapobject.SimpleLDAPObject.search_ext': {'args': [3], 'kwargs': ['filterstr']},
'Crypto.Cipher._mode_cbc.CbcMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
'Crypto.Cipher._mode_cfb.CfbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
'Crypto.Cipher._mode_ctr.CtrMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
'Crypto.Cipher._mode_eax.EaxMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
'Crypto.Cipher._mode_ecb.EcbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
'Crypto.Cipher._mode_ofb.OfbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
'Crypto.Cipher._mode_openpgp.OpenPgpMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
'Cryptodome.Cipher._mode_cbc.CbcMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
'Cryptodome.Cipher._mode_cfb.CfbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
'Cryptodome.Cipher._mode_ctr.CtrMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
'Cryptodome.Cipher._mode_eax.EaxMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
'Cryptodome.Cipher._mode_ecb.EcbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
'Cryptodome.Cipher._mode_ofb.OfbMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
'Cryptodome.Cipher._mode_openpgp.OpenPgpMode.encrypt': {'args': [0, 1], 'kwargs': ['plaintext']},
}

context = CONTEXT_TRACKER.current()
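Review bot: The new `elif` branch for `Mode.encrypt` lets an empty `source_ids` through: the `for sid in source_ids` loop is vacuously satisfied and execution falls into the report path, whereas the replaced intersection check returned in that case, so the sink could now be reported with no tainted source at all. A guard such as `if not source_ids or any(sid not in self.context.taint_ids for sid in source_ids):` / `    return` restores the old guarantee and reads as the "all sources tainted" rule the loop is encoding; if `taint_ids` is a list, binding `taints = set(self.context.taint_ids)` once before the loop also keeps the set semantics the removed line had. The `startswith`/`endswith` test matches the mode classes AES shares with DES and Blowfish, so the bad-cipher verdict rests entirely on the cipher object at index 0 having been tainted by one of the `CRYPTO_BAD_CIPHER_NEW` constructors that the `pass` branch lets through unconditionally, and that contract deserves a line in the code, e.g. `# shared mode class: report only when both the cipher object (from a bad-cipher .new) and the plaintext are tainted`. `apply` begins before this hunk and continues past it.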
133 changes: 133 additions & 0 deletions dongtai_agent_python/policy_api.json
Expand Up @@ -296,6 +296,111 @@
}
]
},
{
"type": 4,
"enable": 1,
"value": "crypto-bad-cipher",
"details": [
{
"source": "P1,2,plaintext",
"track": "true",
"target": "",
"value": "Crypto.Cipher._mode_cbc.CbcMode.encrypt",
"inherit": "false"
},
{
"source": "P1,2,plaintext",
"track": "true",
"target": "",
"value": "Crypto.Cipher._mode_cfb.CfbMode.encrypt",
"inherit": "false"
},
{
"source": "P1,2,plaintext",
"track": "true",
"target": "",
"value": "Crypto.Cipher._mode_ctr.CtrMode.encrypt",
"inherit": "false"
},
{
"source": "P1,2,plaintext",
"track": "true",
"target": "",
"value": "Crypto.Cipher._mode_eax.EaxMode.encrypt",
"inherit": "false"
},
{
"source": "P1,2,plaintext",
"track": "true",
"target": "",
"value": "Crypto.Cipher._mode_ecb.EcbMode.encrypt",
"inherit": "false"
},
{
"source": "P1,2,plaintext",
"track": "true",
"target": "",
"value": "Crypto.Cipher._mode_ofb.OfbMode.encrypt",
"inherit": "false"
},
{
"source": "P1,2,plaintext",
"track": "true",
"target": "",
"value": "Crypto.Cipher._mode_openpgp.OpenPgpMode.encrypt",
"inherit": "false"
},
{
"source": "P1,2,plaintext",
"track": "true",
"target": "",
"value": "Cryptodome.Cipher._mode_cbc.CbcMode.encrypt",
"inherit": "false"
},
{
"source": "P1,2,plaintext",
"track": "true",
"target": "",
"value": "Cryptodome.Cipher._mode_cfb.CfbMode.encrypt",
"inherit": "false"
},
{
"source": "P1,2,plaintext",
"track": "true",
"target": "",
"value": "Cryptodome.Cipher._mode_ctr.CtrMode.encrypt",
"inherit": "false"
},
{
"source": "P1,2,plaintext",
"track": "true",
"target": "",
"value": "Cryptodome.Cipher._mode_eax.EaxMode.encrypt",
"inherit": "false"
},
{
"source": "P1,2,plaintext",
"track": "true",
"target": "",
"value": "Cryptodome.Cipher._mode_ecb.EcbMode.encrypt",
"inherit": "false"
},
{
"source": "P1,2,plaintext",
"track": "true",
"target": "",
"value": "Cryptodome.Cipher._mode_ofb.OfbMode.encrypt",
"inherit": "false"
},
{
"source": "P1,2,plaintext",
"track": "true",
"target": "",
"value": "Cryptodome.Cipher._mode_openpgp.OpenPgpMode.encrypt",
"inherit": "false"
}
]
},
{
"type": 2,
"enable": 1,
Expand Down Expand Up @@ -713,6 +818,34 @@
"target": "R",
"value": "django.template.base.render_value_in_context",
"inherit": "false"
},
{
"source": "P",
"track": "true",
"target": "R",
"value": "Crypto.Cipher.Blowfish.new",
"inherit": "false"
},
{
"source": "P",
"track": "true",
"target": "R",
"value": "Crypto.Cipher.DES.new",
"inherit": "false"
},
{
"source": "P",
"track": "true",
"target": "R",
"value": "Cryptodome.Cipher.Blowfish.new",
"inherit": "false"
},
{
"source": "P",
"track": "true",
"target": "R",
"value": "Cryptodome.Cipher.DES.new",
"inherit": "false"
}
]
},
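Review bot: The crypto-bad-cipher sink hooks only `encrypt` on each mode class, so decrypting with a DES or Blowfish object (`CbcMode.decrypt` and the other modes) is never reported even though it is the same weak-cipher use; if that scope is intentional it should be stated, otherwise matching `decrypt` entries belong alongside each `encrypt` value. The fourteen `encrypt` signatures and the four `.new` propagators are now spelled out here and again in `tracking.py` and `const.py`, so a mismatch between the files silently disables a detector; consider generating one list from the other, or at least cross-referencing the three sites in a comment where the Python side allows one. The `.new` propagators use `"source": "P"` with `"target": "R"`, which, combined with the `pass` branch in `tracking.py`, appears to mean the returned cipher object is tainted regardless of its inputs; that is presumably the intent, but it is worth confirming that no other propagator can taint an AES object the same way and trigger a false positive.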
7 changes: 7 additions & 0 deletions dongtai_agent_python/setting/const.py
Expand Up @@ -31,6 +31,13 @@
'builtins.bytearray.__init__',
]

CRYPTO_BAD_CIPHER_NEW = [
'Crypto.Cipher.Blowfish.new',
'Crypto.Cipher.DES.new',
'Cryptodome.Cipher.Blowfish.new',
'Cryptodome.Cipher.DES.new',
]

RESPONSE_SIGNATURES = [
'django.http.response.HttpResponse.__init__',
]
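Review bot: `CRYPTO_BAD_CIPHER_NEW` carries no comment saying why these four constructors are singled out or how the list is consumed, and the coupling to `tracking.py` is not obvious from here; a header such as `# Constructors of legacy 64-bit-block ciphers (DES: 56-bit key; Blowfish). tracking.py skips the source-taint check for these signatures, and policy_api.json must list the same four as propagators.` would let the next maintainer extend it correctly. The list is only used for membership tests, so a `frozenset` would be the conventional type, though at four entries that is style rather than performance. If the goal is every legacy cipher PyCryptodome still ships, `DES3`, `ARC2`, `ARC4` and `CAST` are the obvious candidates; note that `ARC4`'s `encrypt` lives on `Crypto.Cipher.ARC4.ARC4Cipher` rather than a `_mode_` class, so the prefix check in `tracking.py` would have to grow with it.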
9 changes: 9 additions & 0 deletions dongtai_agent_python/tests/vul-test.sh
Expand Up @@ -120,3 +120,12 @@ if [[ "x${FRAMEWORK}" == "xflask" ]]; then
api_get "demo/ldap3_search" "username=*&password=*"
api_get "demo/ldap3_safe_search" "username=*&password=*"
fi

headline "crypto-bad-cipher"
if [[ "x${FRAMEWORK}" == "xflask" ]]; then
api_get "demo/crypto/aes" "text=content"
api_get "demo/crypto/blowfish" "text=content"
api_get "demo/crypto/des" "text=content"
api_get "demo/cryptox/blowfish" "text=content"
api_get "demo/cryptox/des" "text=content"
fi
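Review bot: The negative case is asymmetric: `demo/crypto/aes` exercises AES under `Crypto`, presumably expected not to be reported, but there is no `demo/cryptox/aes` counterpart, so a false positive on the `Cryptodome` path, whose `_mode_` classes are matched by the same prefix rule in `tracking.py`, would go unnoticed; add `api_get "demo/cryptox/aes" "text=content"`. `api_get` as used here only drives the endpoints, and nothing in this hunk asserts which requests produced a crypto-bad-cipher report, so unless the harness checks that elsewhere the AES call cannot catch a regression. The `cryptox` path segment would read more clearly as `cryptodome`, if that is the package it stands for.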
