Encryptor doesn't work with UTF-8 characters

guardicore / monkey

Infection Monkey - An open-source adversary emulation platform

https://www.guardicore.com/infectionmonkey/

GNU General Public License v3.0

6.67k stars 785 forks source link

Encryptor doesn't work with UTF-8 characters #1490

Closed VakarisZ closed 3 years ago

VakarisZ commented 3 years ago

Describe the bug

Datastore encryptor breaks when a UTF-8 character is encountered:

This is an important bug, because gathered credentials might contain unicode characters, user can't submit common passwords, for e.g. "slaptažodis" means password in Lithuanian and might be common in Lithuanian networks:

Tasks

[x] We should write unit tests that reproduce the issue and then swap out the padding functions with functions from Crypto.Util.Padding. (0d) - @shreyamalviya

mssalvatore commented 3 years ago

This is caused by incorrect assumptions in the padding function.

https://github.com/guardicore/monkey/blob/96c525d6569494d08b1de069e794ae46d63579b2/monkey/monkey_island/cc/server_utils/encryption/key_based_encryptor.py#L40-L47

The padding function uses len(message), but this assumes that all characters are 1 byte. Unicode characters can be more than 1 byte.

This is probably the solution:

We should write unit tests that reproduce the issue and then swap out the padding functions.