j3ssie / osmedeus

A Workflow Engine for Offensive Security
https://osmedeus.org/
MIT License

Osmedeus susceptible to man-in-the-middle attack #250

Closed SkyperTHC closed 1 year ago

SkyperTHC commented 1 year ago

Hi,

Binary packages are downloaded and executed with TLS/SSL-security disabled.

An attacker can forge the package and infiltrate the user during the installation process.

In your installer script:

download() {
    wget --no-check-certificate -q -O $1 $2
    if [ ! -f "$1" ]; then
        wget --no-check-certificate -q -O $1 $2
    fi
}

The function is used further down to download packer from hashicorp.com and later (in install-external-binaries.sh) various packages/binaries from GitHub.

That's not cool to disable certificate check by default :> (any dodgy uplink provider or government can substitute the downloads on the fly with a backdoored one without the user noticing - and what a finding it would be to backdoor security researchers :>>>>> please use proper TLS without disabling certification check on the HTTPS).

This is particularly worrisome because an attacker can easily determine that the download is for osmedeus by looking at the fixed order of multiple downloads / thus the attacker can determine (remotely; by passively observing) that TLS security has been disabled by the osmedeus install script and forge the packet only when osmedeus is doing an install.

Otherwise, great tool. Good work.
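As an added example (not the osmedeus installer's own code and not posted in this thread), here is a hardened form of the download helper quoted above: wget's default certificate verification stays on, plain-http URLs are refused, and the caller additionally supplies the expected SHA-256 of the artifact, so a substituted file is rejected even by an attacker who controls the path. The digest-passing convention and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the osmedeus installer's code: a download helper that keeps
# wget's default certificate verification and pins the artifact's SHA-256.
# Assumption (for illustration): the installer ships the expected digest for each
# artifact alongside the URL, e.g. in a static table in the script.

# verify_sha256 <file> <expected_hex_digest>
# Returns 0 only if the file's SHA-256 equals the expected digest.
verify_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$1" | cut -d' ' -f1)
    else
        actual=$(shasum -a 256 "$1" | cut -d' ' -f1)   # macOS fallback
    fi
    [ "$actual" = "$2" ]
}

# secure_download <dest> <url> <expected_hex_digest>
# Fetches over TLS with the certificate chain checked against the system trust
# store (no --no-check-certificate), then refuses the file on a digest mismatch.
secure_download() {
    dest=$1
    url=$2
    expected=$3
    case "$url" in
        https://*) ;;
        *) echo "refusing non-HTTPS URL: $url" >&2; return 1 ;;
    esac
    # One retry, as in the original helper, but still with verification on.
    if ! wget -q -O "$dest" "$url" && ! wget -q -O "$dest" "$url"; then
        echo "download failed: $url" >&2
        rm -f "$dest"
        return 1
    fi
    if ! verify_sha256 "$dest" "$expected"; then
        echo "SHA-256 mismatch for $dest (possible tampering), removing it" >&2
        rm -f "$dest"
        return 1
    fi
    return 0
}
```

Pinning the digest is what actually closes the gap the reporter describes: TLS verification stops an on-path substitution, and the digest check also catches a compromised or mis-pointed upstream asset, provided the digests themselves arrive with the installer rather than from the same download channel.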

j3ssie commented 1 year ago

Thank you for pointing it out. I just pushed an update for it. To clarify, all the scripts are calling github.com. Therefore, if you are under a MITM attack, it would be impossible to initiate the installation script in the first place.

SkyperTHC commented 1 year ago

> Thank you for pointing it out. I just pushed an update for it. To clarify, all the scripts are calling github.com. Therefore, if you are under a MITM attack, it would be impossible to initiate the installation script in the first place.

Thanks for fixing this.

The attack is possible. Long gone are the days where an attacker either had to 'MITM all or nothing'. It's an easy task for an attacker to separate osmedeus package installs via wget from other installs from GitHub (just by looking at the SNI requests in the TLS and then checking the TLS transfer volume of each connection - osmedeus downloads around 20+ different packages in rapid succession from GitHub - each of the downloads on a separate TLS connection and each TLS connection of a precise fixed size matching each package on GitHub.)

This was demonstrated over 15 years ago and by now I assume there to be a 'click button' in NSO's product for at least that long :>

p.s. smalltalk: github.com, archive.ubuntu.com etc etc - ALL repos and all distros are MITM attacked in Iran (for example; equally true for most autocratic countries where the people are subjugated) - they are not even hiding it - just resolve any domain (github.com, ubuntu, ..) and it resolves to their proxy/MITM address.

Thanks for fixing. ❤️
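To make the traffic-analysis argument in the reply above concrete, here is an added example (not from the thread or the project) that classifies passive TLS flow metadata the way the reporter describes: filter on the SNI, then look for a run of consecutive connections whose server-to-client byte counts match a table of known package sizes. The flow log and the size table are constructed for illustration; a real observer would take sizes from the public release assets and would see them inflated slightly by TLS record overhead, which the `tol` setting accounts for.

```shell
#!/bin/sh
# Added example, not from the issue thread or the project: fingerprinting an
# install run from passive TLS metadata (SNI + bytes per connection + ordering).
# Both inputs below are constructed for illustration.

# Constructed flow log: one TLS connection per line, "start_time sni bytes_from_server".
# The byte counts are a few hundred bytes above the package sizes to mimic
# TLS record and HTTP header overhead.
FLOWS='10:00:01 github.com 53102
10:00:02 github.com 7340890
10:00:03 github.com 1049430
10:00:04 github.com 3146600
10:00:05 github.com 9438050
10:00:06 github.com 2098011
10:01:30 github.com 804210
10:02:00 api.github.com 18300
10:05:00 github.com 52911
10:05:02 github.com 1049100'

# Constructed table of known package sizes in bytes (a real observer would read
# these off the public release assets the installer fetches).
SIZES='52480 7340032 1048576 3145728 9437184 2097152'

# find_install_runs <flow_log> <size_table>
# Prints one line per detected run: "<first_time> <last_time> <n_matching>".
# A run is >= min_run consecutive github.com connections whose size is within
# tol bytes of some known package size; any other connection ends the run.
find_install_runs() {
    printf '%s\n' "$1" | awk -v sizes="$2" -v tol=2048 -v min_run=3 '
    BEGIN { n = split(sizes, known, /[ \n]+/) }
    function matches(b,   i) {
        for (i = 1; i <= n; i++)
            if (known[i] != "" && b - known[i] <= tol && known[i] - b <= tol)
                return 1
        return 0
    }
    function flush() {
        if (run >= min_run) printf "%s %s %d\n", first, last, run
        run = 0
    }
    $2 == "github.com" && matches($3) {
        if (run == 0) first = $1
        last = $1
        run++
        next
    }
    { flush() }
    END { flush() }'
}

# count_install_runs <flow_log> <size_table>
# Number of detected install runs.
count_install_runs() {
    find_install_runs "$1" "$2" | wc -l | tr -d ' '
}

find_install_runs "$FLOWS" "$SIZES"
```

Nothing is decrypted here: the SNI, the byte counts and their order are all visible to any on-path observer, which is why "the script only talks to github.com" does not make the downloads indistinguishable from ordinary GitHub traffic. The two isolated matching connections at the end fall below `min_run` and are ignored; raising `min_run` or tightening `tol` trades false positives for misses.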