jamesoff / simplemonitor

A Python-based network and host monitor
https://simplemonitor.readthedocs.io/en/latest/
BSD 3-Clause "New" or "Revised" License

Monitoring untrusted hosts #143

Closed progval closed 5 years ago

progval commented 5 years ago

Hi,

I'm considering using simplemonitor for my servers. I noticed it uses pickle to transfer data from a client to the master host, so a malicious/compromised client could run arbitrary code on the master. How hard would it be to replace pickle with a safe protocol, like JSON or XML?

Thanks!

jamesoff commented 5 years ago

Hi,

As it stands, that would be moderately non-trivial but not impossible.

However, since 1.6 (actually, since c88f11c), SimpleMonitor uses a shared secret to validate the pickled data that's arrived to mitigate this issue. Hopefully that's safe enough for you? (And I'm by no means a crypto expert so if you know of an issue with that implementation please let me know!)

Thanks :)

progval commented 5 years ago

Thanks for the quick reply!

Unfortunately, a shared secret does not protect from a compromised host, because the attacker would have access to the secret :/

jamesoff commented 5 years ago

Indeed, although as you say they then already have access to at least one of your hosts and there may well be other options for lateral movement in the network at that point.

Changing the network monitoring to use something like JSON (I'd always pick that over XML ;) is something I'd like to do but do not currently have the bandwidth for.

At the moment, pickle is used to instantiate Monitor instances on the receiving ends which allows them to be fully populated and easy to call methods on. (It seemed like a good idea at the time, which was ~2006!) Replacing that method with sending properties by JSON and creating/populating Monitor instances on the receiving end would probably suffice and let the rest of the code stay the same.

I'll have a think, but in the meanwhile if you happen to feel like trying your hand at it, I'm happy to receive pull requests.
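The two points raised in this thread, pickle plus a shared-secret check versus a JSON protocol that rebuilds Monitor objects from plain fields, as an added example. This is not code from the thread or from simplemonitor; the Monitor fields, the SHARED_SECRET value, the whitelist of monitor type names and the HMAC-SHA256 framing are all assumptions made for the demonstration.

```python
"""Added example (not simplemonitor's own code).

1. An HMAC over a pickle only proves the sender knew the shared secret; a
   compromised client has the secret, so pickle.loads still runs its code.
2. The JSON alternative: send plain fields, validate them against a
   whitelist, and construct the Monitor object on the receiving end.
Monitor, SHARED_SECRET, MONITOR_TYPES and the field names are assumptions.
"""
import hashlib
import hmac
import json
import pickle
from dataclasses import dataclass

SHARED_SECRET = b"constructed-demo-secret"   # held by the master and every client
TAG_LEN = hashlib.sha256().digest_size

EXECUTED = []   # harmless stand-in for whatever an attacker would run on the master


def _side_effect(marker):
    EXECUTED.append(marker)
    return marker


class Evil:
    """pickle stores the (callable, args) pair from __reduce__ and calls it on load."""
    def __reduce__(self):
        return (_side_effect, ("code ran on master",))


def sign(payload: bytes) -> bytes:
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest() + payload


def verify(message: bytes) -> bytes:
    """Return the payload if the tag matches, else raise ValueError."""
    tag, payload = message[:TAG_LEN], message[TAG_LEN:]
    expected = hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad HMAC")
    return payload


def receive_pickle(message: bytes):
    # Check the secret first, then unpickle: the shape of the mitigation
    # discussed above. The check says nothing about what the pickle contains.
    return pickle.loads(verify(message))


def compromised_client_vs_pickle():
    """A client that knows the secret signs a malicious pickle; the master runs it."""
    EXECUTED.clear()
    receive_pickle(sign(pickle.dumps(Evil())))
    return list(EXECUTED)


# --- JSON alternative: properties over the wire, objects built on the receiver ---

@dataclass
class Monitor:
    name: str
    monitor_type: str
    succeeded: bool
    last_result: str


MONITOR_TYPES = {"ping", "http", "service"}   # assumed whitelist of type names
FIELD_TYPES = {"name": str, "type": str, "succeeded": bool, "last_result": str}


def monitor_to_json(m: Monitor) -> bytes:
    return json.dumps({"name": m.name, "type": m.monitor_type,
                       "succeeded": m.succeeded, "last_result": m.last_result}).encode()


def monitor_from_json(payload: bytes) -> Monitor:
    """json.loads yields only dicts, lists, strings, numbers, bools and None,
    never objects or callables, so a signed-but-malicious client can at worst
    send wrong values, and those are rejected here."""
    data = json.loads(payload)
    if not isinstance(data, dict) or set(data) != set(FIELD_TYPES):
        raise ValueError("unexpected fields")
    for key, expected in FIELD_TYPES.items():
        if type(data[key]) is not expected:
            raise ValueError(f"field {key!r} has wrong type")
    if data["type"] not in MONITOR_TYPES:
        raise ValueError(f"unknown monitor type {data['type']!r}")
    return Monitor(data["name"], data["type"], data["succeeded"], data["last_result"])


def receive_json(message: bytes) -> Monitor:
    return monitor_from_json(verify(message))


def compromised_client_vs_json():
    """Same attacker, same secret: every attempt is rejected and nothing runs."""
    EXECUTED.clear()
    attempts = (
        pickle.dumps(Evil()),                                        # not JSON at all
        json.dumps({"name": "x", "type": "__import__('os')",         # type not whitelisted
                    "succeeded": True, "last_result": ""}).encode(),
        json.dumps({"name": "x", "type": "ping", "succeeded": True,  # unexpected field
                    "last_result": "", "extra": 1}).encode(),
    )
    outcomes = []
    for bad in attempts:
        try:
            receive_json(sign(bad))
            outcomes.append("accepted")
        except ValueError:
            outcomes.append("rejected")
    return outcomes, list(EXECUTED)
```

The HMAC stays useful in the JSON version: it still stops anyone without the secret from injecting results over the network. What changes is the blast radius of a client that does hold the secret, which drops from code execution on the master to submitting bogus monitoring results for the fields the schema allows.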

progval commented 5 years ago

> I'll have a think, but in the meanwhile if you happen to feel like trying your hand at it, I'm happy to receive pull requests.

Sure!

I started some work here, feel free to take a look: https://github.com/jamesoff/simplemonitor/compare/master...ProgVal:remove-pickle

jamesoff commented 5 years ago

Looks like a good start :)

jamesoff commented 5 years ago

Happy to close this now?

progval commented 5 years ago

Sure, thanks!