The principalmapper/querying/presetsprivesc.py can_privesc() method only returns one edge_list (the first one that it finds). This makes sense if only checking if privileges can be escalated. However, it is also called in principalmapper/analysis/find_risks.py and principalmapper/visualizing/graphviz_writer.py to get privilege escalation findings. As it is now, if one role can escalate to five other roles, only the first is returned; the other four are not reported as findings. Is this intentional?
The fix is relatively simple. Add a new method as below and make minor changes to the calling code to handle the extra returned findings:
def get_privesc(graph: Graph, node: Node) -> (bool, List[List[Edge]]):
"""Method for determining if a given Node in a Graph can escalate privileges.
Returns a bool, List[Edge] tuple. The bool indicates if there is a privesc risk, and the List[Edge] component
describes the path of edges the node would have to take to gain access to the admin node.
"""
edge_lists = get_search_list(graph, node)
searched_nodes = []
found_edge_lists = []
for edge_list in edge_lists:
# check if the node at the end of the list has been looked at yet, skip if so
end_of_list = edge_list[-1].destination
if end_of_list in searched_nodes:
continue
# add end of list to the searched nodes and do the privesc check
searched_nodes.append(end_of_list)
if end_of_list.is_admin:
found_edge_lists.append(edge_list)
if len(found_edge_lists) > 0:
return True, found_edge_lists
return False, None
Question
The
principalmapper/querying/presetsprivesc.py can_privesc()
method only returns one edge_list (the first one that it finds). This makes sense if only checking if privileges can be escalated. However, it is also called inprincipalmapper/analysis/find_risks.py
andprincipalmapper/visualizing/graphviz_writer.py
to get privilege escalation findings. As it is now, if one role can escalate to five other roles, only the first is returned; the other four are not reported as findings. Is this intentional?The fix is relatively simple. Add a new method as below and make minor changes to the calling code to handle the extra returned findings:
Did the Wiki Have an Answer?
If https://github.com/nccgroup/PMapper/wiki does not have an answer, please suggest where to put one.