Closed (sethsec-bf closed this 2 years ago)
The --scps flag has no effect on this preset query. Instead of authorization checks, it's doing breadth-first searches of the Graph starting at each Node. However, that is a good reminder that another preset query called endgame should allow users to include SCPs and I'll need to fix that.
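To make the distinction in the comment above concrete, here is a small toy model, added as an illustration and not PMapper's own code: edges are decided once when the graph is built (that is where SCPs can matter), while the privesc preset is a plain breadth-first search over those edges and has no SCP parameter at all, so a query-time flag has nothing to act on. Every name, principal, action set and edge rule below is an assumption made up for the example; the real tool's edge logic is far richer than this.

```python
"""Toy model: graph-build-time SCP handling vs. a BFS-based privesc preset.

Added illustration, not PMapper code. IDENTITY_ALLOWS, EDGE_RULES and all
function names are assumptions constructed for this example.
"""
from collections import deque

# Constructed sample data: principals in one account and the actions each one's
# identity policy allows. 'admin' is the only administrator.
IDENTITY_ALLOWS = {
    "dev-user": {"iam:PassRole", "lambda:CreateFunction"},
    "ci-role": {"lambda:UpdateFunctionCode"},
    "admin": {"*"},
}

# Hypothetical edge rules: (source, destination, actions the source must be
# authorized for). Real escalation edges involve many more conditions.
EDGE_RULES = [
    ("dev-user", "admin", {"iam:PassRole", "lambda:CreateFunction"}),
    ("ci-role", "admin", {"lambda:UpdateFunctionCode"}),
]


def is_authorized(principal, action, scp_denies=frozenset()):
    """Authorization check: identity policy must allow and no SCP may deny.
    This is the kind of check a query-time SCP flag can influence."""
    if action in scp_denies:
        return False
    allows = IDENTITY_ALLOWS[principal]
    return "*" in allows or action in allows


def build_graph(scp_denies=frozenset()):
    """Edges are fixed at graph-creation time using the SCPs known then."""
    edges = {p: set() for p in IDENTITY_ALLOWS}
    for src, dst, needed in EDGE_RULES:
        if all(is_authorized(src, a, scp_denies) for a in needed):
            edges[src].add(dst)
    return edges


def privesc_preset(edges, admins=frozenset({"admin"})):
    """BFS from every non-admin node; True if it can reach an admin.
    Deliberately takes no SCP argument: it only walks existing edges."""
    result = {}
    for start in edges:
        if start in admins:
            continue
        seen, queue, found = {start}, deque([start]), False
        while queue and not found:
            cur = queue.popleft()
            for nxt in edges[cur]:
                if nxt in admins:
                    found = True
                    break
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        result[start] = found
    return result


if __name__ == "__main__":
    scp = {"iam:PassRole"}  # constructed SCP: deny iam:PassRole
    print("graph built without SCPs:", privesc_preset(build_graph()))
    print("graph built with SCP deny:", privesc_preset(build_graph(scp)))
    # Same graph, same answer: there is no SCP knob on the BFS itself.
    print("auth check, SCP applied at query time:",
          is_authorized("dev-user", "iam:PassRole", scp))
```

Run as a script it shows dev-user escalating only when the graph was built without the SCP deny, and ci-role escalating either way; the only place the SCP is consulted after the build is the per-action authorization check, which is the query type an SCP flag is meant for.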
I think https://github.com/nccgroup/PMapper/issues/94 is the root cause of the unexpected behavior here. The edges and admins are defined when the Graph is created, so any mistakes there will be reflected in the privesc query, which is why you're getting the unexpected output.
v1.1.4 is out, closing.
Describe the bug
If pmapper loads the org data, and the org includes SCPs, I get the same output with the query preset privesc * regardless of whether I use the --scps flag or not.

To Reproduce
1. playground account, attached to dev account. Let's say for example the SCP denies iam:passrole.
2. playground creds, run pmapper orgs create
3. dev creds, run pmapper graph create --include-region us-east-1
4. dev creds, run pmapper orgs update --org ID
5. dev creds, run pmapper query --scps 'preset privesc *'
6. dev creds, run pmapper query 'preset privesc *'

Expected behavior
I would expect step 7 to ignore the SCPs applied to the dev account. Not that I can think of a reason I would ever need that output, but based on the existence of the --scps flag, that's what I would expect.