tclahr / uac

UAC is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
https://tclahr.github.io/uac-docs
Apache License 2.0

Regex to extract %user_home% fail with old version of grep #245

Closed william-billaud closed 1 month ago

william-billaud commented 1 month ago

On some versions of grep (e.g. 2.20, present on CentOS 6 or RHEL 6) the regexp used to retrieve the user home from .user_home_list.tmp fails:

❯ docker run -v `pwd`:/data --rm -it centos:centos6.8 bash
[root@7f550a96d1fc /]# grep -V
grep (GNU grep) 2.20
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Mike Haertel and others, see <http://git.sv.gnu.org/cgit/grep.git/tree/AUTHORS>.
[root@7f550a96d1fc /]# echo "test:/home/test"| grep -v -E "^:|:$"
[root@7f550a96d1fc /]#
❯ docker run -v `pwd`:/data --rm -it ubuntu:24.04 bash
root@a4e526cf1d32:/# grep -V
grep (GNU grep) 3.11
Copyright (C) 2023 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by Mike Haertel and others; see
<https://git.savannah.gnu.org/cgit/grep.git/tree/AUTHORS>.

grep -P uses PCRE2 10.42 2022-12-11
root@a4e526cf1d32:/# echo "test:/home/test"| grep -v -E "^:|:$"
test:/home/test
root@a4e526cf1d32:/#

Even if the bug comes from grep, it would be nice if uac could still retrieve the user_home file as expected.

william-billaud commented 1 month ago

In branch 2.x the fix may be a simple change of the regex in https://github.com/tclahr/uac/blob/2647c128a55f79cbe83fa9c4186b545b193a7331/lib/get_user_home_list.sh#L87 by

  grep -v -E "^:" "${TEMP_DATA_DIR}/.user_home_list.tmp" | grep -v -E ":$" | sort -u

As the project is under a massive rework, I'm not sure you'll want a PR to correct it.
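As an added example that is not part of this thread or of the UAC project, the filter below reproduces the intent of the proposed two-grep pipeline (drop entries with an empty user or an empty home, then de-duplicate) in awk, which avoids relying on the anchored alternation that grep 2.20 mishandles; the user:home sample data is constructed here.

```shell
#!/bin/sh
# Constructed sample in the "user:home" format of .user_home_list.tmp.
# It includes an entry with no user, one with no home, and a duplicate.
USER_HOME_LIST_SAMPLE='root:/root
test:/home/test
:/home/orphan
nohome:
daemon:/sbin
test:/home/test'

# filter_user_home_list: read "user:home" lines on stdin and print only
# those whose user field and home field are both non-empty, de-duplicated.
# Field tests in awk behave the same on grep-2.20-era systems and on
# current ones, unlike a single grep -E "^:|:$" alternation.
filter_user_home_list() {
  awk -F: 'NF >= 2 && $1 != "" && $2 != "" { print }' | sort -u
}

# count_user_homes: number of valid, unique entries in the sample.
count_user_homes() {
  printf '%s\n' "$USER_HOME_LIST_SAMPLE" | filter_user_home_list | wc -l | tr -d ' '
}

# Stand-alone usage: show the filtered list and its size.
printf '%s\n' "$USER_HOME_LIST_SAMPLE" | filter_user_home_list
echo "valid entries: $(count_user_homes)"
```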

tclahr commented 1 month ago

You are right. The issue applies to old grep versions. I tested the code from the develop branch and it seems to work properly on a centos6.8 container. Can you confirm that?

Also, the plan is to release the new UAC v3 RC1 next week (which fixes this issue), so I see no reason to fix this in v2.

Thanks!

william-billaud commented 1 month ago

According to my test this works properly on CentOS 6.8 (a VM, not a container sharing the same kernel as the host).

Another small "bug" I have found is that the zip binary won't work on really old kernels (e.g. 2.6.x) because the kernel is too old (like statx, but a check is made to ensure that statx can run before using it).

FATAL: kernel too old
Abort trap (core dumped)

Because of this the collection will fail to complete. The workaround is easy (launch with the tar.gz output format) but it would be nice to have an automatic fallback in case of failure (even if it's not a high priority issue).

Thanks for your work

tclahr commented 1 month ago

Yes, I noticed this occurring on FreeBSD and NetScaler as well (depending on the system architecture). I pushed new code to develop that checks whether the zip binary provided by UAC runs properly on the target system before adding its path to PATH. This makes UAC quit with an error message before the collection starts if zip fails to run.

Let me know if you find any issues.

Thanks for all your support on this.

william-billaud commented 1 month ago

Everything works; it even uses the machine's zip if available.

I close the issue as it will be resolved in the next release. Thanks again for your work.