Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Jetpack version based detection #124

Merged
merged 6 commits into from
Oct 21, 2024
Merged

Add Jetpack version based detection #124

Show file tree
Hide file tree
Changes from 4 commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
f794e4b
before adding unitests
ybadaoui-ostorlab Oct 16, 2024
5182201
save changes
ybadaoui-ostorlab Oct 17, 2024
aef0919
refactor the version check logic
ybadaoui-ostorlab Oct 18, 2024
0656484
add version based detection for jetpack wordpress plugin vulnerability
ybadaoui-ostorlab Oct 18, 2024
8cbfd8e
resolve comments
ybadaoui-ostorlab Oct 18, 2024
91f6fac
add unittest for triggring network exception to fix code coverage
ybadaoui-ostorlab Oct 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
202 changes: 202 additions & 0 deletions agent/exploits/jetpack_version_detection.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,202 @@
import datetime
import re
from urllib import parse as urlparse

import requests
from requests import exceptions as requests_exceptions
from semver import Version
ybadaoui-ostorlab marked this conversation as resolved.
Show resolved Hide resolved

from agent import definitions
from agent import exploits_registry
from agent.exploits import webexploit

MAX_REDIRECTS = 2
DEFAULT_TIMEOUT = datetime.timedelta(seconds=90)
ybadaoui-ostorlab marked this conversation as resolved.
Show resolved Hide resolved
VULNERABILITY_TITLE = (
"UNAUTHORIZED FORM DATA EXPOSURE VULNERABILITY IN JETPACK'S CONTACT FORM FEATURE"
)
VULNERABILITY_REFERENCE = "jetpack data exposure"
VULNERABILITY_DESCRIPTION = """The vulnerability resides in the Contact Form feature in Jetpack, and could be used by any logged in users on a site to read forms submitted by visitors on the site."""
RISK_RATING = "CRITICAL"

# Define vulnerable ranges with actual values
VULNERABLE_RANGES = [
("13.9.0", "13.9.0"),
("13.8.0", "13.8.1"),
("13.7.0", "13.7.0"),
("13.6.0", "13.6.0"),
("13.5.0", "13.5.0"),
("13.4.0", "13.4.3"),
("13.3.0", "13.3.1"),
("13.2.0", "13.2.2"),
("13.1.0", "13.1.3"),
("13.0.0", "13.0.0"),
("12.9.0", "12.9.3"),
("12.8.0", "12.8.1"),
("12.7.0", "12.7.1"),
("12.6.0", "12.6.2"),
("12.5.0", "12.5.0"),
("12.4.0", "12.4.0"),
("12.3.0", "12.3.0"),
("12.2.0", "12.2.1"),
("12.1.0", "12.1.1"),
("12.0.0", "12.0.1"),
("11.9.0", "11.9.2"),
("11.8.0", "11.8.5"),
("11.7.0", "11.7.2"),
("11.6.0", "11.6.1"),
("11.5.0", "11.5.2"),
("11.4.0", "11.4.1"),
("11.3.0", "11.3.3"),
("11.2.0", "11.2.1"),
("11.1.0", "11.1.3"),
("11.0.0", "11.0.1"),
("10.9.0", "10.9.2"),
("10.8.0", "10.8.1"),
("10.7.0", "10.7.1"),
("10.6.0", "10.6.1"),
("10.5.0", "10.5.2"),
("10.4.0", "10.4.1"),
("10.3.0", "10.3.1"),
("10.2.0", "10.2.2"),
("10.1.0", "10.1.1"),
("10.0.0", "10.0.1"),
("9.9.0", "9.9.2"),
("9.8.0", "9.8.2"),
("9.7.0", "9.7.2"),
("9.6.0", "9.6.3"),
("9.5.0", "9.5.4"),
("9.4.0", "9.4.3"),
("9.3.0", "9.3.4"),
("9.2.0", "9.2.3"),
("9.1.0", "9.1.2"),
("9.0.0", "9.0.4"),
("8.9.0", "8.9.3"),
("8.8.0", "8.8.4"),
("8.7.0", "8.7.3"),
("8.6.0", "8.6.3"),
("8.5.0", "8.5.2"),
("8.4.0", "8.4.4"),
("8.3.0", "8.3.2"),
("8.2.0", "8.2.5"),
("8.1.0", "8.1.3"),
("8.0.0", "8.0.2"),
("7.9.0", "7.9.3"),
("7.8.0", "7.8.3"),
("7.7.0", "7.7.5"),
("7.6.0", "7.6.3"),
("7.5.0", "7.5.6"),
("7.4.0", "7.4.4"),
("7.3.0", "7.3.4"),
("7.2.0", "7.2.4"),
("7.1.0", "7.1.4"),
("7.0.0", "7.0.4"),
("6.9.0", "6.9.3"),
("6.8.0", "6.8.4"),
("6.7.0", "6.7.3"),
("6.6.0", "6.6.4"),
("6.5.0", "6.5.3"),
("6.4.0", "6.4.5"),
("6.3.0", "6.3.6"),
("6.2.0", "6.2.4"),
("6.1.0", "6.1.4"),
("6.0.0", "6.0.3"),
("5.9.0", "5.9.3"),
("5.8.0", "5.8.3"),
("5.7.0", "5.7.4"),
("5.6.0", "5.6.4"),
("5.5.0", "5.5.4"),
("5.4.0", "5.4.3"),
("5.3.0", "5.3.3"),
("5.2.0", "5.2.4"),
("5.1.0", "5.1.3"),
("5.0.0", "5.0.2"),
("4.9.0", "4.9.2"),
("4.8.0", "4.8.4"),
("4.7.0", "4.7.3"),
("4.6.0", "4.6.2"),
("4.5.0", "4.5.2"),
("4.4.0", "4.4.4"),
("4.3.0", "4.3.4"),
("4.2.0", "4.2.4"),
("4.1.0", "4.1.3"),
("4.0.0", "4.0.6"),
(None, "3.9.9"),
3asm marked this conversation as resolved.
Show resolved Hide resolved
]


@exploits_registry.register
class JetpackExploit(webexploit.WebExploit):
accept_request = definitions.Request(
method="GET", path="/wp-content/plugins/jetpack/readme.txt"
)
check_request = definitions.Request(
method="GET", path="/wp-content/plugins/jetpack/readme.txt"
)
accept_pattern = [
re.compile("=== Jetpack - WP Security, Backup, Speed, & Growth ===")
]
version_pattern = re.compile("Stable\stag:\s(\d+\.\d+\.\d+)")

metadata = definitions.VulnerabilityMetadata(
title=VULNERABILITY_TITLE,
description=VULNERABILITY_DESCRIPTION,
reference=VULNERABILITY_REFERENCE,
risk_rating=RISK_RATING,
)

def check(self, target: definitions.Target) -> list[definitions.Vulnerability]:
"""Rule to detect specific vulnerability on a specific target.

Args:
target: Target to scan

Returns:
List of identified vulnerabilities.
"""
session = requests.Session()
session.max_redirects = MAX_REDIRECTS
session.verify = False

vulnerabilities: list[definitions.Vulnerability] = []

target_endpoint = urlparse.urljoin(target.origin, self.check_request.path)

try:
req = requests.Request(
method=self.check_request.method,
url=target_endpoint,
data=self.check_request.data,
ohachimOs marked this conversation as resolved.
Show resolved Hide resolved
).prepare()
resp = session.send(req, timeout=DEFAULT_TIMEOUT.seconds)
except requests_exceptions.RequestException:
ybadaoui-ostorlab marked this conversation as resolved.
Show resolved Hide resolved
return vulnerabilities

Check warning on line 173 in agent/exploits/jetpack_version_detection.py

View check run for this annotation

Codecov / codecov/patch

agent/exploits/jetpack_version_detection.py#L172-L173 

Added lines #L172 - L173 were not covered by tests

if (matched := self.version_pattern.findall(resp.text)) != []:
for extracted_version in matched:
if _is_vulnerable(extracted_version) is True:
vulnerability = self._create_vulnerability(target)
vulnerabilities.append(vulnerability)
ybadaoui-ostorlab marked this conversation as resolved.
Show resolved Hide resolved

return vulnerabilities


def _is_vulnerable(extracted_version: str) -> bool:
"""Check if the extracted version is in the list of vulnerable ranges.

Args:
extracted_version: Version of Jetpack

Returns:
True if the version is vulnerable, False otherwise.
"""
extracted_ver = Version.parse(extracted_version)

for min_version, max_version in VULNERABLE_RANGES:
min_ver = Version.parse(min_version) if min_version else None
max_ver = Version.parse(max_version)

if (min_ver is None or extracted_ver >= min_ver) and extracted_ver <= max_ver:
return True

return False
62 changes: 62 additions & 0 deletions tests/exploits/jetpack_version_detection_test.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
"""Unit tests for Agent Asteroid: Jetpack Exploit"""

import requests_mock as req_mock

from agent import definitions
from agent.exploits import jetpack_version_detection


def testCVE20249487_whenVulnerable_reportFinding(
requests_mock: req_mock.mocker.Mocker,
) -> None:
"""Jetpack Exploit unit test: case when target is vulnerable."""
requests_mock.get(
"http://localhost:80/wp-content/plugins/jetpack/readme.txt",
text="""
=== Jetpack - WP Security, Backup, Speed, & Growth ===
Tags: Security, backup, malware, scan, performance
Stable tag: 4.9.2
Requires at least: 6.5
""",
status_code=200,
)
exploit_instance = jetpack_version_detection.JetpackExploit()
target = definitions.Target("http", "localhost", 80)

accept = exploit_instance.accept(target)
vulnerabilities = exploit_instance.check(target)

assert accept is True
vulnerability = vulnerabilities[0]
assert (
vulnerability.entry.title
== "UNAUTHORIZED FORM DATA EXPOSURE VULNERABILITY IN JETPACK'S CONTACT FORM FEATURE"
)
assert vulnerability.technical_detail == (
"http://localhost:80 is vulnerable to jetpack data exposure, "
"UNAUTHORIZED FORM DATA EXPOSURE VULNERABILITY IN JETPACK'S CONTACT FORM FEATURE"
)


def testCVE20249487_whenNotVulnerable_reportNothing(
requests_mock: req_mock.mocker.Mocker,
) -> None:
"""jetpack_version_detection unit test: case when target is vulnerable."""
requests_mock.get(
"http://localhost:80/wp-content/plugins/jetpack/readme.txt",
text="""
=== Jetpack - WP Security, Backup, Speed, & Growth ===
Tags: Security, backup, malware, scan, performance
Stable tag: 13.9.1
Requires at least: 6.5
""",
status_code=200,
)
exploit_instance = jetpack_version_detection.JetpackExploit()
target = definitions.Target("http", "localhost", 80)

accept = exploit_instance.accept(target)
vulnerabilities = exploit_instance.check(target)

assert accept is True
assert len(vulnerabilities) == 0
Loading