google · copybara-service · May 6, 2024 · May 6, 2024
diff --git a/detector/weakcredentials/etcshadow/cracker.go b/detector/weakcredentials/etcshadow/cracker.go
@@ -0,0 +1,95 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package etcshadow
+
+import (
+	"context"
+	"errors"
+	"strings"
+
+	"github.com/GehirnInc/crypt/sha512_crypt"
+	"golang.org/x/crypto/bcrypt"
+)
+
+// ErrNotCracked returned when a cracker did not find a matching password.
+var ErrNotCracked = errors.New("not cracked")
+
+// Cracker interface is implemented by types which know how to crack hashes.
+type Cracker interface {
+	// Crack returns (password,nil) on success and ("", ErrNotCracked) on failure.
+	Crack(context.Context, string) (string, error)
+}
+
+type passwordCracker struct {
+	bcryptCracker      Cracker
+	sha512cryptCracker Cracker
+}
+
+// NewPasswordCracker returns a cracker that can attempt to find the password for a given hash.
+func NewPasswordCracker() Cracker {
+	return passwordCracker{
+		bcryptCracker:      bcryptCracker{},
+		sha512cryptCracker: sha512CryptCracker{},
+	}
+}
+
+func (c passwordCracker) Crack(ctx context.Context, hash string) (string, error) {
+	switch {
+	case strings.HasPrefix(hash, "$2"):
+		return c.bcryptCracker.Crack(ctx, hash)
+	case strings.HasPrefix(hash, sha512_crypt.MagicPrefix):
+		return c.sha512cryptCracker.Crack(ctx, hash)
+	}
+	return "", ErrNotCracked
+}
+
+// Cracker for bcrypt password hashes.
+type bcryptCracker struct {
+}
+
+func (c bcryptCracker) Crack(ctx context.Context, hash string) (string, error) {
+	for _, v := range topPasswords {
+		select {
+		case <-ctx.Done():
+			return "", ctx.Err()
+		default: // keep cracking
+		}
+		err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(v))
+		if err == nil {
+			return v, nil
+		}
+	}
+	return "", ErrNotCracked
+}
+
+// Cracker for sha512crypt password hashes.
+type sha512CryptCracker struct {
+}
+
+func (c sha512CryptCracker) Crack(ctx context.Context, hash string) (string, error) {
+	crypter := sha512_crypt.New()
+	for _, v := range topPasswords {
+		select {
+		case <-ctx.Done():
+			return "", ctx.Err()
+		default: // keep cracking
+		}
+		err := crypter.Verify(hash, []byte(v))
+		if err == nil {
+			return v, nil
+		}
+	}
+	return "", ErrNotCracked
+}
diff --git a/detector/weakcredentials/etcshadow/cracker_test.go b/detector/weakcredentials/etcshadow/cracker_test.go
@@ -0,0 +1,98 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package etcshadow_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/google/osv-scalibr/detector/weakcredentials/etcshadow"
+)
+
+// All the hashes below are for the string "Password123" and where obtained
+// running: 'mkpasswd -m METHOD PASSWORD'.
+//
+// Note the the obsolete descrypt will limit password to 8 characters and
+// there will be cracked as the value 'Password'.
+var testHashes = map[string]string{
+	"yescrypt":      "$y$j9T$huXYrFRxr5.EtlA/GqJQg1$R36Nu5MbY5YM0SzRaWbBPyGpM7KMcWtbUmBq5gDZA9B",
+	"gost-yescrypt": "$gy$j9T$i.krMgTvuXE2doi6Hguka/$qwn482j7gJbWZNQ3cF0YdKAud.C3vUIorQGsF0ryox3",
+	"scrypt":        "$7$CU..../....oupVTCfqrgm0HQkQR3JaB1$2m9CeDTqL8i5pMsc8E73A2bCIsvQPhntxBmSVlbrql2",
+	"bcrypt":        "$2b$05$IYDlXvHmeORyyiUwu8KKuek2LE8VrxIYZ2skPvRDDNngpXJHRq7sG",
+	"bcrypt-a":      "$2a$05$pRmHHyGfKl9/9AZLORG/neKW39VHGF4ptLT2MLq1BqQOnbwL6DQM6",
+	"sha512crypt":   "$6$5dZ5RtTlA.rNzi8o$sE23IbqB0Q57/7nI2.AqazHUnWGP06HmkadfBJ90mHgAHkWVZteoaUWV25jITMIUXC/buIgZ9hU2JYQM5qGZn1",
+	"sha256crypt":   "$5$bMDt75aAcRJMgynJ$7dvcQe0UPWAlpr4VFNQI2iDDUQLgwcaTOV5oQVSIR56",
+	"sunmd5":        "$md5,rounds=46947$ieGPlcPv$$sJ4xQqZ5DHZu0Bma2EW/..",
+	"md5crypt":      "$1$emQTNiRX$kZ2UzRTLgfsTBGS0M1OOb1",
+	"NT-Hash":       "$3$$58a478135a93ac3bf058a5ea0e8fdb71",
+	// Quite old and insecure password hash algorithms. Do not use the $ format.
+	"bsdicrypt": "_J9..Sc51o5Op8yDIuHc",
+	"descrypt":  "chERDiI95PGCQ",
+}
+
+func TestPasswordHashCracker(t *testing.T) {
+	cracker := etcshadow.NewPasswordCracker()
+	crackableHash := map[string]bool{
+		"bcrypt":      true,
+		"bcrypt-a":    true,
+		"sha512crypt": true,
+	}
+	for k, v := range testHashes {
+		password, err := cracker.Crack(context.Background(), v)
+		_, isCrackable := crackableHash[k]
+		if isCrackable && err != nil {
+			t.Errorf("not cracked supported hash: [%v] [%v]", k, v)
+		} else if !isCrackable && err == nil {
+			t.Errorf("cracked unsupported hash: [%v] [%v] [%v]", k, password, v)
+		} else if password != "Password123" && err == nil {
+			t.Errorf("cracked password is not 'Password123': [%v] [%v] [%v]", k, password, v)
+		}
+	}
+}
+
+func TestPasswordHashCrackerBadHashes(t *testing.T) {
+	cracker := etcshadow.NewPasswordCracker()
+	badValues := []string{
+		"$2$",
+		"$2$123",
+		"$2$123$",
+		"$6$",
+		"$6$123",
+		"$6$123$",
+		"*",
+		"!!",
+		"!",
+		"$2$*",
+		"$2$!",
+		"$6$*",
+		"$6$!",
+	}
+
+	for _, v := range badValues {
+		if _, err := cracker.Crack(context.Background(), v); err != etcshadow.ErrNotCracked {
+			t.Errorf("expected ErrNotCracked on hash [%s] received [%v]", v, err)
+		}
+	}
+}
+
+func TestPasswordHashCrackerCancelled(t *testing.T) {
+	cracker := etcshadow.NewPasswordCracker()
+	ctx, cancelFunc := context.WithCancel(context.Background())
+	cancelFunc()
+	_, err := cracker.Crack(ctx, testHashes["bcrypt"])
+	if err != ctx.Err() {
+		t.Errorf("expected error %v on cancelled context, received error %v", ctx.Err(), err)
+	}
+}
diff --git a/detector/weakcredentials/etcshadow/detector.go b/detector/weakcredentials/etcshadow/detector.go
@@ -0,0 +1,137 @@
+// Copyright 2024 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package etcshadow implements a detector for weak/guessable passwords stored in /etc/shadow.
+package etcshadow
+
+import (
+	"bufio"
+	"context"
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"sort"
+	"strings"
+
+	"github.com/google/osv-scalibr/detector"
+	"github.com/google/osv-scalibr/inventoryindex"
+)
+
+// Detector is a SCALIBR Detector for weak/guessable passwords from /etc/shadow.
+type Detector struct{}
+
+// Name of the detector.
+func (Detector) Name() string { return "weakcredentials/etcshadow" }
+
+// Version of the detector.
+func (Detector) Version() int { return 0 }
+
+// RequiredExtractors returns an empty list as there are no dependencies.
+func (Detector) RequiredExtractors() []string { return []string{} }
+
+// Scan starts the scan.
+func (d Detector) Scan(ctx context.Context, scanRoot string, ix *inventoryindex.InventoryIndex) ([]*detector.Finding, error) {
+	return d.ScanFS(ctx, os.DirFS(scanRoot), ix)
+}
+
+// ScanFS starts the scan from a pseudo-filesystem.
+func (Detector) ScanFS(ctx context.Context, fs fs.FS, ix *inventoryindex.InventoryIndex) ([]*detector.Finding, error) {
+	f, err := fs.Open("etc/shadow")
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			// File doesn't exist, check not applicable.
+			return nil, nil
+		}
+		return nil, err
+	}
+	defer f.Close()
+
+	users, err := parseShadowFile(f)
+	if err != nil {
+		return nil, err
+	}
+
+	cracker := NewPasswordCracker()
+
+	// When looking at password hashes we strictly focus on hash strings
+	// with the format $ALGO$SALT$HASH. There are many other things we choose
+	// not to check for the sake of simplicity (e.g. hash strings preceded
+	// by one or two ! characters are for locked logins - password can still be weak
+	// and running as user can be done locally with the 'su' command).
+	var problemUsers []string
+	for user, hash := range users {
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		default: // keep cracking
+		}
+		if _, err := cracker.Crack(ctx, hash); err == nil { // if cracked
+			// Report only user name to avoid PII leakage.
+			problemUsers = append(problemUsers, user)
+		}
+	}
+
+	if len(problemUsers) == 0 {
+		return nil, nil
+	}
+
+	title := "Ensure all users have strong passwords configured"
+	description := "The /etc/shadow file contains user account password hashes. " +
+		"These passwords must be strong and not easily guessable."
+	recommendation := "Run the following command to reset password for the reported users:\n" +
+		"# change password for USER: sudo passwd USER"
+
+	// Sort users to avoid non-determinism in the processing order from users map.
+	sort.Strings(problemUsers)
+	buf := new(strings.Builder)
+	fmt.Fprintln(buf, "The following users have weak passwords:")
+	for _, u := range problemUsers {
+		fmt.Fprintln(buf, u)
+	}
+	problemDescription := buf.String()
+
+	return []*detector.Finding{&detector.Finding{
+		Adv: &detector.Advisory{
+			ID: &detector.AdvisoryID{
+				Publisher: "SCALIBR",
+				Reference: "etc-shadow-weakcredentials",
+			},
+			Type:           detector.TypeVulnerability,
+			Title:          title,
+			Description:    description,
+			Recommendation: recommendation,
+			Sev:            &detector.Severity{Severity: detector.SeverityCritical},
+		},
+		Target: &detector.TargetDetails{Location: []string{"/etc/shadow"}},
+		Extra:  problemDescription,
+	}}, nil
+}
+
+func parseShadowFile(f fs.File) (map[string]string, error) {
+	users := make(map[string]string)
+	scanner := bufio.NewScanner(f)
+	for scanner.Scan() {
+		fields := strings.Split(scanner.Text(), ":")
+		if len(fields) >= 2 {
+			users[fields[0]] = fields[1]
+		}
+	}
+
+	if err := scanner.Err(); err != nil {
+		return nil, err
+	}
+
+	return users, nil
+}