I think we are having some flaw in our current Parrot project. Here is my ideas and solutions. I want to here all of Parrot user about it
Current Parrot (count to 4.6) issue
- Our files and folders in
$USERare having 755 permission. It means other users can read each other data. For example: 1 workstation user is developing web app, and it has RCE somehow. Attacker can exploit it withwww-datapermission and accessdeveloperdata. - We don’t have firejail profiles for our pentesting tools. Check out:
- Burp Suite has RCE
https://www.youtube.com/watch?v=Bv_j8ZsNwl8. - Python library backdoor
https://www.bleepingcomputer.com/news/security/backdoored-python-library-caught-stealing-ssh-credentials/And we must prevent all of this issue as much as possible
So, I am having some suggestions and ideas
- For file permissions: set 750 or even 700 by default, as same as hosting systems does
- This is complex. We are having thousand tools. Create each profile for each tool is nearly impossible in days or months. And we are having scanners, exploiters, forensic tools, …, user custom tools, unstrusted tools that user download from internet. We can group it:
- Requires root permission: aircrack, airgedon, …
- Non root permission:
- Scan targets, put result to STDOUT. No permission is needed (DNS scanners, …)
- Need read tool’s config files, their script to execute advance tasks (nmap)
- Need write file to
$HOMEas result (wapiti), user define where to write result (airodump) Even we define whitelist and blacklist folder for these tools, I believe tools can read user data in whitelist folders
- Other tool on internet can be executed normally without sandbox
- User’s tools, need permission based on user tasks For Non-root permission tools and untrusted tool, I think we can run them under virtual user permission, combine with default file and folder permission in
1., we can prevent them from reading data in$HOME. All config files and results will be written as virtual user permission. (This is conflict with 700 permission). Other idea is we can create a “virtual”pentestuser and stores result in/home/pentest/-> other problem,pentestuser mustn’t be a backdoor.