From c5fc99af49aad92f52379761e0f166eaa65338f6 Mon Sep 17 00:00:00 2001 From: Manuel Bua Date: Mon, 22 Jun 2020 23:25:52 +0200 Subject: [PATCH 1/3] Add rules Linkerd service detection --- technologies/linkerd-badrule-detect.yaml | 46 +++++++++++++++++ technologies/linkerd-ssrf-detect.yaml | 66 ++++++++++++++++++++++++ 2 files changed, 112 insertions(+) create mode 100644 technologies/linkerd-badrule-detect.yaml create mode 100644 technologies/linkerd-ssrf-detect.yaml diff --git a/technologies/linkerd-badrule-detect.yaml b/technologies/linkerd-badrule-detect.yaml new file mode 100644 index 0000000000..4442c91666 --- /dev/null +++ b/technologies/linkerd-badrule-detect.yaml @@ -0,0 +1,46 @@ +id: linkerd-badrule-detect + +# Detect the Linkerd service by overriding the delegation table with an invalid +# rule, the presence of the service is indicated by either: +# - a "Via: .. linkerd .." +# - a "l5d-err" and/or a "l5d-success" header +# - a literal error in the body + +info: + name: Linkerd detection via bad rule + author: dudez + severity: low + +requests: + - method: GET + path: + - "{{BaseURL}}/" + headers: + l5d-dtab: /svc/* + + matchers-condition: or + matchers: + - type: regex + name: via-linkerd-present + regex: + - '(?mi)^Via\s*?:.*?linkerd.*$' + part: header + + - type: regex + name: l5d-err-present + regex: + - '(?im)^l5d-err:.*$' + part: header + + - type: regex + name: l5d-success-class-present + regex: + - '(?im)^l5d-success-class: 0.*$' + part: header + + - type: word + name: body-error-present + words: + - 'expected but end of input found at' + part: body + diff --git a/technologies/linkerd-ssrf-detect.yaml b/technologies/linkerd-ssrf-detect.yaml new file mode 100644 index 0000000000..da518ab000 --- /dev/null +++ b/technologies/linkerd-ssrf-detect.yaml 
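Review bot: Only `body-error-present` actually depends on the injected `l5d-dtab: /svc/*` value; the three header matchers (`via-linkerd-present`, `l5d-err-present`, `l5d-success-class-present`) fire on an ordinary Linkerd response whether or not the rule was rejected, so with `matchers-condition: or` the template is effectively a presence check with an extra parse-error signal. That is reasonable for a detection template, but the rationale currently lives only in a leading `#` comment that is dropped by the loader; if the nuclei version in use supports `info.description`, a one-line `description: Detects Linkerd by sending an invalid l5d-dtab override and matching the Via/l5d-* headers or the dtab parse error` would surface it in reports. As a small YAML style point, quoting the header value, `l5d-dtab: '/svc/*'`, makes it obvious that the `*` is literal (it is only an alias sigil at the start of a scalar).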
@@ -0,0 +1,66 @@ +id: linkerd-ssrf-detect + +# Detect the Linkerd service by overriding the delegation table and +# inspect the response for: +# - a "Via: .. linkerd .." +# - a "l5d-err" and/or a "l5d-success" header +# - a verbose timeout error (binding timeout) +# - a full response +# The full-response case indicates a possible SSRF condition, the others +# only indicates the service presence. +# +# If a full-response is returned you should really manually probe requests with +# the following header values: +# +# - "l5d-dtab: /svc/* => /$/inet/yourserver.com/80", to get to other external hosts +# - "l5d-dtab: /svc/* => /$/inet/169.254.169.254/80", to get to cloud metadata + +info: + name: Linkerd SSRF detection + author: dudez + severity: medium + +requests: + - method: GET + path: + - "{{BaseURL}}/" + headers: + l5d-dtab: /svc/* => /$/inet/example.com/443 + + matchers-condition: or + matchers: + - type: regex + name: via-linkerd-present + regex: + - '(?mi)^Via\s*?:.*?linkerd.*$' + part: header + + - type: regex + name: l5d-err-present + regex: + - '(?im)^l5d-err:.*$' + part: header + + - type: regex + name: l5d-success-class-present + regex: + - '(?im)^l5d-success-class: 0.*$' + part: header + + - type: word + name: ssrf-response-body + words: + - '

This domain is for use in illustrative examples in documents.' + part: body + + - type: regex + name: resolve-timeout-error-present + regex: + - '(?mi)Exceeded .*? binding timeout while resolving name' + part: body + + - type: regex + name: dynbind-error-present + regex: + - '(?mi)exceeded .*? to unspecified while dyn binding' + part: body \ No newline at end of file From 19edc731660c2f110801125b47260985045d89cb Mon Sep 17 00:00:00 2001 From: Manuel Bua Date: Mon, 22 Jun 2020 23:31:30 +0200 Subject: [PATCH 2/3] Fix formatting --- technologies/linkerd-badrule-detect.yaml | 1 - technologies/linkerd-ssrf-detect.yaml | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/technologies/linkerd-badrule-detect.yaml b/technologies/linkerd-badrule-detect.yaml index 4442c91666..740e9f1d74 100644 --- a/technologies/linkerd-badrule-detect.yaml +++ b/technologies/linkerd-badrule-detect.yaml @@ -43,4 +43,3 @@ requests: words: - 'expected but end of input found at' part: body - diff --git a/technologies/linkerd-ssrf-detect.yaml b/technologies/linkerd-ssrf-detect.yaml index da518ab000..6083cbe091 100644 --- a/technologies/linkerd-ssrf-detect.yaml +++ b/technologies/linkerd-ssrf-detect.yaml @@ -63,4 +63,4 @@ requests: name: dynbind-error-present regex: - '(?mi)exceeded .*? to unspecified while dyn binding' - part: body \ No newline at end of file + part: body From 410423834c2f3e6e836d5e304b7dd533954b4f18 Mon Sep 17 00:00:00 2001 From: Manuel Bua Date: Mon, 22 Jun 2020 23:41:24 +0200 Subject: [PATCH 3/3] Tweak flags --- technologies/linkerd-badrule-detect.yaml | 4 ++-- technologies/linkerd-ssrf-detect.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/technologies/linkerd-badrule-detect.yaml b/technologies/linkerd-badrule-detect.yaml index 740e9f1d74..7c8722f647 100644 --- a/technologies/linkerd-badrule-detect.yaml +++ b/technologies/linkerd-badrule-detect.yaml 
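Review bot: The `ssrf-response-body` matcher expects the plaintext example.com HTML, but the override routes to `/$/inet/example.com/443`; unless the proxy originates TLS toward the destination, a plain HTTP request forwarded to port 443 will not yield that body, so the one matcher that distinguishes SSRF from mere presence is unlikely to ever fire — `l5d-dtab: /svc/* => /$/inet/example.com/80` keeps the probe and the expected body consistent. The `words` entry is also a single-quoted scalar split across a blank line, so the value begins with a folded newline rather than the sentence; a single line, `- 'This domain is for use in illustrative examples in documents.'`, states the intent plainly. Because the matchers are `or`-combined, the header and timeout regexes (which the file's own comment says only indicate presence) will report a hit under this template's `medium` severity, and nuclei appears to assign severity per template rather than per matcher; consider leaving presence-only matchers to linkerd-badrule-detect so a medium finding means the full-response case was observed.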
@@ -29,13 +29,13 @@ requests: - type: regex name: l5d-err-present regex: - - '(?im)^l5d-err:.*$' + - '(?mi)^l5d-err:.*$' part: header - type: regex name: l5d-success-class-present regex: - - '(?im)^l5d-success-class: 0.*$' + - '(?mi)^l5d-success-class: 0.*$' part: header - type: word diff --git a/technologies/linkerd-ssrf-detect.yaml b/technologies/linkerd-ssrf-detect.yaml index 6083cbe091..941519bc91 100644 --- a/technologies/linkerd-ssrf-detect.yaml +++ b/technologies/linkerd-ssrf-detect.yaml @@ -38,13 +38,13 @@ requests: - type: regex name: l5d-err-present regex: - - '(?im)^l5d-err:.*$' + - '(?mi)^l5d-err:.*$' part: header - type: regex name: l5d-success-class-present regex: - - '(?im)^l5d-success-class: 0.*$' + - '(?mi)^l5d-success-class: 0.*$' part: header - type: word