Skip to content

Latest commit

 

History

History
102 lines (70 loc) · 6.04 KB

attack-tree.md

File metadata and controls

102 lines (70 loc) · 6.04 KB

Attack Tree Analysis for openresty/lua-nginx-module

Objective: To achieve Remote Code Execution (RCE) on the Nginx server hosting the application, leveraging vulnerabilities or misconfigurations within the lua-nginx-module ecosystem.

Attack Tree Visualization

[Attacker Achieves RCE via lua-nginx-module] [CRITICAL NODE] | ------------------------------------------------------------------------- | | [Exploit Lua Code Injection] [Abuse Lua-Resty Library Vulnerabilities] | | ==HIGH-RISK PATH== ==HIGH-RISK PATH== | | | | [Unsafe Eval] [Path Traversal] [Known CVE in Resty Lib] [Unsafe Deserialization] | | | | [CRITICAL NODE] [CRITICAL NODE] [CRITICAL NODE] [CRITICAL NODE] [Dynamic Code] [Read/Write Files] [e.g., CVE-2021-24750] [Unsafe Input] [Generation] [Outside Allowed Paths] [lua-resty-lrucache] ==HIGH-RISK PATH==

Attack Tree Path: Attacker Achieves RCE via lua-nginx-module

  • Description: This is the ultimate objective of the attacker – gaining the ability to execute arbitrary code on the server.
  • Likelihood: N/A (This is the goal, not a step)
  • Impact: High (Complete server compromise)
  • Effort: N/A
  • Skill Level: N/A
  • Detection Difficulty: N/A

Attack Tree Path: Exploit Lua Code Injection

  • Description: The attacker successfully injects malicious Lua code into the application's execution context.

Attack Tree Path: ==HIGH-RISK PATH== (under Exploit Lua Code Injection)

  • Description: This path represents a likely and impactful sequence of actions involving either unsafe evaluation of code or path traversal vulnerabilities.

Attack Tree Path: Unsafe Eval

  • Description: The application uses functions like loadstring (or similar) to execute Lua code that is constructed, at least in part, from user-supplied input without proper sanitization or validation.
  • Likelihood: Medium
  • Impact: High (Direct RCE)
  • Effort: Medium
  • Skill Level: Medium
  • Detection Difficulty: Medium

Attack Tree Path: Dynamic Code Generation (under Unsafe Eval)

  • Description: The application dynamically generates Lua code based on user input. If this input is not carefully controlled, an attacker can inject malicious code.

Attack Tree Path: Path Traversal

  • Description: The application uses Lua to read or write files, and the file path is constructed using user-supplied input without proper sanitization. This allows an attacker to access or modify files outside the intended directory.
  • Likelihood: Medium
  • Impact: High (File overwrite, data leak, potential RCE)
  • Effort: Medium
  • Skill Level: Medium
  • Detection Difficulty: Medium

Attack Tree Path: Read/Write Files Outside Allowed Paths (under Path Traversal)

  • Description: The attacker successfully manipulates the file path to access or modify files outside of the intended directory, often using sequences like "../"

Attack Tree Path: ==HIGH-RISK PATH== (under Path Traversal)

  • Description: This path represents the successful exploitation of a path traversal vulnerability, leading to unauthorized file access or modification.

Attack Tree Path: Abuse Lua-Resty Library Vulnerabilities

  • Description: The attacker exploits vulnerabilities in commonly used lua-resty-* libraries.

Attack Tree Path: ==HIGH-RISK PATH== (under Abuse Lua-Resty Library Vulnerabilities)

  • Description: This path represents a likely and impactful sequence of actions involving either known CVEs or unsafe deserialization.

Attack Tree Path: Known CVE in Resty Lib

  • Description: The application uses an outdated version of a lua-resty-* library that has a publicly known vulnerability (with a CVE identifier) that can be exploited.
  • Likelihood: Low (Assuming patching is done)
  • Impact: High (Depends on the CVE, but often RCE or other serious issues)
  • Effort: Low (Exploits are often publicly available)
  • Skill Level: Low (Often requires minimal skill)
  • Detection Difficulty: Low (Vulnerability scanners can detect this)

Attack Tree Path: e.g., CVE-2021-24750 (lua-resty-lrucache) (under Known CVE in Resty Lib)

  • Description: A specific example of a known CVE in a popular library. While this particular CVE is for a DoS, it illustrates the concept.

Attack Tree Path: Unsafe Deserialization

  • Description: The application uses a library (e.g., lua-cjson) to deserialize data from an untrusted source. If the library has vulnerabilities related to unsafe object creation during deserialization, an attacker can potentially achieve RCE.
  • Likelihood: Medium
  • Impact: High (Potential RCE)
  • Effort: Medium
  • Skill Level: Medium
  • Detection Difficulty: High

Attack Tree Path: Unsafe Input (under Unsafe Deserialization)

  • Description: The attacker provides specially crafted input to the deserialization function that triggers the vulnerability.