Skip to content

Latest commit

 

History

History
134 lines (112 loc) · 8.99 KB

vulnerabilities-workflow-1.md

File metadata and controls

134 lines (112 loc) · 8.99 KB

Combined Vulnerability List

This document combines the identified vulnerabilities into a single list, removing any duplicates and maintaining the detailed descriptions for each.

1. Vulnerability Name: Dynamic Block Type Expansion with Uncontrolled Collection Length

  • Description:

    1. An attacker crafts a malicious HCL configuration.
    2. The configuration includes a dynamic block definition.
    3. The for_each attribute of the dynamic block is set to an expression that, when evaluated, results in an excessively large collection (e.g., a list or map with millions of elements).
    4. The attacker submits this configuration to the application for parsing and processing.
    5. When the application attempts to expand the dynamic block, it iterates over the very large collection.
    6. For each element in the collection, a new block is generated, consuming significant resources (memory and CPU).
    7. This excessive resource consumption leads to performance degradation, application instability, or potential memory exhaustion.

  • Impact: High. Excessive resource consumption (memory, CPU) leading to performance degradation or potential application instability. In cloud environments, it could lead to increased costs due to resource scaling.

  • Vulnerability Rank: high

  • Currently implemented mitigations: None. No explicit size limits or resource controls for dynamic block expansion are implemented in the provided code.

  • Missing mitigations:

    • Implement limits on the maximum size (number of elements) of the for_each collection allowed in dynamic blocks.
    • Introduce resource quotas or timeouts to restrict the resources consumed during dynamic block expansion, preventing unbounded consumption.
    • Implement validation of the for_each expression result to ensure it is within acceptable size limits before proceeding with expansion.

  • Preconditions:

    • The application using HCL must have the dynamic blocks extension enabled.
    • The application must process HCL configurations where the for_each attribute in dynamic blocks can be influenced or directly controlled by external users (attackers).

  • Source code analysis:

    1. File: /code/ext/dynblock/expand_body.go
    2. Function: expandBlocks
    3. The expandBlocks function processes dynamic blocks by iterating over the collection obtained from the for_each attribute:
    for it := forEachVal.ElementIterator(); it.Next(); {
    key, value := it.Element()
    // ... block generation logic ...
}
    1. There are no explicit checks within this loop or in the surrounding code to limit the number of iterations or the size of the forEachVal collection.
    2. If a malicious user can provide a configuration with a for_each expression that evaluates to a very large collection, the expandBlocks function will attempt to iterate over all its elements, generating a large number of blocks and consuming excessive resources.
    3. This unbounded iteration can lead to memory exhaustion or significant performance degradation, as the application attempts to create and manage a huge number of dynamically generated blocks.

  • Security test case:

    1. Prepare a malicious HCL input configuration (e.g., evil_config.hcl). This configuration should define a dynamic block with a for_each expression that generates a very large list. For example:
    variable "large_count" {
  type    = number
  default = 200000
}

locals {
  large_list = range(var.large_count)
}

resource "test_resource" "test" {
  dynamic "large_block_gen" {
    for_each = local.large_list
    content {
      attribute = "test_value"
    }
  }
}
    1. Configure the target application to parse and process evil_config.hcl, ensuring that the dynamic block extension is enabled in the HCL parsing/processing engine.
    2. As an external attacker, initiate the application's configuration loading process using the malicious configuration.
    3. Monitor the resource consumption of the application process during configuration loading, specifically memory and CPU usage.
    4. Observe if the application exhibits a significant increase in memory consumption, CPU usage spikes, or becomes unresponsive.
    5. If the application's performance degrades significantly or if it exhausts available memory and potentially crashes, the vulnerability is confirmed. The extent of the degradation or resource exhaustion should be considered high, as it impacts application availability and stability.

2. Vulnerability Name: Potential Code Injection via User-Defined Functions

  • Description:

    1. An attacker crafts a malicious HCL configuration file.
    2. This configuration file defines a user-defined function using the function block from the userfunc extension.
    3. Within the result expression of the function, the attacker injects code, potentially leveraging application-provided functions or other HCL features.
    4. When the application parses and evaluates this configuration file, the malicious user-defined function is registered.
    5. If the application subsequently calls this user-defined function, the injected code within the result expression is executed within the application's context.

  • Impact:

    • Critical: Code injection can allow the attacker to execute arbitrary code on the server, potentially leading to complete system compromise, data exfiltration, or further attacks on internal infrastructure.

  • Vulnerability Rank: critical

  • Currently Implemented Mitigations:

    • None evident from the provided files. The userfunc extension focuses on functionality rather than security.

  • Missing Mitigations:

    • Input validation and sanitization: The result expression within user-defined functions should be strictly validated and sanitized to prevent injection of malicious code.
    • Sandboxing or restricted execution environment: User-defined functions should be executed in a sandboxed or restricted environment with limited privileges to minimize the impact of potential code injection vulnerabilities.
    • Principle of least privilege: Avoid providing overly powerful or unsafe functions to the HCL evaluation context that could be misused by attackers through user-defined functions.

  • Preconditions:

    • The application must enable and use the userfunc extension.
    • The application must parse and evaluate HCL configuration files provided or influenced by external users.
    • The application must call user-defined functions defined in the configuration.

  • Source Code Analysis:

    1. File: /code/ext/userfunc/decode.go: The decodeUserFunctions function parses function blocks and registers them in the funcs map.
    2. File: /code/ext/userfunc/decode.go: The impl function within decodeUserFunctions directly evaluates the resultExpr using resultExpr.Value(ctx).
    3. File: /code/ext/userfunc/decode.go: The ctx used for evaluation is created using getBaseCtx() and populated with function parameters, but there is no explicit sanitization or validation of the resultExpr itself.
    4. Visualization:
    User-provided config file --> HCL Parser --> AST (Body) --> DecodeUserFunctions
                                                                |
                                                                V
function "malicious" {                                     funcs map[string]function.Function
  params = [...]                                                |
  result = <INJECTED CODE>                                     |
}                                                              |
                                                                V
Application calls "malicious" function --> impl function (decode.go) --> resultExpr.Value(ctx) --> INJECTED CODE EXECUTION

  • Security Test Case:

    1. Create a malicious HCL configuration file (e.g., malicious.hcl) with a user-defined function that attempts to execute a system command:
    function "malicious_command" {
  params = []
  result = exec("/bin/sh", "-c", "whoami > /tmp/hcl_pwned") // Assuming 'exec' function is available in the context for demonstration
}

vulnerable_block {
  action = malicious_command()
}

    1. Set up a test application that:

      • Uses hclsimple.DecodeFile or a lower-level API to parse and decode the malicious.hcl file.
      • Includes the userfunc extension and registers user-defined functions from the configuration.
      • Executes code that triggers the vulnerable_block which in turn calls the malicious_command function.

    2. Run the test application with the malicious.hcl file.

    3. Observe if the file /tmp/hcl_pwned is created and contains the output of the whoami command. If it is, the code injection vulnerability is confirmed.

    4. Check application logs or system behavior for any other signs of code execution or unexpected actions triggered by the malicious configuration.