293 lines
8.9 KiB
Bash
Executable File
293 lines
8.9 KiB
Bash
Executable File
#!/bin/bash
|
|
#
|
|
# Security POC Test Harness
|
|
# Builds containers, runs exploits, and generates findings report
|
|
#
|
|
|
|
set -e
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
cd "$SCRIPT_DIR"
|
|
|
|
# Colors for output
|
|
RED='\033[0;31m'
|
|
GREEN='\033[0;32m'
|
|
YELLOW='\033[1;33m'
|
|
BLUE='\033[0;34m'
|
|
NC='\033[0m' # No Color
|
|
|
|
echo -e "${BLUE}╔════════════════════════════════════════════════════════════╗${NC}"
|
|
echo -e "${BLUE}║ NANOBOT SECURITY AUDIT POC HARNESS ║${NC}"
|
|
echo -e "${BLUE}╚════════════════════════════════════════════════════════════╝${NC}"
|
|
echo ""
|
|
|
|
# Create results directory
|
|
mkdir -p results sensitive
|
|
|
|
# Create test sensitive files
|
|
echo "SECRET_API_KEY=sk-supersecret12345" > sensitive/api_keys.txt
|
|
echo "DATABASE_PASSWORD=admin123" >> sensitive/api_keys.txt
|
|
echo "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE" >> sensitive/api_keys.txt
|
|
|
|
# Function to print section headers
|
|
section() {
|
|
echo ""
|
|
echo -e "${YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
|
|
echo -e "${YELLOW} $1${NC}"
|
|
echo -e "${YELLOW}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
|
|
echo ""
|
|
}
|
|
|
|
# Function to run POC in container
|
|
run_poc() {
|
|
local poc_name=$1
|
|
local poc_script=$2
|
|
|
|
echo -e "${BLUE}[*] Running: $poc_name${NC}"
|
|
docker compose run --rm nanobot python "$poc_script" 2>&1 || true
|
|
}
|
|
|
|
# Parse arguments
|
|
BUILD_ONLY=false
|
|
VULNERABLE=false
|
|
CLEAN=false
|
|
|
|
while [[ $# -gt 0 ]]; do
|
|
case $1 in
|
|
--build-only)
|
|
BUILD_ONLY=true
|
|
shift
|
|
;;
|
|
--vulnerable)
|
|
VULNERABLE=true
|
|
shift
|
|
;;
|
|
--clean)
|
|
CLEAN=true
|
|
shift
|
|
;;
|
|
--help)
|
|
echo "Usage: $0 [OPTIONS]"
|
|
echo ""
|
|
echo "Options:"
|
|
echo " --build-only Only build containers, don't run tests"
|
|
echo " --vulnerable Also test with vulnerable dependency versions"
|
|
echo " --clean Clean up containers and results before running"
|
|
echo " --help Show this help message"
|
|
exit 0
|
|
;;
|
|
*)
|
|
echo "Unknown option: $1"
|
|
exit 1
|
|
;;
|
|
esac
|
|
done
|
|
|
|
# Clean up if requested
|
|
if [ "$CLEAN" = true ]; then
|
|
section "Cleaning Up"
|
|
docker compose down -v 2>/dev/null || true
|
|
rm -rf results/*
|
|
echo -e "${GREEN}[✓] Cleanup complete${NC}"
|
|
fi
|
|
|
|
# Build containers
|
|
section "Building Containers"
|
|
echo -e "${BLUE}[*] Building nanobot POC container...${NC}"
|
|
docker compose build nanobot
|
|
|
|
if [ "$VULNERABLE" = true ]; then
|
|
echo -e "${BLUE}[*] Building vulnerable nanobot container...${NC}"
|
|
docker compose --profile vulnerable build nanobot-vulnerable
|
|
fi
|
|
|
|
echo -e "${GREEN}[✓] Build complete${NC}"
|
|
|
|
if [ "$BUILD_ONLY" = true ]; then
|
|
echo ""
|
|
echo -e "${GREEN}Build complete. Run without --build-only to execute tests.${NC}"
|
|
exit 0
|
|
fi
|
|
|
|
# Run Shell Injection POC
|
|
section "Shell Command Injection POC"
|
|
echo -e "${RED}Testing: Bypass of dangerous command pattern regex${NC}"
|
|
echo -e "${RED}Target: nanobot/agent/tools/shell.py${NC}"
|
|
echo ""
|
|
run_poc "Shell Injection" "/app/poc/exploits/shell_injection.py"
|
|
|
|
# Run Path Traversal POC
|
|
section "Path Traversal / Unrestricted File Access POC"
|
|
echo -e "${RED}Testing: Unrestricted file system access${NC}"
|
|
echo -e "${RED}Target: nanobot/agent/tools/filesystem.py${NC}"
|
|
echo ""
|
|
run_poc "Path Traversal" "/app/poc/exploits/path_traversal.py"
|
|
|
|
# Run LiteLLM RCE POC
|
|
section "LiteLLM RCE Vulnerability POC"
|
|
echo -e "${RED}Testing: Remote Code Execution via eval() - CVE-2024-XXXX${NC}"
|
|
echo -e "${RED}Affected: litellm < 1.40.16${NC}"
|
|
echo ""
|
|
run_poc "LiteLLM RCE" "/app/poc/exploits/litellm_rce.py"
|
|
|
|
# Run vulnerable version tests if requested
|
|
if [ "$VULNERABLE" = true ]; then
|
|
section "Vulnerable Dependency Tests (litellm == 1.28.11)"
|
|
echo -e "${RED}Testing: Known CVEs in older litellm versions${NC}"
|
|
echo ""
|
|
echo -e "${BLUE}[*] Testing vulnerable litellm version...${NC}"
|
|
docker compose --profile vulnerable run --rm nanobot-vulnerable \
|
|
python /app/poc/exploits/litellm_rce.py 2>&1 || true
|
|
fi
|
|
|
|
# Generate summary report
|
|
section "Generating Summary Report"
|
|
|
|
REPORT_FILE="results/poc_report_$(date +%Y%m%d_%H%M%S).md"
|
|
|
|
cat > "$REPORT_FILE" << 'EOF'
|
|
# Security POC Test Results
|
|
|
|
## Executive Summary
|
|
|
|
This report contains the results of proof-of-concept tests demonstrating
|
|
vulnerabilities identified in the nanobot security audit.
|
|
|
|
## Test Environment
|
|
|
|
- **Date:** $(date)
|
|
- **Platform:** Docker containers (Python 3.11)
|
|
- **Target:** nanobot application
|
|
|
|
## Vulnerability 1: Shell Command Injection
|
|
|
|
**Severity:** MEDIUM
|
|
**Location:** `nanobot/agent/tools/shell.py`
|
|
|
|
### Description
|
|
The shell tool uses `asyncio.create_subprocess_shell()` which passes commands
|
|
directly to the shell. While a regex pattern blocks some dangerous commands,
|
|
many bypass techniques exist.
|
|
|
|
### POC Results
|
|
See: `results/shell_injection_results.json`
|
|
|
|
### Bypasses Demonstrated
|
|
- Command substitution: `$(cat /etc/passwd)`
|
|
- Base64 encoding: `echo BASE64 | base64 -d | bash`
|
|
- Alternative interpreters: `python3 -c 'import os; ...'`
|
|
- Environment exfiltration: `env | grep KEY`
|
|
|
|
### Recommended Mitigations
|
|
1. Use `create_subprocess_exec()` instead of shell execution
|
|
2. Implement command whitelisting
|
|
3. Run in isolated container with minimal permissions
|
|
4. Use seccomp/AppArmor profiles
|
|
|
|
---
|
|
|
|
## Vulnerability 2: Path Traversal / Unrestricted File Access
|
|
|
|
**Severity:** MEDIUM
|
|
**Location:** `nanobot/agent/tools/filesystem.py`
|
|
|
|
### Description
|
|
The `_validate_path()` function supports a `base_dir` parameter for restricting
|
|
file access, but this parameter is never passed by any of the file tools,
|
|
allowing unrestricted file system access.
|
|
|
|
### POC Results
|
|
See: `results/path_traversal_results.json`
|
|
|
|
### Access Demonstrated
|
|
- Read `/etc/passwd` - user enumeration
|
|
- Read environment variables via `/proc/self/environ`
|
|
- Write files to `/tmp` and other writable locations
|
|
- List any directory on the system
|
|
|
|
### Recommended Mitigations
|
|
1. Always pass `base_dir` parameter with workspace path
|
|
2. Add additional path validation (no symlink following)
|
|
3. Run with minimal filesystem permissions
|
|
4. Use read-only mounts for sensitive directories
|
|
|
|
---
|
|
|
|
## Vulnerability 3: LiteLLM Remote Code Execution (CVE-2024-XXXX)
|
|
|
|
**Severity:** CRITICAL
|
|
**Affected Versions:** litellm <= 1.28.11 and < 1.40.16
|
|
|
|
### Description
|
|
Multiple vulnerabilities in litellm allow Remote Code Execution through:
|
|
- Unsafe use of `eval()` on user-controlled input
|
|
- Template injection in string processing
|
|
- Unsafe callback handler processing
|
|
- Server-Side Template Injection (SSTI)
|
|
|
|
### POC Results
|
|
See: `results/litellm_rce_results.json`
|
|
|
|
### Impact
|
|
- Arbitrary code execution on the server
|
|
- Access to environment variables (API keys, secrets)
|
|
- Full file system access
|
|
- Potential for reverse shell and lateral movement
|
|
|
|
### Recommended Mitigations
|
|
1. Upgrade litellm to >= 1.61.15 (latest stable)
|
|
2. Pin to specific patched version in requirements
|
|
3. Run in isolated container environment
|
|
4. Implement network egress filtering
|
|
|
|
---
|
|
|
|
## Dependency Vulnerabilities
|
|
|
|
### litellm (Current: >=1.61.15)
|
|
- Multiple CVEs in versions < 1.40.16 (RCE, SSRF)
|
|
- Current version appears patched
|
|
- **Recommendation:** Pin to specific patched version
|
|
|
|
### ws (WebSocket) (Current: ^8.17.1)
|
|
- DoS vulnerability in versions < 8.17.1
|
|
- Current version appears patched
|
|
- **Recommendation:** Pin to specific patched version
|
|
|
|
---
|
|
|
|
## Conclusion
|
|
|
|
The POC tests confirm that the identified vulnerabilities are exploitable.
|
|
While some mitigations exist (pattern blocking, timeouts), they can be bypassed.
|
|
|
|
### Priority Recommendations
|
|
|
|
1. **CRITICAL:** Ensure litellm is upgraded to patched version
|
|
2. **HIGH:** Implement proper input validation for shell commands
|
|
3. **HIGH:** Enforce base_dir restriction for all file operations
|
|
4. **MEDIUM:** Pin dependency versions to known-good releases
|
|
5. **LOW:** Add rate limiting to authentication
|
|
|
|
EOF
|
|
|
|
# Update report with actual date
|
|
sed -i "s/\$(date)/$(date)/g" "$REPORT_FILE"
|
|
|
|
echo -e "${GREEN}[✓] Report generated: $REPORT_FILE${NC}"
|
|
|
|
# Final summary
|
|
section "POC Execution Complete"
|
|
|
|
echo -e "${GREEN}Results saved to:${NC}"
|
|
echo " - results/shell_injection_results.json"
|
|
echo " - results/path_traversal_results.json"
|
|
echo " - results/litellm_rce_results.json"
|
|
echo " - $REPORT_FILE"
|
|
echo ""
|
|
echo -e "${YELLOW}To clean up:${NC}"
|
|
echo " docker compose down -v"
|
|
echo ""
|
|
echo -e "${BLUE}To run interactively:${NC}"
|
|
echo " docker compose run --rm nanobot bash"
|