This repository has been archived by the owner on Jun 16, 2022. It is now read-only.

Attack surface in environment variables #10

Closed
ruppde opened this issue Dec 12, 2021 · 2 comments
Labels
CTI (Improvements or additions to IoCs, detection, mitigation), investigate (Investigation required)

Comments


ruppde commented Dec 12, 2021

hi,

here's a feature wish: would be great to have a collection of environment variables which get scraped by attackers, like it's partly done here: https://twitter.com/Laughing_Mantis/status/1469789508535087104?s=20

there will probably be more juicy targets and it helps to know where the great reset has to be done after patching.

regards
arnim

@rkokkelk rkokkelk added the CTI (Improvements or additions to IoCs, detection, mitigation) label Dec 13, 2021
@pbeij pbeij added the investigate Investigation required label Dec 13, 2021
bolshoytoster commented

The AWS environment variables are as follows:

AWS_ACCESS_KEY_ID <--
AWS_CA_BUNDLE
AWS_CLI_AUTO_PROMPT
AWS_CLI_FILE_ENCODING
AWS_CONFIG_FILE <--
AWS_DEFAULT_OUTPUT
AWS_DEFAULT_REGION
AWS_EC2_METADATA_DISABLED
AWS_MAX_ATTEMPTS
AWS_PAGER
AWS_PROFILE <--
AWS_REGION
AWS_RETRY_MODE
AWS_ROLE_ARN
AWS_ROLE_SESSION_NAME
AWS_SECRET_ACCESS_KEY <-- 
AWS_SESSION_TOKEN <--
AWS_SHARED_CREDENTIALS_FILE <--
AWS_STS_REGIONAL_ENDPOINTS
AWS_WEB_IDENTITY_TOKEN_FILE <--

Most of these are pretty useless to an attacker, apart from the ones marked with arrows.

Another thing to note: these are only useful against AWS servers; they likely won't be defined on anything else. For other servers you could still use some common environment variables to learn more about the server:

Windows:

ALLUSERSPROFILE
APPDATA
CommonProgramFiles
CommonProgramFiles(x86)
CommonProgramW6432
COMPUTERNAME
ComSpec
HOMEDRIVE
HOMEPATH
LOCALAPPDATA
LOGONSERVER
PATH <--
PATHEXT <--
ProgramData
ProgramFiles
ProgramFiles(x86)
ProgramW6432
PROMPT
PSModulePath
PUBLIC
SystemDrive
SystemRoot
TEMP
TMP
USERDOMAIN
USERNAME
USERPROFILE
windir

The only two I can see being useful are PATH and PATHEXT; they could give you an idea as to what software is installed/running.

Linux (ubuntu, the most popular distro for servers):

SHELL
SESSION_MANAGER
QT_ACCESSIBILITY
COLORTERM
XDG_CONFIG_DIRS
XDG_MENU_PREFIX
GNOME_DESKTOP_SESSION_ID
LANGUAGE
GNOME_SHELL_SESSION_MODE
SSH_AUTH_SOCK
DESKTOP_SESSION
SSH_AGENT_PID
GTK_MODULES
PWD
LOGNAME
XDG_SESSION_DESKTOP
XDG_SESSION_TYPE
GPG_AGENT_INFO
XAUTHORITY
WINDOWPATH
HOME
USERNAME
IM_CONFIG_PHASE
LANG
LS_COLORS
XDG_CURRENT_DESKTOP
VTE_VERSION
GNOME_TERMINAL_SCREEN
INVOCATION_ID
MANAGERPID
LESSCLOSE
XDG_SESSION_CLASS
TERM
LESSOPEN
USER
GNOME_TERMINAL_SERVICE
DISPLAY
SHLVL
XDG_RUNTIME_DIR
JOURNAL_STREAM
XDG_DATA_DIRS
PATH
GDMSESSION
DBUS_SESSION_BUS_ADDRESS
_
OLDPWD

Linux environment variables are a lot more useful; pretty much all of them can be used to tell what software is installed/running and what versions they are running at.

MacOS:
Nobody runs a server on mac.

These other environment variables aren't very useful on their own but you can use them to find other vulnerable software running on the server, potentially leading to another exploit.

I can submit a PR to add these to the repo if they're useful.
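As an added defender-side example (not code from this repository or from the commenter): a small audit that applies the arrow-marked AWS list above to a host's running processes, parsing the NUL-separated `/proc/<pid>/environ` format and reporting which credentials have to be rotated after patching, which is the "great reset" question from the opening post. It assumes a Linux host and root privileges to read other users' process environments.

```python
from pathlib import Path

# Arrow-marked AWS variables from the comment above, split into direct secrets
# (rotate the credential) and pointers to credential files (inspect/rotate the file).
AWS_SECRET_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}
AWS_POINTER_VARS = {"AWS_PROFILE", "AWS_CONFIG_FILE",
                    "AWS_SHARED_CREDENTIALS_FILE", "AWS_WEB_IDENTITY_TOKEN_FILE"}
FINGERPRINT_VARS = {"PATH", "PATHEXT"}  # the two the comment flags on Windows


def parse_proc_environ(raw: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE layout of /proc/<pid>/environ."""
    env = {}
    for entry in raw.split(b"\0"):
        key, sep, value = entry.partition(b"=")
        if sep:  # skips the trailing empty entry left by the final NUL
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def classify_environment(env: dict) -> dict:
    """Sort an environment into secrets to rotate, files to inspect and fingerprint info."""
    report = {"rotate": [], "inspect_file": [], "fingerprint": []}
    for key, value in env.items():
        if key in AWS_SECRET_VARS and value:
            report["rotate"].append(key)
        elif key in AWS_POINTER_VARS and value:
            report["inspect_file"].append((key, value))
        elif key in FINGERPRINT_VARS:
            report["fingerprint"].append(key)
    return report


def audit_running_processes(proc_root: str = "/proc") -> dict:
    """Report each process (pid and comm) whose environment exposes AWS secrets; unreadable entries are skipped."""
    findings = {}
    for pid_dir in Path(proc_root).iterdir():
        if not pid_dir.name.isdigit():
            continue
        try:
            env = parse_proc_environ((pid_dir / "environ").read_bytes())
            comm = (pid_dir / "comm").read_text().strip()
        except OSError:
            continue  # not our process and not root, or the process already exited
        report = classify_environment(env)
        if report["rotate"] or report["inspect_file"]:
            findings[f"{pid_dir.name} ({comm})"] = report
    return findings
```

Run `audit_running_processes()` as root on a patched host; every process listed under "rotate" held a live credential that a lookup-based leak could have exfiltrated, so rotating it is the minimum follow-up.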

Collaborator

pbeij commented Dec 23, 2021

Thanks for the information. There were no other pull requests or issues regarding this.
I will close this issue for now; if you have any more information or questions, please let me know.

@pbeij pbeij closed this as completed Dec 23, 2021