[BUG] Breach of confidentiality? #5800

Open
1 task done
drwetter opened this issue Nov 6, 2024 · 11 comments
Labels
Type: Discussion Some ideas need to be planned and discussed to come to a strategy.

Comments

@drwetter

drwetter commented Nov 6, 2024

Is there an existing issue for this?

  • I have searched the existing issues.

Current Behavior

I ran a command and it seems that unintentionally (to me, the user) nuclei is opening 1+ connections to AWS when I run this:

nuclei -no-interactsh -vv -sa -tlog log -rl 2 -c 2 -u https://<INTERNAL_TARGET_WITH_FQDN>

Then, on the scanning machine:

prompt> lsof -i -Pn | grep -E 'nuclei|COMMAND'
COMMAND      PID  USER  FD   TYPE DEVICE SIZE/OFF NODE NAME
nuclei    159058 REDACTED 611u  IPv4 349188      0t0  TCP REDACTED:33296->3.78.95.242:465 (ESTABLISHED)
nuclei    159058 REDACTED 611u  IPv4 349188      0t0  TCP REDACTED:40720->104.18.36.161:443 (ESTABLISHED)
prompt>

Also I see a UDP request after startup to 1.1.1.1:53, which fails in this environment, but I am wondering what the point is when the DNS server in the LAN is also queried, as spotted too.

Expected Behavior

DO NOT open connections to the cloud unless the user says so.

Steps To Reproduce

see above

Relevant log output

Environment

  • OS: Opensuse Leap
  • Nuclei: v3.3.5
  • Go: doesn't matter

Anything else?

No response

@drwetter drwetter added the Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. label Nov 6, 2024
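The lsof check in the report is the right instinct; the added example below (not code from the nuclei project or from the reporter) turns it into a repeatable scope check: it parses `lsof -i -Pn` output and lists every peer of the scanner process that is outside the agreed target CIDRs. The lsof lines and the scope range are constructed for the example.

```python
"""Flag outbound connections of a scanner process that fall outside the
agreed target scope, from `lsof -i -Pn` output.

Added example, not from the nuclei project. The lsof lines below are
constructed for this example; the scope CIDR is an assumption."""
import ipaddress
import re

# Constructed sample in the shape of `lsof -i -Pn` (numeric hosts and ports).
LSOF_SAMPLE = """\
COMMAND      PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nuclei    159058 tester 611u  IPv4 349188      0t0  TCP 10.0.0.5:33296->3.78.95.242:465 (ESTABLISHED)
nuclei    159058 tester 612u  IPv4 349190      0t0  TCP 10.0.0.5:40720->104.18.36.161:443 (ESTABLISHED)
nuclei    159058 tester 613u  IPv4 349192      0t0  UDP 10.0.0.5:51234->1.1.1.1:53
nuclei    159058 tester 614u  IPv4 349194      0t0  TCP 10.0.0.5:41000->10.0.0.20:443 (ESTABLISHED)
nuclei    159058 tester 615u  IPv4 349196      0t0  TCP *:8080 (LISTEN)
sshd        1234 root     3u  IPv4   1200      0t0  TCP 10.0.0.5:22->10.0.0.9:50000 (ESTABLISHED)
"""

# Assumed scope: the customer's internal range (add the LAN resolver if it is outside it).
ALLOWED_CIDRS = ["10.0.0.0/24"]

# One lsof row with a peer; listening sockets have no '->' and never match.
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<local>\S+)->(?P<peer>\S+)"
)


def split_host_port(endpoint):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); '[::1]:443' -> ('::1', 443)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port)


def parse_connections(lsof_text, command="nuclei"):
    """Yield (proto, peer_ip, peer_port) for every flow of `command`."""
    for line in lsof_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("cmd") != command:
            continue
        ip, port = split_host_port(m.group("peer"))
        yield m.group("proto"), ip, port


def out_of_scope(lsof_text, allowed_cidrs, command="nuclei"):
    """Return sorted (proto, ip, port) tuples whose peer is in none of the allowed CIDRs."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    hits = set()
    for proto, ip, port in parse_connections(lsof_text, command):
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            hits.add((proto, ip, port))
    return sorted(hits)


if __name__ == "__main__":
    for proto, ip, port in out_of_scope(LSOF_SAMPLE, ALLOWED_CIDRS):
        print(f"out of scope: {proto} {ip}:{port}")
```

Run it against a live capture with `lsof -i -Pn | python3 egress_check.py` after swapping `LSOF_SAMPLE` for `sys.stdin.read()`; anything it prints is a connection the engagement scope did not authorise and deserves a look before the scan continues. lsof only shows sockets that exist at the moment it runs, so sample it in a loop or pair it with a host firewall log for short-lived connections.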
@ehsandeep
Member

@drwetter There are multiple self-contained templates that do not require any additional input to run. When Nuclei is executed without specifying the -t option, it defaults to loading all templates, including these self-contained ones that connect to remote hosts, as expected from the template.

If you want to avoid external connections, I suggest running a specific set of templates using the -t option. Additionally, you can use the -duc option to disable the version check API call from Nuclei.

This is expected behavior. Let me know if you have any additional questions.

@drwetter
Author

drwetter commented Nov 6, 2024

@drwetter There are multiple self-contained templates that do not require any additional input to run. When Nuclei is executed without specifying the -t option, it defaults to loading all templates, including these self-contained ones that connect to remote hosts, as expected from the template.
[..]
If you want to avoid external connections, I suggest running a specific set of templates using the -t option.
[..]
This is expected behavior. Let me know if you have any additional questions.

Sure. This is definitely not expected behavior to me. Why do you think it is?

The suggestion you propose is, for a larger number of hosts to be pen-tested, not a realistic option. In those cases most people throw everything which is offered at the targets. It's kind of impractical to expect users to go through 5000+ templates for like 100 hosts and pick the ones which are most suitable for each host. Was that really what you suggested?

I have a suggestion: why isn't there a tag which preferably opts in (and not opts out) for such external information leaks? *)

Additionally, you can use the -duc option to disable the version check API call from Nuclei.

Fair enough, I haven't checked whether this is one of the culprits (443/tcp). Can you tell? OTOH I don't know why nuclei would check after every subsequent start whether templates and binary are up to date.

*) FYI: I have written a tool which does the first.

@ehsandeep
Member

@drwetter It is expected when all the templates are loaded, as those templates are meant to make external connections. Thanks for the suggestion; we are already working to exclude those templates, including a few more, by default (#5231) for other reasons as well. Hopefully, this concern will also be addressed after the above change.

I haven’t checked whether this is one of the culprits (443/tcp). Can you tell? On the other hand, I don’t know why Nuclei would check after every subsequent start whether templates and binary are up to date?

Based on the IP you shared, it's unrelated to the version check API, but I wanted to share it anyway. The version check is how Nuclei knows whether the binary or templates are outdated; it updates templates when they are, but this behaviour can optionally be disabled.

@dogancanbakir dogancanbakir added Type: Discussion Some ideas need to be planned and discussed to come to a strategy. and removed Type: Bug Inconsistencies or issues which will cause an issue or problem for users or implementors. labels Nov 8, 2024
@drwetter
Author

Hi @ehsandeep ,

thanks for pointing me to the version check API.

For the other thing: where does the issue you cited (#5231) address my point?

Again, if you want to make this tool usable for pentesters who are worrying about where customer data go in the scenario I outlined, the first step would be to acknowledge that this is an issue and not remove the Bug label --> @dogancanbakir

Or at least throw me a bone how I personally can tell which of the nearly 10k templates potentially open connections which I didn't ask for.

@ehsandeep
Member

For the other thing: where does the issue you cited (#5231) address my point?

@drwetter, the connection is created from one of the self-contained templates. I’ve linked the issue about disabling all self-contained templates by default, which should address the scenario you outlined.

@geeknik
Contributor

geeknik commented Nov 14, 2024

Or at least throw me a bone how I personally can tell which of the nearly 10k templates potentially open connections which I didn't ask for.

Build automation. It's what we did and I've spent nearly 3 years perfecting it. 💻

The only bug I see here is an entity who didn't take the time to explore the tool or the templates before running it willy nilly across who knows what kind of infrastructure. I'm not a lawyer, but the liability for your actions absolutely lies with you, not the authors of the tool, who, if I may add, have done their level best to make sure the defaults are safe enough. RTFM! 😆

If you've been in this game long enough, you should know to TRUST, but VERIFY. 🔒

It is the Golden Rule my friend. 👋
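"Build automation" is the practical answer to the question of which templates can reach hosts the user never named. The added example below (not code from nuclei, nuclei-templates, or either commenter) is one such static pass over a templates checkout: it reports every template that is marked `self-contained: true` at top level, and every template whose request section carries a literal host (an `http://`/`https://` URL or a raw `Host:` header) rather than a `{{BaseURL}}`-style variable derived from the target. The three sample templates are constructed for the example and are not real entries from nuclei-templates; treating only those two signals as the definition of "external" is an assumption.

```python
"""Static triage of a nuclei-templates checkout: which templates are
marked self-contained, and which name a literal host that is not derived
from the scan target.

Added example, not from nuclei or nuclei-templates. Assumptions: the
top-level `self-contained: true` key and `{{BaseURL}}`-style placeholders
are the only signals used; the sample templates below are constructed."""
import os
import re
import tempfile

SELF_CONTAINED_RE = re.compile(r"^self-contained:\s*true\s*$", re.M)
# A literal scheme+host such as https://api.example.net:8443 ; placeholders
# like {{Hostname}} contain braces and therefore never match the host class.
LITERAL_URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)(?::\d+)?")
# A Host: header in a raw request whose value is not a template variable.
RAW_HOST_RE = re.compile(r"^\s*Host:\s*([^\s{]+)\s*$", re.M | re.I)


def strip_info_block(text):
    """Drop the top-level `info:` block, which legitimately carries reference URLs."""
    kept, in_info = [], False
    for line in text.splitlines():
        if re.match(r"^info:\s*$", line):
            in_info = True
            continue
        if in_info and line and not line[0].isspace():
            in_info = False  # next top-level key ends the block
        if not in_info:
            kept.append(line)
    return "\n".join(kept)


def classify(text):
    """Return (self_contained, sorted literal hosts) for one template body."""
    body = strip_info_block(text)
    hosts = set(LITERAL_URL_RE.findall(body)) | set(RAW_HOST_RE.findall(body))
    return bool(SELF_CONTAINED_RE.search(text)), sorted(hosts)


def triage(template_dir):
    """Map relative path -> (self_contained, hosts) for every template that is
    self-contained or names a literal host; target-scoped templates are omitted."""
    findings = {}
    for root, _dirs, files in os.walk(template_dir):
        for name in files:
            if not name.endswith((".yaml", ".yml")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8") as fh:
                sc, hosts = classify(fh.read())
            if sc or hosts:
                rel = os.path.relpath(path, template_dir).replace(os.sep, "/")
                findings[rel] = (sc, hosts)
    return findings


# Constructed sample templates (not real nuclei-templates entries).
SAMPLES = {
    "http/target-scoped.yaml": """\
id: sample-target-scoped
info:
  name: Login page check
  severity: info
  reference:
    - https://advisory.example.com/notes
http:
  - method: GET
    path:
      - "{{BaseURL}}/login"
""",
    "http/self-contained-url.yaml": """\
id: sample-self-contained-url
info:
  name: Third-party status probe
  severity: info
self-contained: true
http:
  - method: GET
    path:
      - "https://api.example.net/v1/status"
""",
    "http/self-contained-raw.yaml": """\
id: sample-self-contained-raw
info:
  name: Raw request to a fixed host
  severity: info
self-contained: true
http:
  - raw:
      - |
        GET /ping HTTP/1.1
        Host: telemetry.example.org
""",
}


def write_samples(base_dir):
    for rel, body in SAMPLES.items():
        path = os.path.join(base_dir, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Write the constructed samples to a temp dir and triage them."""
    with tempfile.TemporaryDirectory() as d:
        write_samples(d)
        return triage(d)


if __name__ == "__main__":
    for rel, (sc, hosts) in sorted(demo().items()):
        print(f"{rel}: self-contained={sc} literal_hosts={hosts}")
```

Point `triage()` at a real checkout and the keys of the result are a candidate list for nuclei's `-exclude-templates` option, or for review before an engagement. It is a heuristic, not a proof of silence: a template can still reach a third party through a host built from variables, through `dns:` or `network:` sections this pass does not inspect, or through the binary's own update check, so keep the runtime lsof check alongside it.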

@drwetter
Author

The only bug I see here is an entity who didn't take the time to explore the tool or the templates before running it willy nilly across who knows what kind of infrastructure.

yeah, right. You're telling me if you need to pentest 20-100+ servers with unknown services/software you go manually through nearly 10k templates? Thanks for the advice. That was exactly what I was waiting for. Not.

@drwetter
Author

drwetter commented Nov 14, 2024

^^ why did all of a sudden the heart, rocket, eyes emojis to my previous comment disappear? C'mon. Really?

@drwetter
Author

@drwetter, the connection is created from one of the self-contained templates. I’ve linked the issue about disabling all self-contained templates by default, which should address the scenario you outlined.

@ehsandeep : It seems now one only?? If so can you please name names?

@ehsandeep
Member

@drwetter new release of nuclei is out: https://github.com/projectdiscovery/nuclei/releases/tag/v3.3.6. In this version, self-contained templates are disabled by default. Let me know if you notice the same behavior after updating to the latest nuclei release.

@ehsandeep
Member

@ehsandeep : It seems now one only?? If so can you please name names?

it needed further investigation to pinpoint specific templates, I've listed them here - projectdiscovery/nuclei-templates#11238
