
Pentest / Source Code Review

Open moloch-- opened this issue 6 years ago • 8 comments

Get someone other than myself and Ronan to review the code.

moloch-- Apr 29 '19 21:04

Example considerations (non exhaustive list):

  • Attacker has access to the source (once we open source the project)
  • Multiplayer: unauthorized access to a sliver server
  • Unauthorized access to running agents (i.e. ability to spoof the server / send commands to running slivers)
  • RCE via logged-in operator (might be worth checking for shell escape issues in the generate and msf commands)
  • ...

rkervella May 02 '19 13:05

We may want to document specific security objectives. As you stated, to me there is a clear security boundary between the operator and the server: an operator should not inherently be able to run commands or code on the server. I also added an "audit log" to the server for a white team to review, which records all of the (remote) operators' commands and relies on this boundary.

moloch-- May 02 '19 15:05

Totally agree with this. Also, I don't know the status for other projects, but I think putting detailed GitHub issues with the security label could be enough for the reporting part.

rkervella May 02 '19 15:05

I'd be happy to help in this effort, but I'll need to tackle some other PRs to familiarize myself with the codebase. If I don't circle back to this in a couple of weeks, ping me.

Eriner May 19 '19 15:05

@altf4 - If R&D wants to chip in :)

moloch-- May 23 '19 22:05

Coverity offers a free scan for OSS projects, maybe we should try it.

h4ng3r-BF Mar 05 '20 17:03

From their main page:

Find and fix defects in your Java, C/C++, C#, JavaScript, Ruby, or Python open source project for free

rkervella Mar 05 '20 17:03

Sorry, Golang is available in 2019.06 but the scan is still on 2019.03; maybe in a few months they will upgrade to 2019.06.

h4ng3r-BF Mar 05 '20 17:03