Mythic
Info Disclosure between Mythic Instances when using SSH tunnels
If Team A and Team B have Mythic set up so that you have to SSH tunnel into a host in order to view the web console, then if one user moves from Team A to Team B, the localStorage for 127.0.0.1:7443 will contain semi-sensitive information of Team A that can be loaded by Team B's instance of Mythic in that user's browser.
In our case it caused a minor heart attack because it seemed agents were calling back to a c2 that shouldn't have been possible.
This is simply a symptom of the ssh port forwarding, however given the typical use case of Mythic, it may be worth solving.
Not knowing the code base very well, my idea for how to solve it would be to use the simplest crypto library you can, and have each server use a unique symmetric encryption key on things such as openTabs.
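The root cause described above, and one way to partition the state, as an added example that is not Mythic's own code and was not posted by anyone in this thread. Browser localStorage is keyed by origin (scheme, host and port), so every server reached through the same `ssh -L 127.0.0.1:7443:...` forward reads and writes the same storage. The example assumes a hypothetical per-server instance identifier that the web console can learn from the server it is actually talking to, and uses an in-memory stand-in for `window.localStorage` so it runs under Node.

```javascript
// Added example (not Mythic's code): two Mythic instances reached through the
// same local SSH forward share browser state because localStorage is scoped to
// the origin (https://127.0.0.1:7443), not to the server behind the tunnel.
// The partitioned variant namespaces every key by a per-server identifier
// (hypothetical: assume the server exposes a random instance id) and discards
// any stored record that was written for a different instance.

// In-memory stand-in for window.localStorage so this runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
  key(i) { return [...this.map.keys()][i] ?? null; }
  get length() { return this.map.size; }
}

// Naive behaviour: one global key, which is what lets Team A's tabs show up
// inside Team B's console after the user re-points the SSH tunnel.
function saveOpenTabsNaive(storage, tabs) {
  storage.setItem('openTabs', JSON.stringify(tabs));
}
function loadOpenTabsNaive(storage) {
  const raw = storage.getItem('openTabs');
  return raw ? JSON.parse(raw) : [];
}

// Partitioned behaviour: both the key and the stored record carry the
// instance id of the server the console is connected to.
function storageKey(instanceId, name) {
  return `mythic:${instanceId}:${name}`;
}
function saveOpenTabs(storage, instanceId, tabs) {
  const record = { instanceId, savedAt: Date.now(), tabs };
  storage.setItem(storageKey(instanceId, 'openTabs'), JSON.stringify(record));
}
function loadOpenTabs(storage, instanceId) {
  const raw = storage.getItem(storageKey(instanceId, 'openTabs'));
  if (!raw) return [];
  let record;
  try { record = JSON.parse(raw); } catch { return []; }
  // Even if a key somehow collides, a record written by another instance
  // (or a malformed one) is dropped rather than rendered.
  if (!record || record.instanceId !== instanceId || !Array.isArray(record.tabs)) return [];
  return record.tabs;
}

// Housekeeping: remove records left behind by other instances so another
// team's state does not linger in the shared origin. Returns the count removed.
function purgeForeignRecords(storage, instanceId) {
  const doomed = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k.startsWith('mythic:') && !k.startsWith(`mythic:${instanceId}:`)) doomed.push(k);
  }
  doomed.forEach((k) => storage.removeItem(k));
  return doomed.length;
}

// Walk-through with constructed data: both "servers" are reached as the same
// origin, so they share a single storage object.
function demo() {
  const shared = new MemoryStorage();
  const teamA = 'instance-A-0000'; // constructed instance ids
  const teamB = 'instance-B-1111';
  const tabsA = [{ type: 'callback', id: 17 }, { type: 'task', id: 42 }];

  // Naive: Team B's console loads Team A's tabs.
  saveOpenTabsNaive(shared, tabsA);
  const leakedToB = loadOpenTabsNaive(shared);

  // Partitioned: Team B sees nothing of Team A's, Team A still sees its own.
  saveOpenTabs(shared, teamA, tabsA);
  const seenByB = loadOpenTabs(shared, teamB);
  const seenByA = loadOpenTabs(shared, teamA);
  const purged = purgeForeignRecords(shared, teamB);

  return { leakedToB, seenByB, seenByA, purged };
}
```

Namespacing by instance id stops the cross-team confusion the report describes; it does not hide the data from someone who already has the browser profile, so pair it with the purge step (or the per-server encryption key the reporter suggests) if the stored state is considered sensitive.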
Are you connecting to Mythic in this way via something like ssh -L 127.0.0.1:7443:127.0.0.1:7443 user@mythic? And you're swapping between Team A and Team B by simply changing the host you're ssh-ing into?
Yeah, it's for a lab, but it made it seem as though two disconnected networks were connected. So probably more of a usability issue than a security issue.
On Thu, Jun 8, 2023, 4:50 PM Cody Thomas @.***> wrote:
Are you connecting to Mythic in this way via something like ssh -L 127.0.0.1:7443:127.0.0.1:7443 @.***? And you're swapping between Team A and Team B by simply changing the host you're ssh-ing into?