# NCS project proposal
## Concept & plans
This project is meant to research common weakness types in applications (according to CWE categories).
We need to create multiple vulnerable images, along with exploit scripts for them, to demonstrate these weakness types, while researching and learning along the way.
The final product (output) of this project would be:
* Multiple (6 to be precise) vulnerable boxes, built as Docker images, with vulnerabilities from different CWE categories. These vulnerabilities should also be all officially registered and assigned a CVE number.
* For each vulnerable box from the previous point, an automated exploit should be implemented, which would demonstrate how to exploit this vulnerability.
* A report should be produced, which would describe in depth the chosen vulnerabilities: why they arise (both in general and in this particular case), how to exploit them, and how to mitigate them.
E.g. _shellshock_, which belongs to the category _Data representation issues_ -- the report should describe the particular bug which led to the shellshock vulnerability, then the general cause of data representation issues, then the exploitation process for this particular vulnerability, then the fix for it.
* A presentation in the form of a PoC video should be produced, which would demonstrate the exploit, and all gained access/privileges/etc.
The plan for implementation is as follows:
1. Research the applicable vulnerabilities, and produce a project proposal which would list these vulnerabilities, while also describing the plan for achieving the final goal.
2. Implement the corresponding vulnerable boxes, along with exploits.
3. Record the demonstration video, prepare the necessary documentation (i.e. presentation, report).
## Chosen vulnerabilities
1. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7614
The package [npm-programmatic](https://www.npmjs.com/package/npm-programmatic) allows npm commands to be executed from a JS environment. Unfortunately, the package is vulnerable to command injection due to the absence of input validation.
**CWE: Improper Neutralization of Input During Web Page Generation (79)**
2. https://www.cvedetails.com/cve/CVE-2019-10744/
Prototype pollution in the popular JS library Lodash. The function `defaultsDeep` could be tricked into adding or modifying properties of `Object.prototype` using a `constructor` payload.
**CWE: Improper Input Validation (20)**
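To make the pollution mechanism concrete, here is an added example (not Lodash's code and not this project's) of a toy recursive "defaults" merge in the style of `defaultsDeep`, once written naively and once hardened. The naive version walks every own key of the source, including a key literally named `__proto__` as produced by `JSON.parse`, and therefore writes into `Object.prototype`; the hardened version refuses the keys `__proto__`, `constructor` and `prototype` and only considers the target's own properties. Both functions assume plain objects (arrays are not handled specially).

```javascript
// Vulnerable deep "defaults" merge: copies keys from `source` into `target`
// where `target` has no value yet, recursing into nested objects. It never
// asks whether a key is "__proto__", so target["__proto__"] (which is
// Object.prototype) becomes the recursion target.
function unsafeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] === null || typeof target[key] !== 'object') target[key] = {};
      unsafeDefaultsDeep(target[key], value);
    } else if (target[key] === undefined) {
      target[key] = value;
    }
  }
  return target;
}

// Keys that would walk into the prototype chain instead of the object itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened merge: skip the dangerous keys and decide "already set" by own
// properties only, so inherited values such as Object.prototype are never
// used as a recursion target.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (value !== null && typeof value === 'object') {
      if (!hasOwn) target[key] = {};
      if (target[key] !== null && typeof target[key] === 'object') {
        safeDefaultsDeep(target[key], value);
      }
    } else if (!hasOwn) {
      target[key] = value;
    }
  }
  return target;
}

// Runs a merge with a constructed JSON payload and reports whether an
// unrelated fresh object afterwards "has" the injected property. Any
// pollution is removed again before returning.
function pollutesFreshObjects(mergeFn) {
  const payload = JSON.parse('{"__proto__": {"isAdmin": true}}'); // constructed sample input
  mergeFn({}, payload);
  const victim = {};
  const polluted = victim.isAdmin === true;
  delete Object.prototype.isAdmin;
  return polluted;
}

module.exports = { unsafeDefaultsDeep, safeDefaultsDeep, pollutesFreshObjects };
```

The check `victim.isAdmin === true` on a brand-new object is the practical symptom to look for: authorization code that does `if (user.isAdmin)` on objects that never had that property set will start passing once the prototype is polluted.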
3. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8135
The uppy npm package before 1.9.3 is vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to scan the local or external network or otherwise interact with internal systems.
**CWE: SSRF (918)**
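The usual mitigation for an SSRF of this kind is to validate any user-supplied URL before the server fetches it. The following is an added example (not uppy's code and not this project's) of such a check: it restricts the scheme to http/https and rejects loopback, link-local, private and multicast addresses. It relies on the WHATWG `URL` parser in Node normalising alternative IPv4 spellings such as `0x7f000001` to dotted form, so those do not slip past the range check. The range lists are this example's own assumption about what counts as "internal".

```javascript
// Returns the four octets of a dotted IPv4 literal, or null if `host` is not one.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Loopback, RFC 1918, link-local, "this network", multicast and reserved ranges.
function isPrivateIPv4(o) {
  return (
    o[0] === 0 || o[0] === 10 || o[0] === 127 ||
    (o[0] === 169 && o[1] === 254) ||
    (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
    (o[0] === 192 && o[1] === 168) ||
    o[0] >= 224
  );
}

// Loopback, unspecified, link-local, unique-local and IPv4-mapped IPv6 hosts.
function isPrivateIPv6(host) {
  const h = host.replace(/^\[|\]$/g, '').toLowerCase();
  return h === '::1' || h === '::' || h.startsWith('fe80:') ||
    h.startsWith('fc') || h.startsWith('fd') || h.startsWith('::ffff:');
}

// Validates a URL the server has been asked to fetch on a user's behalf.
function checkOutboundUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch (e) {
    return { ok: false, reason: 'unparseable URL' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  const host = url.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'loopback hostname' };
  }
  const v4 = parseIPv4(host);
  if (v4 && isPrivateIPv4(v4)) return { ok: false, reason: `private/reserved IPv4 ${host}` };
  if (host.startsWith('[') && isPrivateIPv6(host)) return { ok: false, reason: `private/reserved IPv6 ${host}` };
  return { ok: true, host };
}

module.exports = { parseIPv4, isPrivateIPv4, isPrivateIPv6, checkOutboundUrl };
```

Two caveats a practitioner should keep in mind: a DNS name can resolve to an internal address, so the same range check has to be applied to the resolved address that the connection actually uses (and the result pinned, to avoid a rebinding race), and every HTTP redirect the fetch follows must be re-validated with the same function.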
4. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
Old `sudo` (up to 1.8.28) has some overflow problems, which lead to circumvention of target user restrictions.
If a rule in `/etc/sudoers` allows execution of a specific program under "anyone except root" (`!root`), then the user can execute that program under root, using a special user id.
**CWE: Privilege issues (265)**
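From a defender's side, the two things worth checking for this issue are whether the installed `sudo` is an affected version and whether `/etc/sudoers` contains any rule that relies on a `!root` exclusion in its runas list, since that is the configuration the bypass needs. The following is an added example (not this project's code) that parses a constructed sudoers sample of the form `user host=(runas) [tags:] command` and reports such rules; the version check treats 1.8.28 as the first fixed release. The sudoers grammar handled here is a simplification (no aliases, includes or line continuations).

```javascript
// Constructed sample sudoers content for this example (not from any real host).
const SAMPLE_SUDOERS = `
# User privilege specification
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
bob     ALL=(ALL, !root) /usr/bin/vim
alice   myhost=(ALL:ALL, !root:!root) NOPASSWD: /usr/bin/less
carol   ALL=(www-data) /usr/bin/systemctl restart nginx
`;

// Parses one user specification line: user host=(runas) [tags:] command.
// Comments, blank lines and Defaults lines yield null.
function parseSudoersLine(line) {
  const trimmed = line.trim();
  if (!trimmed || trimmed.startsWith('#') || /^Defaults\b/.test(trimmed)) return null;
  const m = /^(\S+)\s+(\S+?)=\((.*?)\)\s*(.*)$/.exec(trimmed);
  if (!m) return null;
  return { user: m[1], host: m[2], runas: m[3], command: m[4] };
}

// Flags rules whose runas list (users and groups, separated by "," and ":")
// contains the negated entry "!root". On an affected sudo the exclusion
// does not actually stop the command from running as root.
function findNegatedRootRules(sudoersText) {
  const findings = [];
  for (const line of sudoersText.split('\n')) {
    const rule = parseSudoersLine(line);
    if (!rule) continue;
    const runasEntries = rule.runas.split(/[,:]/).map((s) => s.trim());
    if (runasEntries.includes('!root')) findings.push(rule);
  }
  return findings;
}

// True when the version in a string such as "Sudo version 1.8.27p1" is
// earlier than 1.8.28; null when no version number is present.
function isAffectedSudoVersion(versionString) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(versionString);
  if (!m) return null;
  const [maj, min, pat] = m.slice(1).map(Number);
  return maj < 1 || (maj === 1 && (min < 8 || (min === 8 && pat < 28)));
}

module.exports = { SAMPLE_SUDOERS, parseSudoersLine, findNegatedRootRules, isAffectedSudoVersion };
```

In a real audit the version string comes from `sudo -V` and the rules from `sudo -l` or the sudoers file itself; a `!root` finding is a reason to restructure the rule around an explicit allow-list of target users rather than an exclusion.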
5. https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-6271
Good ol' shellshock in bash. A bug in the processing of environment variables passed from the parent process results in arbitrary code execution.
This can be used to gain unrestricted access to the system from an otherwise restricted interaction (e.g. a network request).
**CWE: Data representation issues (137)**
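The bug is in how bash imported exported function definitions from the environment: a value beginning with the marker `() {` was parsed as a function, and vulnerable versions kept executing whatever followed the closing brace. The added example below (not this project's code) shows the detection side of that: a classifier for environment-variable values and a scanner over constructed web-server log lines, since a CGI request is the route by which an attacker's header values end up as environment variables. The log format assumed is the common combined format with quoted request, referer and user-agent fields; the brace-matching is a heuristic (first closing brace), which is adequate for detection.

```javascript
// bash's exported-function marker: the value starts with "() {".
const FUNCTION_EXPORT = /^\s*\(\)\s*\{/;

// Classifies one environment-variable value:
//   'plain'                          - not a function export at all
//   'function-definition'            - a function body and nothing after it
//   'function-with-trailing-command' - text after the closing brace, which
//                                      vulnerable bash versions executed
function classifyEnvValue(value) {
  if (typeof value !== 'string' || !FUNCTION_EXPORT.test(value)) return 'plain';
  const closing = value.indexOf('}');
  const trailing = closing === -1 ? '' : value.slice(closing + 1).trim();
  return trailing ? 'function-with-trailing-command' : 'function-definition';
}

// Returns the names of environment variables whose values look like function
// exports; anything in this list arriving from an untrusted source (such as
// HTTP headers mapped to CGI variables) deserves an alert.
function findFunctionExports(env) {
  return Object.keys(env).filter((name) => classifyEnvValue(env[name]) !== 'plain');
}

// Scans combined-format access-log lines for the marker inside any quoted
// field (request line, referer, user-agent). Returns one hit per line.
function scanAccessLog(lines) {
  const hits = [];
  lines.forEach((line, index) => {
    const quotedFields = line.match(/"([^"]*)"/g) || [];
    for (const field of quotedFields) {
      if (/\(\)\s*\{/.test(field)) {
        hits.push({ line: index + 1, field });
        break;
      }
    }
  });
  return hits;
}

// Constructed sample log lines for this example (not real traffic).
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Oct/2020:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Oct/2020:13:55:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo test"',
  '198.51.100.2 - - [10/Oct/2020:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.68.0"',
];

module.exports = { classifyEnvValue, findFunctionExports, scanAccessLog, SAMPLE_LOG };
```

The same regular expression is what most IDS signatures for this bug boil down to; the classifier is useful on the host side, for instance run over the environment of a CGI wrapper before it hands control to bash.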
6. https://www.cvedetails.com/cve/CVE-2014-0160/
Again, a famous vulnerability -- Heartbleed. A bug in bounds-checking of OpenSSL heartbeat messages results in reading private memory from the remote machine.
**CWE: Improper Restriction of Operations within the Bounds of a Memory Buffer (119)**
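A TLS heartbeat message (RFC 6520) is `type(1) | payload_length(2) | payload | padding(>=16)`, and the bug was that the responder trusted `payload_length` from the message instead of checking it against the number of bytes that actually arrived. The following added example (not OpenSSL's code and not this project's) models that in JavaScript: a `Buffer` stands in for process memory, the request sits at its start with constructed "secret" bytes right after it, and the response builder can be run with or without the bounds check that the fix added (`1 + 2 + payload_length + 16` must not exceed the record length). Without the check, the copied payload spills past the record into the adjacent bytes.

```javascript
const HB_REQUEST = 1;
const HB_RESPONSE = 2;
const PADDING_MIN = 16;

// Builds a heartbeat response for the request at the start of `memory`.
// `recordLen` is how many bytes of the request really arrived; `memory`
// is larger and models whatever else the process has next to the record.
function buildHeartbeatResponse(memory, recordLen, enforceBounds) {
  const record = memory.subarray(0, recordLen);
  if (record.length < 3) return { ok: false, reason: 'too short' };
  const type = record[0];
  const payloadLength = record.readUInt16BE(1);
  if (type !== HB_REQUEST) return { ok: false, reason: 'not a heartbeat request' };

  // The check OpenSSL was missing: header + claimed payload + minimum
  // padding must fit inside the record that was actually received.
  if (enforceBounds && 1 + 2 + payloadLength + PADDING_MIN > record.length) {
    return { ok: false, reason: 'payload_length exceeds record' };
  }

  // Copy payloadLength bytes starting right after the header. With the
  // check skipped this reads past the record into neighbouring memory.
  const payload = Buffer.from(memory.subarray(3, 3 + payloadLength));
  const response = Buffer.alloc(3 + payloadLength + PADDING_MIN);
  response[0] = HB_RESPONSE;
  response.writeUInt16BE(payloadLength, 1);
  payload.copy(response, 3);
  return { ok: true, payload, response };
}

// Constructed sample: a 64-byte "memory" holding a well-formed request with
// the 4-byte payload "ping" and 16 bytes of padding, followed by marker
// bytes that represent private data living next to the record.
function makeSample() {
  const memory = Buffer.alloc(64, 0);
  const request = Buffer.concat([
    Buffer.from([HB_REQUEST, 0, 4]),
    Buffer.from('ping'),
    Buffer.alloc(PADDING_MIN, 0xaa),
  ]);
  request.copy(memory, 0);
  Buffer.from('SECRET_KEY_DATA').copy(memory, request.length);
  return { memory, recordLen: request.length };
}

module.exports = { HB_REQUEST, HB_RESPONSE, PADDING_MIN, buildHeartbeatResponse, makeSample };
```

Rewriting `payload_length` in the sample to a value larger than the 4 real payload bytes is enough to see both behaviours: with `enforceBounds` the request is rejected, without it the returned payload contains the marker bytes. The record length used in the check is the length of the TLS record as delivered by the transport layer, never anything taken from inside the message.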