IssueHunt
Bug Bounty (New!)
Browse
Sign in with GitHub
future-architect/vuls

Do you want to work on this issue?

You can request for a bounty in order to promote it!

"user" keyword not working in config.toml #1455

barszpaw posted onGitHub

What did you do?

scan remote host by ssh using username specified in config.toml

[default]
port               = "22"
user               = "scanuser"
keyPath            = "/home/vuls/.ssh/id_rsa"
scanMode           = ["deep"]
scanModules        = ["ospkg"]
sshConfigPath      = "/home/vuls/.ssh/config"

[servers]

[servers.my-server]
host               = "my-server"

What did you expect to happen?

scan via ssh with username scanuser those differ from current linux user vuls

What happened instead?

Command vuls scan use $USER env as user for ssh login

  • Current Output
    vuls@vuls:~$ vuls scan -debug
[May  3 01:25:46]  INFO [localhost] vuls-v0.19.7-build-20220502_215403_91ed318
[May  3 01:25:46]  INFO [localhost] Start scanning
[May  3 01:25:46]  INFO [localhost] config: /home/vuls/config.toml
[May  3 01:25:46] DEBUG [localhost] map[string]config.ServerInfo{
"my-server": config.ServerInfo{
  ServerName:    "my-server",
  User:          "scanuser",
  Host:          "my-server",
  JumpServer:    []string{},
  Port:          "22",
  SSHConfigPath: "/home/vuls/.ssh/config",
  KeyPath:       "/home/vuls/.ssh/id_rsa",
  CpeNames:      []string{},
  ScanMode:      []string{
    "deep",
  },
  ScanModules: []string{
    "ospkg",
  },
  OwaspDCXMLPath:     "",
  ContainersOnly:     false,
  ContainersIncluded: []string{},
  ContainersExcluded: []string{},
  ContainerType:      "",
  Containers:         map[string]config.ContainerSetting{},
  IgnoreCves:         []string{},
  IgnorePkgsRegexp:   []string{},
  GitHubRepos:        map[string]config.GitHubConf{},
  UUIDs:              map[string]string{},
  Memo:               "",
  Enablerepo:         []string{},
  Optional:           map[string]interface {}{},
  Lockfiles:          []string{},
  FindLock:           false,
  Type:               "",
  IgnoredJSONKeys:    []string{},
  WordPress:          &config.WordPressConf{
    OSUser:  "",
    DocRoot: "",
    CmdPath: "",
  },
  PortScan: &config.PortScanConf{
    IsUseExternalScanner: false,
    ScannerBinPath:       "",
    HasPrivileged:        false,
    ScanTechniques:       []string{},
    SourcePort:           "",
  },
  IPv4Addrs:       []string{},
  IPv6Addrs:       []string{},
  IPSIdentifiers:  map[string]string{},
  LogMsgAnsiColor: "\x1b[32m",
  Container:       config.Container{
    ContainerID: "",
    Name:        "",
    Image:       "",
  },
  Distro: config.Distro{
    Family:  "",
    Release: "",
  },
  Mode: config.ScanMode{
    flag: 0x04,
  },
  Module: config.ScanModule{
    flag: 0x01,
  },
},
}
[May  3 01:25:46]  INFO [localhost] Validating config...
[May  3 01:25:46]  INFO [localhost] Detecting Server/Container OS... 
[May  3 01:25:46]  INFO [localhost] Detecting OS of servers... 
[May  3 01:25:46] DEBUG [localhost] Validating SSH Settings for Server:my-server ...
[May  3 01:25:46] DEBUG [localhost] Executing... /usr/bin/ssh -G -F /home/vuls/.ssh/config -p 22 -l scanuser my-server
[May  3 01:25:46] DEBUG [localhost] Setting SSH User:scanuser for Server:my-server ...
[May  3 01:25:46] DEBUG [localhost] Setting SSH Port:22 for Server:my-server ...
[May  3 01:25:46] DEBUG [localhost] Executing... ls /etc/debian_version
vuls@my-server's password: [May  3 01:25:50] DEBUG [localhost] Executing... ls /etc/debian_version
vuls@my-server's password:

Steps to reproduce the behaviour

use as config.toml these content:

[default]
port               = "22"
user               = "scanuser"
keyPath            = "/home/vuls/.ssh/id_rsa"
scanMode           = ["deep"]
scanModules        = ["ospkg"]
sshConfigPath      = "/home/vuls/.ssh/config"

[servers]

[servers.my-server]
host               = "my-server"

and as 'vuls' username try scan remote host with username "scanuser" ( remote username should exists on remote host )

Configuration

  • Go version (go version): go version go1.18.1 linux/amd64

  • Go environment (go env):

    GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/home/vuls/.cache/go-build"
GOENV="/home/vuls/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/home/vuls/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/home/vuls/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.18.1"
GCCGO="gccgo"
GOAMD64="v1"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/dev/null"
GOWORK=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1279271044=/tmp/go-build -gno-record-gcc-switches"

To check the commit hash of HEAD $ vuls -v vuls-v0.19.7-build-20220502_215403_91ed318

  • config.toml:
[default]
port               = "22"
user               = "scanuser"
keyPath            = "/home/vuls/.ssh/id_rsa"
scanMode           = ["deep"]
scanModules        = ["ospkg"]
sshConfigPath      = "/home/vuls/.ssh/config"

[servers]

[servers.my-server]
host               = "my-server"
  • command: vuls scan

@barszpaw

In my environment, if $USER and user in config.toml are different, the user in config.toml is used and your bug is not reproduced.

Here are the config.toml and .ssh/config files I tried.

  • config.toml
    [default]
port               = "2222"
user               = "root"
sshConfigPath       = "/home/mainek00n/.ssh/config"
keyPath            = "/home/mainek00n/github/github.com/MaineK00n/vuls-targets-docker/.ssh/id_rsa"
scanMode           = ["fast"]
scanModules        = ["ospkg"]

[servers]

[servers.vuls-target] host = "vuls-target"


- /home/mainek00n/.ssh/config

Host vuls-target HostName 127.0.0.1



Run scan with the debug option.
```console
$ echo $USER
mainek00n

$ vuls scan -debug
[May  9 16:18:20]  INFO [localhost] vuls-v0.19.7-build-20220509_161107_2158fc6c
[May  9 16:18:20]  INFO [localhost] Start scanning
[May  9 16:18:20]  INFO [localhost] config: ./config.toml
[May  9 16:18:20] DEBUG [localhost] map[string]config.ServerInfo{
  "vuls-target": config.ServerInfo{
    ServerName:    "vuls-target",
    User:          "root",
    Host:          "vuls-target",
    JumpServer:    []string{},
    Port:          "2222",
    SSHConfigPath: "/home/mainek00n/.ssh/config",
    KeyPath:       "/home/mainek00n/github/github.com/MaineK00n/vuls-targets-docker/.ssh/id_rsa",
    CpeNames:      []string{},
    ScanMode:      []string{
      "fast",
    },
    ScanModules: []string{
      "ospkg",
    },
    OwaspDCXMLPath:     "",
    ContainersOnly:     false,
    ContainersIncluded: []string{},
    ContainersExcluded: []string{},
    ContainerType:      "",
    Containers:         map[string]config.ContainerSetting{},
    IgnoreCves:         []string{},
    IgnorePkgsRegexp:   []string{},
    GitHubRepos:        map[string]config.GitHubConf{},
    UUIDs:              map[string]string{},
    Memo:               "",
    Enablerepo:         []string{},
    Optional:           map[string]interface {}{},
    Lockfiles:          []string{},
    FindLock:           false,
    Type:               "",
    IgnoredJSONKeys:    []string{},
    WordPress:          &config.WordPressConf{
      OSUser:  "",
      DocRoot: "",
      CmdPath: "",
    },
    PortScan: &config.PortScanConf{
      IsUseExternalScanner: false,
      ScannerBinPath:       "",
      HasPrivileged:        false,
      ScanTechniques:       []string{},
      SourcePort:           "",
    },
    IPv4Addrs:       []string{},
    IPv6Addrs:       []string{},
    IPSIdentifiers:  map[string]string{},
    LogMsgAnsiColor: "\x1b[32m",
    Container:       config.Container{
      ContainerID: "",
      Name:        "",
      Image:       "",
    },
    Distro: config.Distro{
      Family:  "",
      Release: "",
    },
    Mode: config.ScanMode{
      flag: 0x01,
    },
    Module: config.ScanModule{
      flag: 0x01,
    },
  },
}
[May  9 16:18:20]  INFO [localhost] Validating config...
[May  9 16:18:20]  INFO [localhost] Detecting Server/Container OS... 
[May  9 16:18:20]  INFO [localhost] Detecting OS of servers... 
[May  9 16:18:20] DEBUG [localhost] Validating SSH Settings for Server:vuls-target ...
[May  9 16:18:20] DEBUG [localhost] Executing... /usr/bin/ssh -G -F /home/mainek00n/.ssh/config -p 2222 -l root vuls-target
[May  9 16:18:20] DEBUG [localhost] Setting SSH User:root for Server:vuls-target ...
[May  9 16:18:20] DEBUG [localhost] Setting SSH Port:2222 for Server:vuls-target ...
[May  9 16:18:20] DEBUG [localhost] Checking if the host's public key is in known_hosts...
[May  9 16:18:20] DEBUG [localhost] Executing... /usr/bin/ssh-keygen -F "[127.0.0.1]:2222" -f ~/.ssh/known_hosts
[May  9 16:18:20] DEBUG [localhost] Executing... ls /etc/debian_version
[May  9 16:18:21] DEBUG [localhost] execResult: servername: vuls-target
  cmd: /usr/bin/ssh -tt -F /home/mainek00n/.ssh/config -l root -p 2222 -i /home/mainek00n/github/github.com/MaineK00n/vuls-targets-docker/.ssh/id_rsa -o PasswordAuthentication=no vuls-target stty cols 1000; ls /etc/debian_version
  exitstatus: 0
  stdout: /etc/debian_version

  stderr: Connection to 127.0.0.1 closed.

  err: %!s(<nil>)

...

Scan Summary
================
vuls-target    ubuntu22.04    321 installed





To view the detail, vuls tui is useful.
To send a report, run vuls report -h.
posted by MaineK00n almost 3 years ago

@barszpaw

Show the Scan log with the vvv option.

$ vuls scan -debug -vvv

Or check if SSH can connect without password.

$ /usr/bin/ssh -F /home/vuls/.ssh/config -p 22 -l scanuser -i /home/vuls/.ssh/id_rsa -o PasswordAuthentication=no -vvv my-server
posted by MaineK00n almost 3 years ago

Fund this Issue

$0.00
Funded
Only logged in users can fund an issue

Pull requests

Company
AboutMission
Community
SpectrumEmbed
Support
FAQTerms of usePrivacy policyCode of conductCredits
Connect
FacebookTwitter

© 2019 BoostIO, Inc.