false positive: teleport marked CRITICAL due to multiple high risk behaviors

[tstromberg]

seen with teleport 16.0.3 - wolfi-dev/os#22915

usr/local/bin/teleport [🚨 CRITICAL]
-----------------------------------------------------------------------------------------------------------------------------------------------
RISK  KEY                   DESCRIPTION                              EVIDENCE                                                                  
-----------------------------------------------------------------------------------------------------------------------------------------------
HIGH  combo/dropper/shell   fetches content and pipes it to a shell  curl -s -L %s| bash                                                       
                                                                     curl -s -L https://%s/v1/webapi/scripts/installer/%s | bash               
HIGH  combo/stealer/creds   suspected data stealer                   Atomic                                                                    
                                                                     Bookmarks                                                                 
                                                                     Chrome                                                                    
                                                                     Chromium                                                                  
                                                                     Discord                                                                   
                                                                     Firefox                                                                   
                                                                     History                                                                   
                                                                     Snowflake                                                                 
                                                                     …                                                                         
HIGH  net/fetch/suspicious  high fetch command                       curl -o /dev/null -w "%{http_code}" -m5 -sS -H "Metadata-Flavor           
                                                                     curl -o /dev/null -w "%{http_code}" -m5 -sS -H "X-aws-ec2-metadata-token  
                                                                     curl -o /tmp/teleport-pubkey                                              
HIGH  ref/words/backdoor    References a 'backdoor'                  backdoorH                                                                 
HIGH  ref/words/trojan      References a Trojan                      Trojan                                                                    
HIGH  shell/bash_dev_tcp    uses /dev/tcp for network access (bash)  /dev/tcp                                                                  
-----------------------------------------------------------------------------------------------------------------------------------------------

Many of these are legitimately bizarre high-risk behaviors, I do think the rules could be fine-tuned, particularly combo/stealer/creds and net/fetch/suspicious

I'm really curious about what some of these mentions are though!

[tstromberg]

combo/stealer/creds

Most of the browser mentions come from this text:

Your user role supports directory sharing over desktop access, however this feature is only available by default on some Chromium based browsers like Google Chrome or Microsoft Edge. Brave users can use the feature by navigating to brave://flags/#file-system-access-api

The mention of Atomic is from things like go.uber.org/zap.AtomicLevel.Level - we can improve the rule to avoid some of this.

The mention of Discord is because there is Discord support in teleport.

ref/words/backdoor

We're going to have to look at the source code for this one - it's referencing a backdoor behavior which seems sketch.

ref/words/trojan

Same

/dev/tcp

Yeah, it uses it:

    HOST=$1
    PORT=$2
    # check with nc
    if check_exists nc; then
        CONNECTIVITY_TEST_METHOD="nc"
        if nc -z -w3 "${HOST}" "${PORT}" >/dev/null 2>&1; then return 0; else return 1; fi
    # if there's no nc, check with telnet
    elif check_exists telnet; then
        CONNECTIVITY_TEST_METHOD="telnet"
        if echo -e '\x1dclose\x0d' | telnet "${HOST}" "${PORT}" >/dev/null 2>&1; then return 0; else return 1; fi
    # if there's no nc or telnet, try and use /dev/tcp
    elif [ -f /dev/tcp ]; then
        CONNECTIVITY_TEST_METHOD="/dev/tcp"
        if (head -1 < "/dev/tcp/${HOST}/${PORT}") >/dev/null 2>&1; then return 0; else return 1; fi
    else
        return 255
    fi

[egibs]

Looks like the trojan references are buried in long strings:

/bincapz # xxd -c 128 -g 2 -b teleport-16.0.3/build/teleport | grep trojan
09f64900: 0110111001100101 0111100001110100 0110010101101110 0110010001101101 0111100101010011 0110100101110100 0110010101110011 0110101101101001 0110110001101100 0111001101100110 0110111101110101 0111001001000011 0100001101100001 0110010001110111 0110000101110010 0110010101110100 0111001001101111 0110101001100001 0110111001100100 0110100101100001 0110110001100101 0111001001110010 0110000101101110 0111001101101111 0110110101110011 0110010101110110 0110010101110010 0110010101110100 0110000101100010 0110110001100101 0111001101101100 0110010101100111 0110010101101110 0110010001110011 0110010101110010 0110100101100101 0111001101101001 0111010001100001 0110110001101001 0110001101110011 0110111101110010 0111010001001111 0110111001100101 0111100001100101 0110001100111010 0010000001110110 0011000100101110 0011011000101110 0011000001100011 0110111101101101 0110110101101111 0110111001010011 0101010001010010 0100010101000101 0101010000001010 0010000000100000 0010000000100000 0000100101110100 0110010101110011 0111010000101110 0111011001110010 0110010101100001 0110010001010101 0011010000100101  nextendmySiteskillsfourCCadwaretrojandialerransomseveretableslegendseriesitalicsortOnexec: v1.6.0commonSTREET.    .test.vreadU4%
09f70c00: 0110011101101000 0111010001001001 0110010001101101 0110000101101110 0110000101100111 0110010101100100 0100001001111001 0110111101110111 0110111001100101 0111001001110011 0110100001101001 0111000001100001 0110000101100100 0101010101110011 0110010101110010 0100100101100100 0110010101101101 0110000101101001 0110110001010010 0110111101101100 0110010101101100 0110111101100111 0110111101101110 0101010001111001 0111000001100101 0110011001110010 0110000101101101 0110010101010010 0110000101110100 0110010101100100 0110010101110100 0110010101100011 0111010001101001 0110111101101110 0110110001100001 0111010101101110 0110001101101000 0101010101110010 0110100101110011 0110101101110101 0100111001110101 0110110101100010 0110010101110010 0110101101100101 0111100101101100 0110111101100111 0110011101100101 0111001001110100 0111001001101111 0110101001100001 0110111001000110 0111010001110000 0110000101100010 0110000101101110 0110010001101111 0110111001100101 0110010001100110 0110100101110010 0111001101110100 0101011101100101 0110010101101011 0111010001101000 0110100101110010 0110010001010111  ghtIdmanagedByownershipaadUserIdemailRolelogonTypeframeRatedetectionlaunchUriskuNumberkeyloggertrojanFtpabandonedfirstWeekthirdW
09f83780: 0111010001000101 0111100001101001 0111001101110100 0110000101101100 0111011101100001 0111100101110011 0100111001101111 0111010001101001 0110011001111001 0110100101100100 0110010101101110 0111010001101001 0111010001111001 0100111001100001 0110110101100101 0111001101111001 0111001101110100 0110010101101101 0100011001100001 0110110101101001 0110110001111001 0110010101101101 0110000101101001 0110110001000110 0110110001101111 0110111101100100 0110010101110010 0111010001110010 0110111101101010 0110000101101110 0101010001100101 0110110001101110 0110010101110100 0111001001100101 0110110101101111 0111011001100101 0100011001100001 0110100101101100 0110010101100100 0110100101100011 0110111101101110 0111001101010110 0110100101110011 0110100101100010 0110110001100101 0110111001101111 0101000001110010 0110111101110100 0110010101100011 0111010001101001 0110111101101110 0110001101100001 0111010001100101 0110011101101111 0111001001111001 0100000101111000 0110100101110011 0110000101100100 0110010001110010 0110010101110011 0111001101001100 0110111101100011 0110000101101100 0110001101101111  tExistalwaysNotifyidentityNamesystemFamilyemailFloodertrojanTelnetremoveFailediconsVisiblenoProtectioncategoryAxisaddressLocalco
09f8a380: 0111010001101001 0110111101101110 0111001101110011 0110001101110010 0110100101110000 0111010001000011 0110111101101110 0111010001100101 0110111001110100 0111001101110100 0110000101110010 0111010001001101 0110010101101110 0111010101001101 0110111101100100 0110010101101110 0110111101101110 0100011001110101 0110110001101100 0101001101100011 0111001001100101 0110010101101110 0110000101101100 0110110001101111 0111011101010000 0111001001101001 0110111001110100 0110100101101110 0110011101110010 0110010101100010 0110111101101111 0111010001010000 0110010101101110 0110010001101001 0110111001100111 0110001001110010 0110111101110111 0111001101100101 0111001001010000 0110110001110101 0110011101101001 0110111001110100 0111001001101111 0110101001100001 0110111001000100 0111001001101111 0111000001110000 0110010101110010 0111011001110101 0110110001101110 0110010101110010 0110000101100010 0110100101101100 0110100101110100 0111100101110000 0111001001101111 0111010001100101 0110001101110100 0110010101100100 0100000101110000 0111000001110011 0110010101101110 0110011101101001 0110111001100101  tionsscriptContentstartMenuModenonFullScreenallowPrintingrebootPendingbrowserPlugintrojanDroppervulnerabilityprotectedAppsengine
09fa1900: 0110000101101110 0100010001101111 0111011101101110 0110110001101111 0110000101100100 0110010101110010 0111001101100101 0110001101110101 0111001001101001 0111010001111001 0100010001101001 0111001101100001 0110001001101100 0110010101110010 0111001101100101 0111010001110100 0110100101101110 0110011101110011 0100110101101111 0110010001101001 0110011001101001 0110010101110010 0111010001110010 0110111101101010 0110000101101110 0100110101100001 0111001101110011 0100110101100001 0110100101101100 0110010101110010 0111000101110101 0110000101110010 0110000101101110 0111010001101001 0110111001100101 0100011001100001 0110100101101100 0110010101100100 0110010101101110 0110011001101111 0111001001100011 0110010101101101 0110010101101110 0111010001001100 0110010101110110 0110010101101100 0110010101101110 0111010001100101 0111001001110000 0111001001101001 0111001101100101 0100010001101111 0110110101100001 0110100101101110 0110001001101001 0110111001100001 0111001001111001 0101011001100101 0111001001110011 0110100101101111 0110111001001100 0110111101110111 0110110101100100 0110110101000101  anDownloadersecurityDisablersettingsModifiertrojanMassMailerquarantineFailedenforcementLevelenterpriseDomainbinaryVersionLowmdmE
09faab80: 0111001001110110 0110100101100011 0110010101001110 0110111101110100 0101001001110101 0110111001101110 0110100101101110 0110011101110000 0110110001100001 0111010001100110 0110111101110010 0110110101001111 0111010101110100 0100111101100110 0100010001100001 0111010001100101 0111010001110010 0110111101101010 0110000101101110 0101000001110010 0110111101111000 0111100101010011 0110010101110010 0111011001100101 0111001001100010 0110100101101110 0110000101110010 0111100101010110 0110010101110010 0111001101101001 0110111101101110 0100100001101001 0110011101101000 0111001001100101 0111000101110101 0110100101110010 0110010101000001 0111010001001100 0110010101100001 0111001101110100 0100111101101110 0110010101110000 0110100101101110 0100010101111000 0111000001101001 0111001001100001 0111010001101001 0110111101101110 0100010001100001 0111100101110011 0110110101100001 0110110001110111 0110000101110010 0110010101001001 0110010001100101 0110111001110100 0110100101100110 0110100101100101 0111001001101111 0111001101010110 0110010101110010 0111001101101001 0110111101101110 0111001101010011  rviceNotRunningplatformOutOfDatetrojanProxyServerbinaryVersionHighrequireAtLeastOnepinExpirationDaysmalwareIdentifierosVersionsS
09fd0a00: 0110110001101001 0111001101101000 0110010101110010 0100100001100001 0111001101101000 0110110001100001 0111001101110100 0100001101101111 0110111001110100 0110000101100011 0111010001100101 0110010001000100 0110000101110100 0110010101010100 0110100101101101 0110010101100001 0111011001010011 0110100101100111 0110111001100001 0111010001110101 0111001001100101 0111001101001111 0111010101110100 0100111101100110 0100010001100001 0111010001100101 0110000101110011 0101001101101001 0110011101101110 0110000101110100 0111010101110010 0110010101110011 0100111101110101 0111010001001111 0110011001000100 0110000101110100 0110010101101000 0110111101110011 0111010001101001 0110110001100101 0100000101100011 0111010001101001 0111011001100101 0101100001000011 0110111101101110 0111010001110010 0110111101101100 0111001001100101 0110110101101111 0111010001100101 0100001101101111 0110111001110100 0111001001101111 0110110001010011 0110111101100110 0111010001110111 0110000101110010 0110010101110100 0111001001101111 0110101001100001 0110111001000100 0110010101101110 0110100101100001 0110110001001111  lisherHashlastContactedDateTimeavSignaturesOutOfDateasSignaturesOutOfDatehostileActiveXControlremoteControlSoftwaretrojanDenialO
09fee780: 0110111001100100 0110111101110111 0100001001101100 0110111101100011 0110101101100101 0110010001110011 0110000101101101 0111000001101100 0110010101110011 0101000001100101 0110111001100100 0110100101101110 0110011101010011 0111010101100010 0110110101101001 0111001101110011 0110100101101111 0110111001110000 0110110001100001 0111010001100110 0110111101110010 0110110101010101 0111000001100100 0110000101110100 0110010101001001 0110111001010000 0111001001101111 0110011101110010 0110010101110011 0111001101100001 0110010001100100 0110100101110100 0110100101101111 0110111001100001 0110110001001001 0110111001100110 0110111101110010 0110110101100001 0111010001101001 0110111101101110 0101010101110010 0110110001110100 0111001001101111 0110101001100001 0110111001001101 0110111101101110 0110100101110100 0110111101110010 0110100101101110 0110011101010011 0110111101100110 0111010001110111 0110000101110010 0110010101100101 0110111001110100 0110010101110010 0111000001110010 0110100101110011 0110010101010000 0111001001101111 0111100001101001 0110010101100100 0100010001101111 0110110101100001  ndowBlockedsamplesPendingSubmissionplatformUpdateInProgressadditionalInformationUrltrojanMonitoringSoftwareenterpriseProxiedDoma

backdoor as well:

/bincapz # xxd -c 128 -g 2 -b teleport-16.0.3/build/teleport | grep backdoor
09f6c180: 0110000101110101 0110010001101001 0110010101101110 0110001101100101 0111011101100101 0110001001101001 0110111001100001 0111001001110011 0110010101110110 0110010101110010 0111100101100100 0110000101111001 0111001101101001 0111101001100101 0100100101101110 0100110101000010 0111001001110101 0110110001100101 0101010001111001 0111000001100101 0110111001101111 0111010001000101 0111000101110101 0110000101101100 0110110001100101 0111001101110011 0101010001101000 0110000101101110 0111001101110101 0111000001110000 0111001001100101 0111001101110011 0110100101110011 0100001001110101 0110111001100100 0110110001100101 0110111001101111 0101001101110100 0110000101110100 0111010101110011 0111001101100011 0110000101101110 0101010001111001 0111000001100101 0110100001110100 0111010001110000 0100111101101110 0110110001111001 0110001001100001 0110001101101011 0110010001101111 0110111101110010 0110001001100101 0110100001100001 0111011001101001 0110111101110010 0110100001101001 0111000001110011 0101001001110101 0110110001100101 0110010001100101 0111010001100101 0110001101110100 0110010101100100  audiencewebinarseverydaysizeInMBruleTypenotEquallessThansuppressisBundlenoStatusscanTypehttpOnlybackdoorbehaviorhipsRuledetected