AWS EC2 detected as Tencent CVM causing long run time due to incorrect Tencent enumeration

Question

AWS EC2 detected as Tencent CVM causing long run time due to incorrect Tencent enumeration

credibleforce opened this issue 5 months ago · comments

Credibleforce commented 5 months ago

Issue description

Linpeas.sh taking a long time (>30 minutes) to run on AWS EC2 instance. Incorrectly identified as Tencent CVM.

Steps to reproduce the issue

Launch aws ec2 instance
Run curl -L https://github.com/carlospolop/PEASS-ng/releases/download/latest/linpeas.sh | /bin/bash -s -- -s -N -o system_information,container,cloud,procs_crons_timers_srvcs_sockets,users_information,software_information,interesting_files,interesting_perms_files,api_keys_regex
Logs show:

                                     ╔═══════╗
═════════════════════════════════════╣ Cloud ╠═════════════════════════════════════
                                     ╚═══════╝
═╣ GCP Virtual Machine? ................. No
═╣ GCP Cloud Funtion? ................... No
═╣ AWS ECS? ............................. No
═╣ AWS EC2? ............................. Yes
═╣ AWS EC2 Beanstalk? ................... No
═╣ AWS Lambda? .......................... No
═╣ AWS Codebuild? ....................... No
═╣ DO Droplet? .......................... No
═╣ Aliyun ECS? .......................... No
═╣ Tencent CVM? .......................... Yes
═╣ IBM Cloud VM? ........................ No
═╣ Azure VM? ............................ No
═╣ Azure APP? ........................... No

Which parameters did you use for executing the script and how did you execute it?

-s -N -o system_information,container,cloud,procs_crons_timers_srvcs_sockets,users_information,software_information,interesting_files,interesting_perms_files,api_keys_regex

Is there any AV / Threat protection in the system?

no

Please, indicate the OS, the OS version, and the kernel version (build number in case of Windows)

ubuntu focal

Please, indicate the check that is failing and add a screenshot showing the problem

check_tencent_cvm () {
  is_tencent_cvm="No"
  if [ -f "/etc/cloud/cloud.cfg.d/05_logging.cfg" ] || grep -qi Tencent /etc/cloud/cloud.cfg; then
      is_tencent_cvm="Yes"
  fi
}

the -f "/etc/cloud/cloud.cfg.d/05_logging.cfg" returns true on AWS EC2 instances.

How did you expect it to work?

AWS instances should not be detected as Tencent. When they are run time goes from ~10 minutes to > 30 minutes

Ninto · Answer 1 · Mon Feb 26 2024 02:11:50 GMT+0800 (China Standard Time)

I've encountered the same issue on physical servers running Ubuntu server

SirBroccoli · Answer 2 · Mon Feb 26 2024 03:51:27 GMT+0800 (China Standard Time)

Hi guys! Thanks for letting me know!
I have disabled the Tencent check until the author sends. PR with a better fingerprint. There should be a new release in a couple of minutes