From 6ea863ac3b650124b485f72ddeabf5278dfde7d7 Mon Sep 17 00:00:00 2001 From: Philipp Zeuner Date: Sun, 1 Mar 2020 20:26:51 +0100 Subject: [PATCH 1/7] Initial commit --- checks/check_extra777 | 64 +++++++++++++++++++++++++++++++++++++++++++ groups/group7_extras | 2 +- 2 files changed, 65 insertions(+), 1 deletion(-) create mode 100755 checks/check_extra777 diff --git a/checks/check_extra777 b/checks/check_extra777 new file mode 100755 index 00000000..92c9ff94 --- /dev/null +++ b/checks/check_extra777 @@ -0,0 +1,64 @@ +#!/usr/bin/env bash + +# Prowler - the handy cloud security tool (copyright 2019) by Toni de la Fuente +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not +# use this file except in compliance with the License. You may obtain a copy +# of the License at http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed +# under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR +# CONDITIONS OF ANY KIND, either express or implied. See the License for the +# specific language governing permissions and limitations under the License. + +CHECK_ID_extra777="7.77" +CHECK_TITLE_extra777="[extra777] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra777="NOT_SCORED" +CHECK_TYPE_extra777="EXTRA" +CHECK_ALTERNATE_check776="extra777" + +extra777(){ + CIDR_THRESHOLD=24 + RFC1918_REGEX="(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)" + textInfo "Looking for VPC security groups with wide-open ( Date: Mon, 2 Mar 2020 22:53:32 +0100 Subject: [PATCH 2/7] Updated check_extra777 to fix CHECK_ALTERNATE variable --- checks/check_extra777 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checks/check_extra777 b/checks/check_extra777 index 92c9ff94..2f1a4351 100755 --- a/checks/check_extra777 +++ b/checks/check_extra777 
@@ -15,7 +15,7 @@ CHECK_ID_extra777="7.77" CHECK_TITLE_extra777="[extra777] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra777="NOT_SCORED" CHECK_TYPE_extra777="EXTRA" -CHECK_ALTERNATE_check776="extra777" +CHECK_ALTERNATE_check777="extra777" extra777(){ CIDR_THRESHOLD=24 From f149fb7535b0f9e9eed4c38a174fdb0f09177561 Mon Sep 17 00:00:00 2001 From: Philipp Zeuner Date: Sun, 8 Mar 2020 08:15:20 +0100 Subject: [PATCH 3/7] Refactored check name to check_extra778 --- checks/{check_extra777 => check_extra778} | 12 ++++++------ groups/group7_extras | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) rename checks/{check_extra777 => check_extra778} (92%) diff --git a/checks/check_extra777 b/checks/check_extra778 similarity index 92% rename from checks/check_extra777 rename to checks/check_extra778 index 2f1a4351..1bae8215 100755 --- a/checks/check_extra777 +++ b/checks/check_extra778 
@@ -11,13 +11,13 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. -CHECK_ID_extra777="7.77" -CHECK_TITLE_extra777="[extra777] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) (Not Scored) (Not part of CIS benchmark)" -CHECK_SCORED_extra777="NOT_SCORED" -CHECK_TYPE_extra777="EXTRA" -CHECK_ALTERNATE_check777="extra777" +CHECK_ID_extra778="7.77" +CHECK_TITLE_extra778="[extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) (Not Scored) (Not part of CIS benchmark)" +CHECK_SCORED_extra778="NOT_SCORED" +CHECK_TYPE_extra778="EXTRA" +CHECK_ALTERNATE_check778="extra778" -extra777(){ +extra778(){ CIDR_THRESHOLD=24 RFC1918_REGEX="(^127\.)|(^10\.)|(^172\.1[6-9]\.)|(^172\.2[0-9]\.)|(^172\.3[0-1]\.)|(^192\.168\.)" textInfo "Looking for VPC security groups with wide-open ( Date: Sun, 8 Mar 2020 09:20:05 +0100 Subject: [PATCH 4/7] Fixed check_extra788 logic bug related to SECURITY_GROUP and improved check_cidr() isolation --- checks/check_extra778 | 25 ++++++++++++------------- 1 file changed, 12 insertions(+), 13 deletions(-) diff --git a/checks/check_extra778 b/checks/check_extra778 index 1bae8215..4de99cf8 100755 --- a/checks/check_extra778 +++ b/checks/check_extra778 @@ -23,32 +23,31 @@ extra778(){ textInfo "Looking for VPC security groups with wide-open ( Date: Sun, 8 Mar 2020 09:21:17 +0100 Subject: [PATCH 5/7] Updated check_extra778 to exclude 0.0.0.0/0 edge case --- checks/check_extra778 | 3 +++ 1 file changed, 3 insertions(+) diff --git a/checks/check_extra778 b/checks/check_extra778 index 4de99cf8..d6d362ca 100755 --- a/checks/check_extra778 +++ b/checks/check_extra778 
@@ -47,6 +47,9 @@ extra778(){ for CIDR_IP in ${CIDR_IP_LIST}; do if [[ ! ${CIDR_IP} =~ ${RFC1918_REGEX} ]]; then CIDR=$(echo ${CIDR_IP} | cut -d"/" -f2 | xargs) + + # Edge case "0.0.0.0/0" for RDP and SSH are checked already by check41 and check42 + if [[ ${CIDR} < ${CIDR_THRESHOLD} && 0 < ${CIDR} ]]; then textFail "${REGION}: ${SECURITY_GROUP} has potential wide-open non-RFC1918 address ${CIDR_IP} in ${DIRECTION} rule." "${REGION}" fi fi From 1b2b52e6a7eecd691db67b94816f7d30f9735c89 Mon Sep 17 00:00:00 2001 From: Philipp Zeuner Date: Sun, 8 Mar 2020 09:22:11 +0100 Subject: [PATCH 6/7] Fixed check_extra778 reference CHECK_ID --- checks/check_extra778 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checks/check_extra778 b/checks/check_extra778 index d6d362ca..d64a343c 100755 --- a/checks/check_extra778 +++ b/checks/check_extra778 @@ -11,7 +11,7 @@ # CONDITIONS OF ANY KIND, either express or implied. See the License for the # specific language governing permissions and limitations under the License. -CHECK_ID_extra778="7.77" +CHECK_ID_extra778="7.78" CHECK_TITLE_extra778="[extra778] Find VPC security groups with wide-open public IPv4 CIDR ranges (non-RFC1918) (Not Scored) (Not part of CIS benchmark)" CHECK_SCORED_extra778="NOT_SCORED" CHECK_TYPE_extra778="EXTRA" From cb5858d08a072342a3264f327f211d123abb24d5 Mon Sep 17 00:00:00 2001 From: Philipp Zeuner Date: Sun, 8 Mar 2020 09:56:52 +0100 Subject: [PATCH 7/7] Updated check_extra778 to use PROFILE_OPT and AWSCLI --- checks/check_extra778 | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/checks/check_extra778 b/checks/check_extra778 index d64a343c..42672348 100755 --- a/checks/check_extra778 +++ b/checks/check_extra778 
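Review bot: The added guard `if [[ ${CIDR} < ${CIDR_THRESHOLD} && 0 < ${CIDR} ]]` compares strings, not numbers: inside `[[ ]]` the `<` operator is lexicographic, so with `CIDR_THRESHOLD=24` a prefix length of 8 (and likewise 3 through 9) is not "less than" 24 because `"8"` sorts after `"24"`, and those very wide ranges are exactly what this check exists to flag. Use an arithmetic test instead: `if (( CIDR < CIDR_THRESHOLD && CIDR > 0 )); then` (or `-lt`/`-gt` inside `[[ ]]`). The new comment says `0.0.0.0/0` is already covered by check41 and check42 for RDP and SSH, which cannot be verified from this patch; as written, `0 < ${CIDR}` also skips a `/0` rule on any other port, so either narrow the exclusion or state in the comment that `/0` on other ports is deliberately out of scope here. The enclosing `for CIDR_IP` loop and its function start and end outside the hunk.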
@@ -37,7 +37,8 @@ extra778(){ ;; esac - CIDR_IP_LIST=$(aws ec2 describe-security-groups \ + CIDR_IP_LIST=$(${AWSCLI} ec2 describe-security-groups \ + ${PROFILE_OPT} \ --filter "Name=group-id,Values=${SECURITY_GROUP}" \ --query "SecurityGroups[*].${DIRECTION_FILTER}[*].IpRanges[*].CidrIp" \ --region ${REGION} \ @@ -57,7 +58,12 @@ extra778(){ } for regx in ${REGIONS}; do - SECURITY_GROUP_IDS=$(${AWSCLI} ec2 describe-security-groups --region ${regx} --query 'SecurityGroups[*].GroupId' --output text | xargs) + SECURITY_GROUP_IDS=$(${AWSCLI} ec2 describe-security-groups \ + ${PROFILE_OPT} \ + --region ${regx} \ + --query 'SecurityGroups[*].GroupId' \ + --output text | xargs + ) for SECURITY_GROUP in ${SECURITY_GROUP_IDS}; do check_cidr "${SECURITY_GROUP}" "inbound" "${regx}" check_cidr "${SECURITY_GROUP}" "outbound" "${regx}"
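Review bot: In the second hunk (`@@ -57,7 +58,12 @@`) the trailing `| xargs` inside `SECURITY_GROUP_IDS=$(...)` masks the exit status of `${AWSCLI} ec2 describe-security-groups`, so an API failure for a region (access denied, throttling, a region not enabled for the account) leaves `SECURITY_GROUP_IDS` empty and the region is silently reported with no findings; the first hunk's command continues past the hunk, so the same applies there if it also ends in a pipe. Since `for SECURITY_GROUP in ${SECURITY_GROUP_IDS}` already word-splits, the `xargs` is not needed; ending the substitution with `--output text) || { textInfo "${regx}: describe-security-groups failed, region skipped"; continue; }` makes a failed query visible instead of a false clean result. Leaving `${PROFILE_OPT}` unquoted looks intentional (it presumably expands to nothing or to a `--profile` pair), so a one-line comment saying so would stop a later reader from "fixing" it. Calling describe-security-groups once per group and per direction is also an N+1 pattern; one call per region that returns `GroupId` together with both rule sets' `IpRanges` would cut the API calls substantially.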