
Fix missing attributes on LDAP SSL sockets #19751

Merged (1 commit), Jan 7, 2025

Conversation


@zeroSteiner zeroSteiner commented Dec 19, 2024

Metasploit's LDAP sockets use the SSL wrapping logic provided by the Net::LDAP module. This means the socket gets swapped to an OpenSSL socket when SSL is enabled and the socket doesn't have some attributes that Metasploit expects. When that socket is treated as one used for a session, this missing information gets propagated up and is shown to the user. This is the issue described in #19744.

This change fixes it by extending the SSL socket after it's set up with the Forwardable module and defines delegators for the #localinfo and #peerinfo to come from the underlying socket (@io). This allows the local and peer socket address to be passed up and displayed to the user. Previously, the missing attribute would cause an exception to be raised which would result in an address of 127.0.0.1 being shown to the user for a session.

Verification

  • Start msfconsole
  • Use the ldap/ldap_login module
  • Set CreateSession and SSL to true, enable the SSL session feature if necessary
  • Set the rest of the options to valid values so a session can be opened
  • Run the module and get a session
  • See the correct address information shown in the output instead of 127.0.0.1

Demo (Old and Broken)

metasploit-framework (S:3 J:0) auxiliary(scanner/ldap/ldap_login) > run LDAP::Auth=ntlm
[+] 192.168.159.10:636 - Success: 'smcintyre:Password1!'
[*] LDAP session 4 opened (127.0.0.1 -> 127.0.0.1) at 2024-12-19 13:58:46 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 1 credential was successful.
[*] 1 LDAP session was opened successfully.
[*] Auxiliary module execution completed
metasploit-framework (S:4 J:0) auxiliary(scanner/ldap/ldap_login) >

Demo (New and Fixed)

metasploit-framework (S:1 J:0) auxiliary(scanner/ldap/ldap_login) > run
[+] 192.168.159.10:636 - Success: 'smcintyre:Password1!'
[*] LDAP session 2 opened (192.168.159.128:36377 -> 192.168.159.10:636) at 2024-12-19 15:00:57 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 1 credential was successful.
[*] 1 LDAP session was opened successfully.
[*] Auxiliary module execution completed
metasploit-framework (S:2 J:0) auxiliary(scanner/ldap/ldap_login) >
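The delegation pattern the description refers to, as an added example that is not the PR's own code. It wraps an unconnected socket pair in a real OpenSSL::SSL::SSLSocket (no handshake is needed to inspect the wrapper object), adds stand-in #localinfo/#peerinfo accessors to the plain socket in place of what Rex::Socket provides, and shows the missing-attribute behaviour before and after the Forwardable fix. The FakeAddrInfo module, the helper names and the loopback fallback in session_addresses are assumptions used to mirror the symptom the PR describes; the address strings are constructed from the demo output above.

```ruby
require 'forwardable'
require 'openssl'
require 'socket'

# Stand-in for the address accessors Rex::Socket adds to plain sockets.
# Constructed values taken from the PR demo; Metasploit derives the real
# ones from the socket's local and peer address.
module FakeAddrInfo
  def localinfo; '192.168.159.128:36377'; end
  def peerinfo;  '192.168.159.10:636'; end
end

# Build an SSLSocket over one side of an unconnected socket pair. No TLS
# handshake is performed; only the wrapper object's attributes matter here.
def build_ssl_socket
  plain, _other = UNIXSocket.pair
  plain.extend(FakeAddrInfo)
  OpenSSL::SSL::SSLSocket.new(plain, OpenSSL::SSL::SSLContext.new)
end

# Simplified model of the symptom: when the accessors are missing, the
# session display falls back to loopback (assumption, not Metasploit's code).
def session_addresses(sock)
  [sock.localinfo, sock.peerinfo]
rescue NoMethodError
  ['127.0.0.1', '127.0.0.1']
end

# The fix described in the PR: extend the SSL socket instance with Forwardable
# and delegate both accessors to the wrapped socket held in its @io ivar.
# Forwardable defines the delegators on the instance's singleton class.
def forward_addr_info!(ssl_sock)
  ssl_sock.extend(Forwardable)
  ssl_sock.def_delegators :@io, :localinfo, :peerinfo
  ssl_sock
end

if $PROGRAM_NAME == __FILE__
  sock = build_ssl_socket
  puts "before: #{session_addresses(sock).join(' -> ')}"
  forward_addr_info!(sock)
  puts "after:  #{session_addresses(sock).join(' -> ')}"
end
```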

@smcintyre-r7 smcintyre-r7 added library bug rn-fix release notes fix labels Dec 19, 2024
@jheysel-r7 jheysel-r7 self-assigned this Jan 7, 2025
@jheysel-r7

Thanks for the fix @zeroSteiner 🙏 Testing was as expected; also verified that when SSL is not in use the socket still has the required attributes accessible to it.

Old and Broken

msf6 auxiliary(scanner/ldap/ldap_login) > set domain kerberos.issue
domain => kerberos.issue
msf6 auxiliary(scanner/ldap/ldap_login) > set password N0tpassword!
password => N0tpassword!
msf6 auxiliary(scanner/ldap/ldap_login) > set rhost 172.16.199.200
rhost => 172.16.199.200
msf6 auxiliary(scanner/ldap/ldap_login) > set username Administrator
username => Administrator
msf6 auxiliary(scanner/ldap/ldap_login) > set ssl true
[!] Changing the SSL option's value may require changing RPORT!
ssl => true
msf6 auxiliary(scanner/ldap/ldap_login) > set rport 636
rport => 636
msf6 auxiliary(scanner/ldap/ldap_login) > run
[!] No active DB -- Credential data will not be saved!
[+] 172.16.199.200:636 - Success: 'Administrator:N0tpassword!'
[*] LDAP session 1 opened (127.0.0.1 -> 127.0.0.1) at 2025-01-07 09:33:07 -0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 1 credential was successful.
[*] 1 LDAP session was opened successfully.
[*] Auxiliary module execution completed

New and Improved

msf6 auxiliary(scanner/ldap/ldap_login) > run
[!] No active DB -- Credential data will not be saved!
[+] 172.16.199.200:636 - Success: 'Administrator:N0tpassword!'
[*] LDAP session 1 opened (172.16.199.1:57684 -> 172.16.199.200:636) at 2025-01-07 09:40:18 -0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 1 credential was successful.
[*] 1 LDAP session was opened successfully.
[*] Auxiliary module execution completed

@jheysel-r7 jheysel-r7 merged commit d560a32 into rapid7:master Jan 7, 2025
42 checks passed
@jheysel-r7

Release Notes

There was an issue present in the ldap library which caused the local and peer socket addresses to be incorrectly reported to the user when a session was created via the ldap_login module when SSL was enabled. This change fixes the issue by extending the SSL socket after it's set up with the Forwardable module and defines delegators for the #localinfo and #peerinfo to come from the underlying socket (@io).

Successfully merging this pull request may close these issues.

ldap/ldap_login module reports incorrect IP addresses for sessions