
post/multi/gather/ssh_creds should verify it has access to a file before reading it #12609

Closed
MangyCoyote opened this issue Nov 20, 2019 · 6 comments · Fixed by #12614

@MangyCoyote (Contributor)

Steps to reproduce

  • If you run the module post/multi/gather/ssh_creds as an unprivileged user, you might encounter the following exception(s) during looting:

[*] Looting 3 directories
[+] Downloaded /home/fox/.ssh/authorized_keys -> /root/.msf4/loot/20191119063443_default_10.28.175.104_ssh.authorized_k_668127.txt
[-] Could not load SSH Key: Neither PUB key nor PRIV key
[-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_fs_ls: Operation failed: 1
[-] Call stack:
[-] /usr/share/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/fs/dir.rb:62:in `entries'
[-] /usr/share/metasploit-framework/modules/post/multi/gather/ssh_creds.rb:47:in `block in download_loot'
[-] /usr/share/metasploit-framework/modules/post/multi/gather/ssh_creds.rb:43:in `each'
[-] /usr/share/metasploit-framework/modules/post/multi/gather/ssh_creds.rb:43:in `download_loot'
[-] /usr/share/metasploit-framework/modules/post/multi/gather/ssh_creds.rb:38:in `run'

Expected behavior

Should not throw an exception.
Read permission should be verified before accessing the file.

System stuff

Metasploit version

5.0.59-dev

I installed Metasploit with:

  • Kali package via apt

OS

What OS are you running Metasploit on?
Kali 2019.4

@bcoles (Contributor)

bcoles commented Nov 20, 2019

The module should use readable? from the Msf::Post::File mixin, or alternatively, rescue and continue.

  #
  # See if +path+ on the remote system exists and is readable
  #
  # @param path [String] Remote path to check
  #
  # @return [Boolean] true if +path+ exists and is readable
  #
  def readable?(path)
    raise "`readable?' method does not support Windows systems" if session.platform == 'windows'

    cmd_exec("test -r '#{path}' && echo true").to_s.include? 'true'
  end

@MangyCoyote (Contributor, Author)

Okay, did it via cmd_exec on my own. See PR.
If there is an alternative for executable? (required to verify you can access the folder), maybe I can rewrite the PR.
Or code an executable? method if it's missing and use it.

@MangyCoyote (Contributor, Author)

MangyCoyote commented Nov 20, 2019

I do not see an "executable?" method defined.
Extending the Msf::Post::File module with an "executable?" method and redoing the PR (ssh_creds.rb) might make more sense. Let me know your opinion.

@MangyCoyote (Contributor, Author)

Two open PRs at the moment.
I prefer the second PR to be accepted and the first one closed.
Up to you now.

@bcoles (Contributor)

bcoles commented Nov 21, 2019

Okay, did it via cmd_exec on my own.

Using the available mixin methods is preferred.

I do not see an "executable?" method defined.
Extending the Msf::Post::File module with an "executable?" method and redoing the PR (ssh_creds.rb) might make more sense. Let me know your opinion.

Agree that adding an executable? method makes sense.

However... why is it necessary to check if the directory is executable, rather than readable?

asdf@kali:~$ pwd
/home/asdf
asdf@kali:~$ ls -la
total 32
drwxr-xr-x 3 asdf asdf 4096 Nov 21 05:10 .
drwxr-xr-x 3 root root 4096 Nov 21 05:07 ..
-rw-r--r-- 1 asdf asdf  220 Nov 21 05:07 .bash_logout
-rw-r--r-- 1 asdf asdf 3391 Nov 21 05:07 .bashrc
-rw-r--r-- 1 asdf asdf 3526 Nov 21 05:07 .bashrc.original
-rw------- 1 asdf asdf   34 Nov 21 05:10 .lesshst
-rw-r--r-- 1 asdf asdf  807 Nov 21 05:07 .profile
drw------- 2 root root 4096 Nov 21 05:08 secret
asdf@kali:~$ ls -la /home/asdf/secret/
ls: cannot open directory '/home/asdf/secret/': Permission denied
asdf@kali:~$ test -r /home/asdf/ && echo true
true
asdf@kali:~$ test -r /home/asdf/secret/ && echo true
asdf@kali:~$ test -x /home/asdf/secret/ && echo true
asdf@kali:~$ 
asdf@kali:~$ 
asdf@kali:~$ ls -la
total 32
drwxr-xr-x 3 asdf asdf 4096 Nov 21 05:10 .
drwxr-xr-x 3 root root 4096 Nov 21 05:07 ..
-rw-r--r-- 1 asdf asdf  220 Nov 21 05:07 .bash_logout
-rw-r--r-- 1 asdf asdf 3391 Nov 21 05:07 .bashrc
-rw-r--r-- 1 asdf asdf 3526 Nov 21 05:07 .bashrc.original
-rw------- 1 asdf asdf   34 Nov 21 05:10 .lesshst
-rw-r--r-- 1 asdf asdf  807 Nov 21 05:07 .profile
drwx--x--x 2 root root 4096 Nov 21 05:08 secret
asdf@kali:~$ ls -la /home/asdf/secret/
ls: cannot open directory '/home/asdf/secret/': Permission denied
asdf@kali:~$ test -r /home/asdf/secret/ && echo true
asdf@kali:~$ test -x /home/asdf/secret/ && echo true
true

@MangyCoyote (Contributor, Author)

MangyCoyote commented Nov 21, 2019

The read bit (r) allows the affected user to list the files within the directory.
The execute bit (x) allows the affected user to enter the directory and access the files and directories inside it (= loot, in our case).

fox@kali:~/tmp$ ls -ld .ssh/
drwx------ 2 fox fox 4096 Nov 21 05:32 .ssh/
fox@kali:~/tmp$ ls -l .ssh/
total 4
-rw------- 1 fox fox 11 Nov 21 05:35 authorized_keys
fox@kali:~/tmp$ cat .ssh/authorized_keys
Lore ipsum
fox@kali:~/tmp$ chmod u-x .ssh/
fox@kali:~/tmp$ ls -ld .ssh/
drw------- 2 fox fox 4096 Nov 21 05:32 .ssh/
fox@kali:~/tmp$ cat .ssh/authorized_keys
cat: .ssh/authorized_keys: Permission denied
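The following is an added example, not code from Metasploit, from this module or from either PR in the thread. It puts the two checks the thread discusses side by side: readable?, written the same way as the Msf::Post::File method quoted above, and a hypothetical executable? counterpart built on `test -x`, then runs a loot loop that skips directories it cannot list (no r bit) or traverse (no x bit) and files it cannot read, rather than aborting on the first stdapi_fs_ls failure as in the report. FakeSession, SshLooter, FAKE_FS and executable? are all assumptions of this example; the session is faked from a table of permission bits so it runs offline and gives the same result whether or not it is run as root (a real `test -r` on a local file would always succeed for root).

```ruby
# Added example (not Metasploit code): readable?/executable? probes plus a
# permission-aware loot loop, driven by a fake session so it runs offline.

# Constructed fake target: path => what the unprivileged session user may do.
# :r = read (list, for a directory), :x = execute (traverse, for a directory).
# The entries mirror the cases shown in the thread.
FAKE_FS = {
  '/home/fox/.ssh'                     => { dir: true,  r: true,  x: true  },
  '/home/fox/.ssh/authorized_keys'     => { dir: false, r: true,  x: false },
  '/home/fox/.ssh/id_rsa'              => { dir: false, r: false, x: false },
  '/home/asdf/secret'                  => { dir: true,  r: false, x: false }, # drw------- root-owned
  '/home/asdf/secret/id_rsa'           => { dir: false, r: false, x: false },
  '/home/fox/tmp/.ssh'                 => { dir: true,  r: true,  x: false }, # after chmod u-x
  '/home/fox/tmp/.ssh/authorized_keys' => { dir: false, r: true,  x: false },
}.freeze

# Hypothetical stand-in for a Meterpreter session. It answers the
# `test -r/-x '<path>' && echo true` probes from the table and fails a
# directory listing the way the real session did in the bug report.
class FakeSession
  attr_reader :platform

  def initialize(fs, platform: 'linux')
    @fs = fs
    @platform = platform
  end

  def cmd_exec(cmd)
    m = cmd.match(/\Atest -([rx]) '([^']*)' && echo true\z/)
    return '' unless m
    entry = @fs[m[2]]
    entry && entry[m[1].to_sym] ? "true\n" : ''
  end

  # Listing needs the read bit on the directory.
  def entries(dir)
    raise 'stdapi_fs_ls: Operation failed: 1' unless @fs.dig(dir, :r)
    @fs.keys.select { |p| File.dirname(p) == dir }.map { |p| File.basename(p) }
  end

  # Opening a file needs the execute bit on its directory and r on the file.
  def read_file(path)
    unless @fs.dig(File.dirname(path), :x) && @fs.dig(path, :r)
      raise "Permission denied: #{path}"
    end
    "contents of #{path}"
  end
end

# Checks in the style of the Msf::Post::File mixin. executable? is the
# hypothetical addition proposed in the thread. Note that both quote the
# path with single quotes, as the real readable? does, so a path containing
# a single quote would need escaping before use.
module PostFileChecks
  def readable?(path)
    raise "`readable?' method does not support Windows systems" if session.platform == 'windows'
    session.cmd_exec("test -r '#{path}' && echo true").to_s.include?('true')
  end

  def executable?(path)
    raise "`executable?' method does not support Windows systems" if session.platform == 'windows'
    session.cmd_exec("test -x '#{path}' && echo true").to_s.include?('true')
  end
end

class SshLooter
  include PostFileChecks
  attr_reader :session

  def initialize(session)
    @session = session
  end

  # Returns { looted: [[path, data], ...], skipped: [path, ...] } and never
  # raises on an inaccessible directory or file.
  def download_loot(dirs)
    looted = []
    skipped = []
    dirs.each do |dir|
      # A directory needs r to list it and x to open the files inside it.
      unless readable?(dir) && executable?(dir)
        skipped << dir
        next
      end
      begin
        session.entries(dir).each do |name|
          path = File.join(dir, name)
          if readable?(path)
            looted << [path, session.read_file(path)]
          else
            skipped << path
          end
        end
      rescue RuntimeError => e # the "rescue and continue" fallback
        skipped << "#{dir} (#{e.message})"
      end
    end
    { looted: looted, skipped: skipped }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = SshLooter.new(FakeSession.new(FAKE_FS))
                    .download_loot(['/home/fox/.ssh', '/home/asdf/secret', '/home/fox/tmp/.ssh'])
  result[:looted].each { |path, _| puts "[+] Downloaded #{path}" }
  result[:skipped].each { |path| puts "[-] Skipped (no access): #{path}" }
end
```

Run as a script, it loots only /home/fox/.ssh/authorized_keys and reports the root-owned secret directory, the directory with r but no x, and the unreadable id_rsa as skipped, which is the behaviour the issue asks for.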
