You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Metasploit's SSH client functionality is provided by the Net::SSH library. In order to streamline and configure it in a somewhat consistent manner for Metasploit's purposes the Msf::Exploit::Remote::SSH mixin defines the #ssh_client_defaults method.
Looking through the current Metasploit modules and libraries, it only appears to be used by the exploit/solaris/ssh/pam_username_bof module. This means that when options to fix bugs such as those proposed in #16318 are made, modules do not consistently get them. This notably means that many modules that use SSH client connections are likely still affected by the KEX issue identified in the aforementioned PR.
We should update SSH client usages to use the defaults to fix bugs like these.
The text was updated successfully, but these errors were encountered:
In addition to the KEX issue, modules are likely having to also configure their own socket factory to ensure that the connections can be made with Metasploit's Rex::Socket subsystem to ensure they can be pivoted. I haven't noticed any modules that fail to do this, but modules shouldn't have to handle that themselves.
Metasploit's SSH client functionality is provided by the Net::SSH library. In order to streamline and configure it in a somewhat consistent manner for Metasploit's purposes the
Msf::Exploit::Remote::SSH
mixin defines the#ssh_client_defaults
method.Looking through the current Metasploit modules and libraries, it only appears to be used by the
exploit/solaris/ssh/pam_username_bof
module. This means that when options to fix bugs such as those proposed in #16318 are made, modules do not consistently get them. This notably means that many modules that use SSH client connections are likely still affected by the KEX issue identified in the aforementioned PR.We should update SSH client usages to use the defaults to fix bugs like these.
The text was updated successfully, but these errors were encountered: