Add URL scheme and Base64.encode64 checks to msftidy #11361

Merged
merged 1 commit into from Feb 7, 2019

bcoles commented Feb 4, 2019

A few small updates to msftidy.

  • Now checks for http:// in the license comment header and suggests https://.
  • Makes use of the previously unused fixed method to offer a suggested fix for violations.
  • Also checks for Base64.encode64 and suggests Base64.strict_encode64.

The native Ruby Base64.encode64 method returns \n line wrapping for display, and also terminates the string with \n.

2.3.0 :001 > require 'base64'
 => true 
2.3.0 :002 > Base64.strict_encode64("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
 => "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=" 
2.3.0 :003 > Base64.encode64("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
 => "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB\nQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=\n" 
2.3.0 :004 > 

This is usually not what we want, and module authors have worked around this by gsubing whitespace:

# grep -rn "Base64.encode64" modules/
modules/exploits/multi/misc/osgi_console_exec.rb:114:    cmd_b64 = Base64.encode64(cmd).gsub(/\s+/, "")
modules/exploits/linux/http/trendmicro_sps_exec.rb:136:      data = Base64.encode64(public_key.public_encrypt(creds))
modules/exploits/linux/http/huawei_hg532n_cmdinject.rb:124:    Base64.encode64(sha256).gsub(/\s+/, "")
modules/auxiliary/admin/aws/aws_launch_instances.rb:110:        opts['UserData'] = URI.encode(Base64.encode64(open(datastore['USERDATA_FILE'], 'r').read).strip)

The check raises an info, rather than warn, because in a small number of situations it may be possible that an author will wish to output line-wrapped Base64 content to the console for easy copypasta. Usually, however, Base64 is used for encoding exploit data for the target.

Rex::Text.encode_base64 could also be used, rather than Base64.strict_encode64, however the check does not advise to use this method, as it's possible that the encoding may be performed outside of Metasploit context, such as within Ruby payload data.

2.3.0 :002 > Rex::Text.encode_base64 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 => "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE=" 
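
The two checks described in the comment above, sketched as a standalone line scanner. This is an added example, not code from the pull request or from msftidy: the `Finding` struct, `lint`, `added_newlines` and the sample source are hypothetical, and the level used for the URL check is an assumption.

```ruby
require 'base64'

# Hypothetical finding record; msftidy's own reporting code is not reproduced here.
Finding = Struct.new(:level, :line, :message, :fix)

# Constructed sample source, not taken from the Metasploit tree.
SAMPLE = <<~'SRC'
  ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  cmd_b64 = Base64.encode64(cmd).gsub(/\s+/, "")
  token = Base64.strict_encode64(creds)
  # Base64.encode64 in a comment is not flagged
SRC

def lint(source)
  findings = []
  in_header = true
  source.each_line.with_index(1) do |text, no|
    # The header is the leading run of comment lines.
    in_header &&= text.start_with?('#')
    if in_header && text.include?('http://')
      # Level for the URL check is an assumption; the PR text does not state it.
      findings << Finding.new(:info, no, 'http:// URL in comment header',
                              text.chomp.gsub('http://', 'https://'))
    end
    next if text.lstrip.start_with?('#')
    next unless text =~ /\bBase64\.encode64\b/
    # :info rather than :warn, as the PR describes: wrapped output is occasionally wanted.
    findings << Finding.new(:info, no, 'Base64.encode64 inserts newlines',
                            text.chomp.gsub('Base64.encode64', 'Base64.strict_encode64'))
  end
  findings
end

# Number of newlines encode64 adds that strict_encode64 does not.
def added_newlines(data)
  Base64.encode64(data).count("\n") - Base64.strict_encode64(data).count("\n")
end

if __FILE__ == $PROGRAM_NAME
  lint(SAMPLE).each { |f| puts "#{f.level} line #{f.line}: #{f.message}\n  fix: #{f.fix}" }
  puts "newlines added for 68 bytes: #{added_newlines('A' * 68)}"
end
```

Once the suggested fix is applied, a trailing `.gsub(/\s+/, "")` workaround like the one on the flagged line becomes redundant.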

@wvu-r7 wvu-r7 changed the title Add URL scheme and Base64.encode64 checks to msftdiy Add URL scheme and Base64.encode64 checks to msftidy Feb 5, 2019

@busterb busterb self-assigned this Feb 7, 2019

busterb commented Feb 7, 2019

Looks reasonable to me, thanks.

@busterb busterb merged commit d38e12c into rapid7:master Feb 7, 2019

3 checks passed

  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed

busterb added a commit that referenced this pull request Feb 7, 2019


busterb commented Feb 7, 2019

Release Notes

This adds some more common correctness checks for modules to the msftidy utility.

@bcoles bcoles deleted the bcoles:msftidy branch Feb 7, 2019

busterb added a commit that referenced this pull request Feb 7, 2019


busterb commented Feb 7, 2019

Note, added 46d7ab9 which fixed a bug when this actually triggered. I guessed at idx, since that's where it normally is. There are a few modules in master that trigger this, so free commits for someone.

jmartin-r7 added a commit that referenced this pull request Feb 7, 2019

jmartin-r7 added a commit that referenced this pull request Feb 7, 2019
