New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add additional reliability and stability notes to modules #17634
Add additional reliability and stability notes to modules #17634
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've reviewed a few of these 6 files but already I'm seeing a worrying trend to use the same base template of CRASH_SAFE and REPEATABLE_SESSION for all of these files regardless of the nature of the vulnerability involved. I've noted a few cases here but ideally I think this point needs further consideration and will be pausing my review until we can come to some conclusion on this, as I'd prefer not to be giving people the false impression that these exploits are more reliable than they actually are.
'Notes' => { | ||
'Stability' => [ CRASH_SAFE ], | ||
'SideEffects' => [ IOC_IN_LOGS ], | ||
'Reliability' => [ REPEATABLE_SESSION ] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a good option given it this involves a race condition and two information leaks? Seems to me there is a small chance that the race condition might be lost here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The exploit runs in a loop; so it should be repeatable
metasploit-framework/modules/exploits/windows/scada/rockwell_factorytalk_rce.rb
Lines 205 to 212 in 4cab6cd
racer = Thread.new do | |
loop do | |
res = send_to_factory("/#{@shelly}") | |
if res.code == 200 | |
print_good("#{peer} - We've won the race condition, shell incoming!") | |
break | |
end | |
end |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's just a loop that the race condition code is trying to execute where it repeatedly tries to access the file we upload until it gets a 200 OK response. Whilst that certainly increases the chances, it doesn't guarantee that it will win the race every time. So long is there is a chance the race might be lost we shouldn't be using REPEATABLE_SESSION
here. I think something inbetween UNRELIABLE_SESSION
and FIRST_ATTEMPT_FAIL
would be great but unfortunately it doesn't look like we have a definition for "might fail more than the first time, but overall not terrible on reliability".
@adfoster-r7 Do you have any updates on the above? Would love to get this landed but have some outstanding concerns. |
Hoping to get this sorted next week-ish 👍 |
4cab6cd
to
4ce22ee
Compare
modules/exploits/multi/browser/chrome_cve_2021_21220_v8_insufficient_validation.rb
Outdated
Show resolved
Hide resolved
modules/exploits/multi/browser/chrome_simplifiedlowering_overflow.rb
Outdated
Show resolved
Hide resolved
'DefaultTarget' => 0, | ||
'Notes' => { | ||
'Stability' => [ CRASH_SAFE ], | ||
'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS ], |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Bit conflicted on the CONFIG_CHANGES since technically we aren't modifying a config file here, but we are adding a new bot. I'm not sure if we should remove CONFIG_CHANGES here on that basis.
modules/exploits/windows/http/fortilogger_arbitrary_fileupload.rb
Outdated
Show resolved
Hide resolved
modules/exploits/unix/fileformat/metasploit_libnotify_cmd_injection.rb
Outdated
Show resolved
Hide resolved
Bump, any update on this @adfoster-r7? This looks close to being able to be landed, just needs the issues mentioned above addressed. |
Sending this to the attic due to a lack of updates. We'll get back to this if its still a priority. |
Thanks for your contribution to Metasploit Framework! We've looked at this pull request, and we agree that it seems like a good addition to Metasploit, but it looks like it is not quite ready to land. We've labeled it What does this generally mean? It could be one or more of several things:
We would love to land this pull request when it's ready. If you have a chance to address all comments, we would be happy to reopen and discuss how to merge this! |
66b0e38
to
92758e2
Compare
92758e2
to
621625a
Compare
621625a
to
46f7669
Compare
46f7669
to
094d6ee
Compare
Release NotesReliability and stability notes that have been previously missing have been added to some modules. |
Add additional reliability and stability notes to modules
Verification