add explicit error handling to base login scanner #19252
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
adfoster-r7
reviewed
Jun 11, 2024
| @@ -251,8 +251,13 @@ def scan! | |||
| break if total_error_count >= 10 | |||
| end | |||
| end | |||
| rescue => e | |||
| elog('Attempt may not yield a result', error: e) | |||
| rescue Rex::ConnectionRefused, Rex::SocketError, Rex::HostCommunicationError, Rex::ConnectionError, RuntimeError, NoMethodError, TypeError, Rex::TimeoutError, OpenSSL::Cipher::CipherError, Rex::ConnectionProxyError, Errno::ECONNRESET, Errno::EINTR, Errno::EPIPE, ::SystemCallError, ::EOFError, Errno::ENOTCONN, ::Timeout::Error, Rex::Proto::Kerberos::Model::Error::KerberosEncryptionNotSupported, ::JSON::ParserError, Errno::ECONNRESET, OpenSSL::SSL::SSLError, Rex::StreamClosedError, ::Rex::Proto::Kerberos::Model::Error::KerberosError, Errno::ETIMEDOUT, StandardError => e | |||
There was a problem hiding this comment.
Some of these exceptions are definitely not login related issues, and are more likely exceptions raised by broken modules with Ruby issues - i.e. NoMethodError and RuntimeError and TypeError
Likewise rescue StandardError => e is just the same as rescue => e (details) - I think these code changes might need some more cycles spent on analysing the approach here 🤔
There was a problem hiding this comment.
Good call, I'll take another pass 🫡
zgoldman-r7
force-pushed
the
stop-login-scanner-swallowing-exceptions
branch
from
2f8be32
to
a511729
Compare
adfoster-r7
reviewed
Jun 12, 2024
| rescue => e | ||
| elog('Attempt may not yield a result', error: e) | ||
| rescue Rex::ConnectionRefused, Rex::SocketError, Rex::HostCommunicationError, Rex::ConnectionError, Rex::TimeoutError, OpenSSL::Cipher::CipherError, Rex::ConnectionProxyError, Errno::ECONNRESET, Errno::EINTR, Errno::EPIPE, ::SystemCallError, ::EOFError, Errno::ENOTCONN, ::Timeout::Error, Rex::Proto::Kerberos::Model::Error::KerberosEncryptionNotSupported, ::JSON::ParserError, Errno::ECONNRESET, OpenSSL::SSL::SSLError, Rex::StreamClosedError, ::Rex::Proto::Kerberos::Model::Error::KerberosError, Errno::ETIMEDOUT => e | ||
| framework_module.print_error("Error, scan may not produce results: #{e.message}") |
There was a problem hiding this comment.
Suggested change
| framework_module.print_error("Error, scan may not produce results: #{e.message}") | |
| framework_module.print_error("Error, scan may not produce results: #{e.message}") if framework_module |
There was a problem hiding this comment.
As framework_module might be nil
zgoldman-r7
force-pushed
the
stop-login-scanner-swallowing-exceptions
branch
from
275e80a
to
7b00ae8
Compare
adfoster-r7
reviewed
Jun 26, 2024
| rescue => e | ||
| elog('Attempt may not yield a result', error: e) | ||
| rescue Rex::ConnectionRefused, Rex::SocketError, Rex::ConnectionError, Rex::ConnectionProxyError, Rex::StreamClosedError, Rex::TimeoutError, ::Timeout::Error, Errno::ETIMEDOUT, Errno::ENOTCONN, Errno::ECONNRESET => e | ||
| framework_module.print_warning("Error, scan may not produce results: #{e.message}") if framework_module |
There was a problem hiding this comment.
It would be nice if this logged out the credential details that caused the issue - otherwise it doesn't align with the current output generated by the logging scanner
There was a problem hiding this comment.
diff --git a/lib/metasploit/framework/login_scanner/base.rb b/lib/metasploit/framework/login_scanner/base.rb
index 6b1ba2f820..6d0e5e9c85 100644
--- a/lib/metasploit/framework/login_scanner/base.rb
+++ b/lib/metasploit/framework/login_scanner/base.rb
@@ -251,8 +251,11 @@ module Metasploit
break if total_error_count >= 10
end
end
- rescue Rex::ConnectionRefused, Rex::SocketError, Rex::ConnectionError, Rex::ConnectionProxyError, Rex::StreamClosedError, Rex::TimeoutError, ::Timeout::Error, Errno::ETIMEDOUT, Errno::ENOTCONN, Errno::ECONNRESET => e
- framework_module.print_warning("Error, scan may not produce results: #{e.message}") if framework_module
+ rescue => e
+ if framework_module
+ prefix = framework_module.respond_to?(:peer) ? "#{framework_module.peer} - LOGIN FAILED:" : "LOGIN FAILED:"
+ framework_module.print_warning("#{prefix} #{credential.to_h} - Unhandled error - scan may not produce correct results: #{e.message} - #{e.backtrace}")
+ end
elog("Scan Error: #{e.message}", error: e)
consecutive_error_count += 1
total_error_count += 1
It's a bit verbose; but at least we'd be able to track down any issue that gets reported pretty fast
msf6 auxiliary(scanner/redis/redis_login) > run rhost=127.0.0.1 username=admin password=foo rport=6379
[!] 127.0.0.1:6379 - 127.0.0.1:6379 - LOGIN FAILED: {:private_data=>"foo", :private_type=>:password, :username=>nil, :realm_key=>nil, :realm_value=>nil} - Unhandled error - scan may not produce correct results: undefined method `strip' for nil:NilClass - ["/Users/user/Documents/code/metasploit-framework/modules/auxiliary/scanner/redis/redis_login.rb:110:in `block in run_host'", "/Users/user/Documents/code/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:234:in `block in scan!'", "/Users/user/Documents/code/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:179:in `block in each_credential'", "/Users/user/Documents/code/metasploit-framework/lib/metasploit/framework/credential_collection.rb:94:in `block in each_filtered'", "/Users/user/Documents/code/metasploit-framework/lib/metasploit/framework/credential_collection.rb:111:in `each_unfiltered'", "/Users/user/Documents/code/metasploit-framework/lib/metasploit/framework/credential_collection.rb:91:in `each_filtered'", "/Users/user/Documents/code/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:141:in `each_credential'", "/Users/user/Documents/code/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:205:in `scan!'", "/Users/user/Documents/code/metasploit-framework/modules/auxiliary/scanner/redis/redis_login.rb:83:in `run_host'", "/Users/user/Documents/code/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:128:in `block (2 levels) in run'", "/Users/user/Documents/code/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'"]
7b00ae8
to
4316d52
Compare
Release NotesImproves error logging for unhandled exceptions for login scanners |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Continuation of #17959
This PR addresses a silent catch-all rescue in our base login scanner. Previously, exceptions not caught by whatever login scanner implementation was being used would silently fail:
This adds explicit error catching for known errors.
This exception list is pulled from the exceptions potentially raised by each of the modules, excluding exceptions specific to one module that are already caught.
Verification
List the steps needed to make sure this thing works
msfconsolelogin_scannersuch asmssql_loginraisein the module)