
[SeeRM #8803] Avoid false positives when checking fb_cnct_group #3379

Merged: 2 commits merged into rapid7:master on May 21, 2014

Conversation

jvazquez-r7
Contributor

Verification

  • Install Firebird-2.5.2.26540_0_Win32
  • Run the check from the module without this pull request; it should report the service as vulnerable:

        msf > use exploit/windows/misc/fb_cnct_group
        msf exploit(fb_cnct_group) > show options

        Module options (exploit/windows/misc/fb_cnct_group):

           Name   Current Setting  Required  Description
           ----   ---------------  --------  -----------
           RHOST                   yes       The target address
           RPORT  3050             yes       The target port


        Exploit target:

           Id  Name
           --  ----
           0   Windows FB 2.5.2.26539


        msf exploit(fb_cnct_group) > set rhost 172.16.158.157
        rhost => 172.16.158.157
        msf exploit(fb_cnct_group) > check
        [+] 172.16.158.157:3050 - The target is vulnerable.

  • Try to exploit it with the Debug target: no crash, and the service continues running:

        msf exploit(fb_cnct_group) > set target 4
        target => 4
        msf exploit(fb_cnct_group) > rexploit
        [*] Reloading module...

        [*] Started reverse handler on 172.16.158.1:4444
        [*] 172.16.158.157:3050 - Sending Connection Request For C:\qQjFtirEcKHvQ.fdb
        [*] Exploit completed, but no session was created.
        msf exploit(fb_cnct_group) > check
        [+] 172.16.158.157:3050 - The target is vulnerable.

  • Try the check with this pull request applied; the service shouldn't be reported as vulnerable, but detected:

        msf exploit(fb_cnct_group) > check
        [*] 172.16.158.157:3050 - The target service is running, but could not be validated.

@zeroSteiner
Contributor

I think this would still benefit from checking that version is one of the two values to help fingerprint that the service is Firebird. From my testing 0xffff800b is for the 2.1.x versions, while 0xffff800c is for the 2.5.x versions.

So maybe something similar to the following would work:

    opcode = data.unpack("N*")[0]   # first 32-bit big-endian word: operation code
    version = data.unpack("N*")[1]  # second word: protocol version reported by the server
    if opcode == 3 # Accept
      if [ 0xffff800b, 0xffff800c ].include?(version) # 2.1.x or 2.5.x
        return Exploit::CheckCode::Detected
      end
    end

@jvazquez-r7
Contributor Author

@zeroSteiner, are 2.1.x and 2.5.x the only branches affected? If that's the case then your patch makes sense. If older versions are also vulnerable I think the proposed:

    if opcode == 3 # Accept
      return Exploit::CheckCode::Detected
    end

is good enough. Don't you think? Or maybe:

    if opcode == 3 && version <= 0xffff800c
      return Exploit::CheckCode::Detected
    end

The last one only makes sense if older versions are also vulnerable and the version condition is good enough. I don't know how Firebird encodes versions really :S Just trying to solve the false positives (shame... :$)

Let me know your opinion! Thanks for reviewing!

@zeroSteiner
Contributor

I took a look at version 1.0.3 and it's vulnerable as well, and responds with 0x0000000a as its version. I think your original changes are going to be the best option.

Sorry for the confusion.

If you keep your original changes, setting version in version = data.unpack("N*")[1] on L95 is no longer necessary.
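The discussion above (the proposed version whitelist and the conclusion that 1.0.3, 2.1.x and 2.5.x all answer and are all affected) boils down to a small parsing decision. The following is an added example, not code from the metasploit-framework module or this PR: a stand-alone Ruby parser for the first two big-endian 32-bit words of a Firebird connect response, returning a Detected-style verdict on the accept opcode alone and using the version word only as a fingerprint hint. The function and constant names, and the sample replies, are constructed for this example; the opcode and version values are the ones quoted in the thread.

```ruby
# Added example, not part of the PR. Names are assumptions for illustration.

# Operation code the thread identifies as an accepted connection.
OP_ACCEPT = 3

# Version words quoted in the thread from the reviewers' testing:
#   0xffff800b -> Firebird 2.1.x, 0xffff800c -> Firebird 2.5.x,
#   0x0000000a -> Firebird 1.0.3. Used for labelling only, never for the
# verdict, because all three respond and all three are affected, so the
# word cannot separate a patched server from an unpatched one.
VERSION_HINTS = {
  0xffff800b => '2.1.x',
  0xffff800c => '2.5.x',
  0x0000000a => '1.0.x'
}.freeze

# Unpack the two leading 32-bit big-endian words. Returns nil when the
# reply is too short: a truncated or non-Firebird answer must not be
# mistaken for an accept.
def parse_fb_response(data)
  return nil if data.nil? || data.bytesize < 8
  opcode, version = data.unpack('N2')
  { opcode: opcode, version: version }
end

# Verdict modelled on Exploit::CheckCode semantics: :detected when the
# service answers with an accept opcode, :unknown otherwise (the module's
# "running, but could not be validated" outcome, not "vulnerable").
def fb_check(data)
  parsed = parse_fb_response(data)
  return :unknown if parsed.nil?
  return :unknown unless parsed[:opcode] == OP_ACCEPT
  :detected
end

# Human-readable branch guess for logging; does not influence fb_check.
def fb_version_hint(data)
  parsed = parse_fb_response(data)
  return nil if parsed.nil?
  VERSION_HINTS.fetch(parsed[:version], 'unrecognized')
end

# Constructed sample replies (not captured traffic).
ACCEPT_25 = [OP_ACCEPT, 0xffff800c].pack('N2')
ACCEPT_21 = [OP_ACCEPT, 0xffff800b].pack('N2')
ACCEPT_10 = [OP_ACCEPT, 0x0000000a].pack('N2')
REJECT    = [4, 0].pack('N2')
SHORT     = "\x00\x00\x00\x03" # only one word, no version

if __FILE__ == $PROGRAM_NAME
  [ACCEPT_25, ACCEPT_21, ACCEPT_10, REJECT, SHORT].each do |reply|
    puts "#{reply.unpack('C*').map { |b| format('%02x', b) }.join} " \
         "-> #{fb_check(reply)} (#{fb_version_hint(reply).inspect})"
  end
end
```

The point the example makes is the one zeroSteiner arrives at: any version whitelist either excludes affected builds (1.0.3 is not 0xffff800b or 0xffff800c) or has to grow with every test, while it never tells the check whether the bug is present, so it cannot justify upgrading Detected to Vulnerable.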

@jvazquez-r7
Contributor Author

@zeroSteiner right L95 wasn't needed anymore, deleted!

thanks for review!!

@zeroSteiner
Contributor

Thanks @jvazquez-r7 I'll land this once travis approves.

@jvazquez-r7
Contributor Author

@zeroSteiner since there is an RM ticket, remember to add [FixRM #3379] to the commit message when merging this branch. Thanks!

@zeroSteiner zeroSteiner merged commit b9464e6 into rapid7:master May 21, 2014
@jvazquez-r7
Contributor Author

Thanks @zeroSteiner !

@jvazquez-r7 jvazquez-r7 deleted the rm_8803 branch November 18, 2014 15:56