Land #8, @hmoore-r7's updates to SM modules

Tod Beardsley · Tod Beardsley · commit ef41dca1f068 · 2013-11-06T14:11:04.000-06:00
diff --git a/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb b/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb
@@ -14,15 +14,16 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'        => 'Supermicro Onboard IPMI Buffer Overflow Scanner',
+      'Name'        => 'Supermicro Onboard IPMI CGI Vulnerability Scanner',
       'Description' => %q{
-        This module checks a Supermicro Onboard IPMI web interface against
-        several unauthenticated buffer overflows. The vulnerabilities exist
-        on the login.cgi and close_window.cgi components.
+        This module checks for known vulnerabilities in the CGI applications of 
+        Supermicro Onboard IPMI controllers. These issues currently include
+        several unauthenticated buffer overflows in the login.cgi and close_window.cgi
+        components.
       },
       'Author'       =>
         [
-          'hdm', #Discovery and Metasploit module
+          'hdm', # Discovery and analysis
           'juan vazquez' # Metaspliot module
         ],
       'License'     => MSF_LICENSE,
@@ -118,11 +119,11 @@ def check_login
 
 
   def run_host(ip)
-    vprint_status("#{peer} - Checking if it's a Supermicro web interface...")
+    vprint_status("#{peer} - Checking if it's a Supermicro IPMI web interface...")
     if is_supermicro?
-      vprint_good("#{peer} - Supermicro web interface found")
+      vprint_good("#{peer} - Supermicro IPMI web interface found")
     else
-      vprint_error("#{peer} - Supermicro web interface not found")
+      vprint_error("#{peer} - Supermicro IPMI web interface not found")
       return
     end
 
@@ -139,10 +140,10 @@ def run_host(ip)
       })
     end
 
-    vprint_status("#{peer} - Checking CVE-2013-3623 (close_window.gi buffer overflow) ...")
+    vprint_status("#{peer} - Checking CVE-2013-3623 (close_window.gi Buffer Overflow) ...")
     result = check_close_window
     if result
-      print_good("#{peer} - Vulnerable to CVE-2013-3623 (close_window.cgi buffer overflow)")
+      print_good("#{peer} - Vulnerable to CVE-2013-3623 (close_window.cgi Buffer Overflow)")
       report_vuln({
         :host  => rhost,
         :port  => rport,
diff --git a/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb b/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb
@@ -32,18 +32,17 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize
     super(
-      'Name'        => 'Supermicro Onboard IPMI Static Encryption Key Scanner',
+      'Name'        => 'Supermicro Onboard IPMI Static SSL Certificate Scanner',
       'Description' => %q{
-        This module checks the certificate of the specified web servers. The Supermicro Onboard
-        IPMI firmware ships with harcoded private encryption keys for both the Lighttpd web server
-        SSL interface and the Dropbear SSH daemon. An attacker with access to the publicly available
-        Supermicro firmware can perform man-in-the-middle and offline decryption of communication to
-        the firmware. This module has been on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware
-        SMT_X9_214.
+        This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI
+        controllers. An attacker with access to the publicly-available firmware can perform 
+        man-in-the-middle attacks and offline decryption of communication to the controller.
+        This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware
+        version SMT_X9_214.
       },
       'Author'       =>
         [
-          'hdm', # Discovery and Metasploit module
+          'hdm', # Discovery and analysis
           'juan' # Metasploit module
         ],
       'License'     => MSF_LICENSE,
@@ -76,7 +75,7 @@ def run_host(ip)
     result = cert.verify(pkey)
 
     if result
-      print_good("#{ip}:#{rport} - Found service using Supermicro IPMI static private key to encrypt communications")
+      print_good("#{ip}:#{rport} - Vulnerable to CVE-2013-3619 (Static SSL Certificate)")
       # Report with the the SSL Private Key hash for the host
       digest = OpenSSL::Digest::SHA1.new(pkey.public_key.to_der).to_s.scan(/../).join(":")
       report_note(
@@ -91,7 +90,7 @@ def run_host(ip)
         :host  => rhost,
         :port  => rport,
         :proto => 'tcp',
-        :name  => "Supermicro Onboard IPMI Static Encryption Keys",
+        :name  => "Supermicro Onboard IPMI Static SSL Certificate",
         :refs  => self.references
       })
     end
diff --git a/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb b/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb
@@ -15,14 +15,15 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'        => 'Supermicro Onboard IPMI Directory Taversal',
+      'Name'        => 'Supermicro Onboard IPMI url_redirect.cgi Authenticated Directory Traversal',
       'Description' => %q{
-        This module abuses a directory traversal on the web interface for Supermicro Onboard IPMI. The
-        vulnerability exists in the url_redirect.cgi CGI application, due to a lack of sanitization
-        of the url_name parameter. This may allow an attacker with a valid, but not necessarily
-        administrator-level account, to access the contents of any file on the system. This includes
-        the /nv/PSBlock file, which contains the cleartext credentials for all configured accounts.
-        This module has been tested on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214.
+        This module abuses a directory traversal vulnerability in the url_redirect.cgi application 
+        accessible through the web interface of Supermicro Onboard IPMI controllers.  The vulnerability
+        is present due to a lack of sanitization of the url_name parameter. This allows an attacker with
+        a valid, but not necessarily administrator-level account, to access the contents of any file
+        on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for
+        all configured accounts. This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM) 
+        with firmware version SMT_X9_214.
       },
       'Author'       =>
         [
@@ -57,7 +58,7 @@ def is_supermicro?
         "method"    => "GET"
       })
 
-    if res and res.code == 200 and res.body =~ /ATEN International Co Ltd\./
+    if res and res.code == 200 and res.body.to_s =~ /ATEN International Co Ltd\./
       return true
     else
       return false
