Land rapid7#19297, improve redis scanner logic to handle no auth scenario

Author: adfoster-r7

lib/metasploit/framework/login_scanner/redis.rb

@@ -15,12 +15,40 @@ class Redis
         include Metasploit::Framework::LoginScanner::RexSocket
         include Metasploit::Framework::Tcp::Client
 
+        # Required to be able to invoke the scan! method from the included Base module.
+        # We do not use inheritance, so overwriting a method and relying on super does
+        # not work in this case.
+        alias parent_scan! scan!
+
         DEFAULT_PORT          = 6379
         LIKELY_PORTS          = [ DEFAULT_PORT ]
         LIKELY_SERVICE_NAMES  = [ 'redis' ]
         PRIVATE_TYPES         = [ :password ]
         REALM_KEY             = nil
 
+        # Attempt to login with every {Credential credential} in
+        # {#cred_details}, by calling {#attempt_login} once for each.
+        #
+        # If a successful login is found for a user, no more attempts
+        # will be made for that user. If the scanner detects that no
+        # authentication is required, no further attempts will be made
+        # at all.
+        #
+        # @yieldparam result [Result] The {Result} object for each attempt
+        # @yieldreturn [void]
+        # @return [void]
+        def scan!(&block)
+          first_credential = to_enum(:each_credential).first
+          result = attempt_login(first_credential)
+          result.freeze
+
+          if result.status == Metasploit::Model::Login::Status::NO_AUTH_REQUIRED
+            yield result if block_given?
+          else
+            parent_scan!(&block)
+          end
+        end
+
         # This method can create redis command which can be read by redis server
         def redis_proto(command_parts)
           return if command_parts.blank?
@@ -45,17 +73,25 @@ def attempt_login(credential)
             service_name: 'redis'
           }
 
-          disconnect if self.sock
+          disconnect if sock
 
           begin
             connect
             select([sock], nil, nil, 0.4)
 
-            command = redis_proto(['AUTH', credential.private.to_s])
+            # Skip this call if we're dealing with an older redis version.
+            response = authenticate(credential.public.to_s, credential.private.to_s) unless @older_redis
 
-            sock.put(command)
+            # If we're dealing with an older redis version or the previous call failed,
+            # try the backwards compatibility call instead.
+            # We also set the @older_redis to true if we haven't as we might be entering this
+            # block from the match response.
+            if @older_redis || (response && response.match(::Rex::Proto::Redis::Base::Constants::WRONG_ARGUMENTS_FOR_AUTH))
+              @older_redis ||= true
+              response = authenticate_pre_v6(credential.private.to_s)
+            end
 
-            result_options[:proof] = sock.get_once
+            result_options[:proof] = response
             result_options[:status] = validate_login(result_options[:proof])
           rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE => e
             result_options.merge!(
@@ -64,13 +100,36 @@ def attempt_login(credential)
             )
           end
 
-          disconnect if self.sock
+          disconnect if sock
 
           ::Metasploit::Framework::LoginScanner::Result.new(result_options)
         end
 
         private
 
+        # Authenticates against Redis using the provided credentials arguments.
+        # Takes either a password, or a username and password combination.
+        #
+        # @param [String] username The username to authenticate with, defaults to 'default'
+        # @param [String] password The password to authenticate with.
+        # @return [String] The response from Redis for the AUTH command.
+        def authenticate(username, password)
+          command = redis_proto(['AUTH', username.blank? ? 'default' : username, password])
+          sock.put(command)
+          sock.get_once
+        end
+
+        # Authenticates against Redis using the provided password.
+        # This method is for older Redis instances of backwards compatibility.
+        #
+        # @param [String] password The password to authenticate with.
+        # @return [String] The response from Redis for the AUTH command.
+        def authenticate_pre_v6(password)
+          command = redis_proto(['AUTH', password])
+          sock.put(command)
+          sock.get_once
+        end
+
         # Validates the login data received from Redis and returns the correct Login status
         # based upon the contents Redis sent back:
         #

lib/rex/proto/redis/base.rb

@@ -6,10 +6,11 @@ module Redis
       # and include the constants from there, or use the functionality defined there.
       module Base
         module Constants
-          AUTHENTICATION_REQUIRED = /(?<auth_response>NOAUTH Authentication required)/i
-          NO_PASSWORD_SET         = /(?<auth_response>ERR Client sent AUTH, but no password is set)/i
-          WRONG_PASSWORD          = /(?<auth_response>ERR invalid password)/i
-          OKAY                    = /\+OK/i
+          AUTHENTICATION_REQUIRED   = /(?<auth_response>NOAUTH Authentication required)/i
+          NO_PASSWORD_SET           = /(?<auth_response>ERR Client sent AUTH, but no password is set)/i
+          WRONG_PASSWORD            = /(?<auth_response>ERR invalid password)/i
+          WRONG_ARGUMENTS_FOR_AUTH  = /(?<auth_response>ERR wrong number of arguments for 'auth' command)/i
+          OKAY                      = /\+OK/i
         end
       end
     end

spec/lib/metasploit/framework/login_scanner/redis_spec.rb

@@ -4,9 +4,9 @@
 RSpec.describe Metasploit::Framework::LoginScanner::Redis do
   let(:socket) { double('Socket') }
 
-  def update_socket_res(res)
+  def update_socket_res(*res)
     allow(socket).to receive(:put)
-    allow(socket).to receive(:get_once).and_return(res)
+    allow(socket).to receive(:get_once).and_return(*res)
     allow(subject).to receive(:sock).and_return(socket)
   end
 
@@ -40,6 +40,21 @@ def update_socket_res(res)
     end
 
     context 'with Redis version < 6' do
+      context 'when server returns incorrect arguments' do
+        let(:res) do
+          [
+            "-ERR wrong number of arguments for 'auth' command",
+            '+OK'
+          ]
+        end
+
+        before { update_socket_res(*res) }
+
+        it 'successfully retries and gets the correct response' do
+          expect(subject.attempt_login(credential).status).to eq(Metasploit::Model::Login::Status::SUCCESSFUL)
+        end
+      end
+
       context 'when server returns no password is set' do
         let(:res) { '-ERR Client sent AUTH, but no password is set' }