MS-9454 Redis Scanner: Support versions

Updating the Redis Login Scanner to properly support all versions of Redis and their implementations to handle the `AUTH` command.

Author: adeherdt-r7

documentation/modules/auxiliary/scanner/redis/redis_login.md

@@ -4,10 +4,19 @@ database with optional durability. Redis supports different kinds of abstract da
 such as strings, lists, maps, sets, sorted sets, HyperLogLogs, bitmaps, streams, and spatial indexes.
 
 This module is login utility to find the password of the Redis server by bruteforcing the login portal.
-Note that Redis does not require a username to log in; login is done purely via supplying a valid password.
 
 A complete installation guide for Redis can be found [here](https://redis.io/topics/quickstart)
 
+### Redis Authentication
+
+Redis has several ways to support secure connections to the in-memory database:
+
+* Prior to Redis 6, the `requirepass` directive could be set, setting a master password for all connections.
+  This requires the usage of the `AUTH <password>` command before executing any commands on the cluster.
+* After Redis 6, the `requirepass` directive sets a password for the default user `default`
+  * The `AUTH` command now takes two arguments instead of one: `AUTH <username> <password>`
+  * The `AUTH` command still accepts a single arguments, but defaults to the user `default`
+
 ## Setup
 
 Run redis in docker without auth:

lib/metasploit/framework/login_scanner/redis.rb

@@ -1,6 +1,7 @@
 require 'metasploit/framework/login_scanner/base'
 require 'metasploit/framework/login_scanner/rex_socket'
 require 'metasploit/framework/tcp/client'
+require 'rex/proto/redis'
 
 module Metasploit
   module Framework
@@ -19,11 +20,6 @@ class Redis
         LIKELY_SERVICE_NAMES  = [ 'redis' ]
         PRIVATE_TYPES         = [ :password ]
         REALM_KEY             = nil
-        OLD_PASSWORD_NOT_SET  = /but no password is set/i
-        PASSWORD_NOT_SET      = /without any password configured/i
-        WRONG_PASSWORD_SET    = /^-WRONGPASS/i
-        INVALID_PASSWORD_SET  = /^-ERR invalid password/i
-        OK                    = /^\+OK/
 
         # This method can create redis command which can be read by redis server
         def redis_proto(command_parts)
@@ -84,15 +80,23 @@ def attempt_login(credential)
         def validate_login(data)
           return if data.nil?
 
-          return Metasploit::Model::Login::Status::NO_AUTH_REQUIRED if data =~ OLD_PASSWORD_NOT_SET
-          return Metasploit::Model::Login::Status::NO_AUTH_REQUIRED if data =~ PASSWORD_NOT_SET
-          return Metasploit::Model::Login::Status::INCORRECT if (data =~ INVALID_PASSWORD_SET) == 0
-          return Metasploit::Model::Login::Status::INCORRECT if (data =~ WRONG_PASSWORD_SET) == 0
-          return Metasploit::Model::Login::Status::SUCCESSFUL if (data =~ OK) == 0
+          return Metasploit::Model::Login::Status::NO_AUTH_REQUIRED if no_password_set?(data)
+          return Metasploit::Model::Login::Status::INCORRECT if invalid_password?(data)
+          return Metasploit::Model::Login::Status::SUCCESSFUL if data.match(::Rex::Proto::Redis::Base::Constants::OKAY)
 
           nil
         end
 
+        def no_password_set?(data)
+          data.match(::Rex::Proto::Redis::Base::Constants::NO_PASSWORD_SET) ||
+            data.match(::Rex::Proto::Redis::Version6::Constants::NO_PASSWORD_SET)
+        end
+
+        def invalid_password?(data)
+          data.match(::Rex::Proto::Redis::Base::Constants::WRONG_PASSWORD) ||
+            data.match(::Rex::Proto::Redis::Version6::Constants::WRONG_PASSWORD)
+        end
+
         # (see Base#set_sane_defaults)
         def set_sane_defaults
           self.connection_timeout ||= 30

lib/msf/core/auxiliary/redis.rb

@@ -10,12 +10,9 @@ module Auxiliary::Redis
     include Auxiliary::Scanner
     include Auxiliary::Report
 
-    REDIS_UNAUTHORIZED_RESPONSE = /(?<auth_response>ERR operation not permitted|NOAUTH Authentication required)/i
-
     #
     # Initializes an instance of an auxiliary module that interacts with Redis
     #
-
     def initialize(info = {})
       super
       register_options(
@@ -52,12 +49,14 @@ def redis_command(*commands)
         vprint_error("No response to '#{command_string}'")
         return
       end
-      if match = command_response.match(REDIS_UNAUTHORIZED_RESPONSE)
+      if (match = authentication_required?(command_response))
         auth_response = match[:auth_response]
+
         fail_with(::Msf::Module::Failure::BadConfig, "#{peer} requires authentication but Password unset") unless datastore['Password']
         vprint_status("Requires authentication (#{printable_redis_response(auth_response, false)})")
+
         if (auth_response = send_redis_command('AUTH', datastore['PASSWORD']))
-          unless auth_response =~ /\+OK/
+          unless auth_response =~ Rex::Proto::Redis::Base::Constants::OKAY
             vprint_error("Authentication failure: #{printable_redis_response(auth_response)}")
             return
           end
@@ -87,6 +86,13 @@ def printable_redis_response(response_data, convert_whitespace = true)
 
     private
 
+    # Verifies whether the response indicates if authentication is required
+    # @return [RESPParser] Returns a matched response if a hit is there; otherwise nil.
+    def authentication_required?(response)
+      response.match(Rex::Proto::Redis::Base::Constants::AUTHENTICATION_REQUIRED) ||
+        response.match(Rex::Proto::Redis::Version6::Constants::AUTHENTICATION_REQUIRED)
+    end
+
     def redis_proto(command_parts)
       return if command_parts.blank?
       command = "*#{command_parts.length}\r\n"

lib/rex/proto/redis.rb

@@ -0,0 +1,13 @@
+require 'rex/proto/redis/base'
+require 'rex/proto/redis/version6'
+
+module Rex
+  module Proto
+    # Protocol module inside the Rex namespace to support Redis.
+    # Because the behavior of Redis changes between certain versions,
+    # dedicated submodules exist for each version
+    module Redis
+
+    end
+  end
+end

lib/rex/proto/redis/base.rb

@@ -0,0 +1,17 @@
+module Rex
+  module Proto
+    module Redis
+      # Module containing the constants and functionality for any Redis version.
+      # When a behavior changes, check whether a more recent version module exits
+      # and include the constants from there, or use the functionality defined there.
+      module Base
+        module Constants
+          AUTHENTICATION_REQUIRED = /(?<auth_response>NOAUTH Authentication required)/i
+          NO_PASSWORD_SET         = /(?<auth_response>ERR Client sent AUTH, but no password is set)/i
+          WRONG_PASSWORD          = /(?<auth_response>ERR invalid password)/i
+          OKAY                    = /\+OK/i
+        end
+      end
+    end
+  end
+end

lib/rex/proto/redis/version6.rb

@@ -0,0 +1,15 @@
+module Rex
+  module Proto
+    module Redis
+      # Module containing the required constants and functionality
+      # specifically for Redis 6 and newer.
+      module Version6
+        module Constants
+          AUTHENTICATION_REQUIRED = /(?<auth_response>NOAUTH Authentication required)/i
+          NO_PASSWORD_SET         = /(?<auth_response>ERR AUTH <password> called without any password configured for the default user. Are you sure your configuration is correct?)/i
+          WRONG_PASSWORD          = /(?<auth_response>WRONGPASS invalid username-password pair or user is disabled)/i
+        end
+      end
+    end
+  end
+end

modules/auxiliary/scanner/redis/redis_login.rb

@@ -6,6 +6,11 @@
 require 'metasploit/framework/login_scanner/redis'
 require 'metasploit/framework/credential_collection'
 
+# Metasploit Module - Redis Login Scanner
+#
+# @example
+#   use auxiliary/scanner/redis/login
+#
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::Tcp
   include Msf::Auxiliary::Scanner
@@ -45,7 +50,12 @@ def initialize(info = {})
   def requires_password?(_ip)
     connect
     command_response = send_redis_command('INFO')
-    !(command_response && REDIS_UNAUTHORIZED_RESPONSE !~ command_response)
+
+    ## Check against the old and new password required response to support all Redis versions
+    !(
+      (command_response && Rex::Proto::Redis::Base::Constants::AUTHENTICATION_REQUIRED !~ command_response) ||
+        (command_response && Rex::Proto::Redis::Version6::Constants::AUTHENTICATION_REQUIRED !~ command_response)
+    )
   end
 
   def run_host(ip)

spec/lib/metasploit/framework/login_scanner/redis_spec.rb

@@ -2,9 +2,9 @@
 require 'metasploit/framework/login_scanner/redis'
 
 RSpec.describe Metasploit::Framework::LoginScanner::Redis do
+  let(:socket) { double('Socket') }
 
   def update_socket_res(res)
-    socket = double('Socket')
     allow(socket).to receive(:put)
     allow(socket).to receive(:get_once).and_return(res)
     allow(subject).to receive(:sock).and_return(socket)
@@ -39,45 +39,79 @@ def update_socket_res(res)
       allow(subject).to receive(:select)
     end
 
-    context 'when server returns no password is set' do
-      let(:res) do
-        'but no password is set'
-      end
+    context 'with Redis version < 6' do
+      context 'when server returns no password is set' do
+        let(:res) { '-ERR Client sent AUTH, but no password is set' }
 
-      before do
-        update_socket_res(res)
-      end
+        before do
+          update_socket_res(res)
+        end
 
-      it 'returns NO_AUTH_REQUIRED' do
-        expect(subject.attempt_login(credential).status).to eq(Metasploit::Model::Login::Status::NO_AUTH_REQUIRED)
+        it 'returns NO_AUTH_REQUIRED' do
+          expect(subject.attempt_login(credential).status).to eq(Metasploit::Model::Login::Status::NO_AUTH_REQUIRED)
+        end
       end
-    end
 
-    context 'when server returns invalid password' do
-      let(:res) do
-        '-ERR invalid password'
-      end
+      context 'when server returns invalid password' do
+        let(:res) { '-ERR invalid password' }
 
-      before do
-        update_socket_res(res)
+        before do
+          update_socket_res(res)
+        end
+
+        it 'returns INCORRECT' do
+          expect(subject.attempt_login(credential).status).to eq(Metasploit::Model::Login::Status::INCORRECT)
+        end
       end
 
-      it 'returns INCORRECT' do
-        expect(subject.attempt_login(credential).status).to eq(Metasploit::Model::Login::Status::INCORRECT)
+      context 'when server returns OK' do
+        let(:res) { '+OK' }
+
+        before do
+          update_socket_res(res)
+        end
+
+        it 'returns SUCCESSFUL' do
+          expect(subject.attempt_login(credential).status).to eq(Metasploit::Model::Login::Status::SUCCESSFUL)
+        end
       end
     end
 
-    context 'when server returns OK' do
-      let(:res) do
-        '+OK'
+    context 'with Redis version > 6' do
+      context 'when server returns no password is set' do
+        let(:res) { '-ERR AUTH <password> called without any password configured for the default user. Are you sure your configuration is correct?' }
+
+        before do
+          update_socket_res(res)
+        end
+
+        it 'returns NO_AUTH_REQUIRED' do
+          expect(subject.attempt_login(credential).status).to eq(Metasploit::Model::Login::Status::NO_AUTH_REQUIRED)
+        end
       end
 
-      before do
-        update_socket_res(res)
+      context 'when server returns invalid password' do
+        let(:res) { '-WRONGPASS invalid username-password pair or user is disabled' }
+
+        before do
+          update_socket_res(res)
+        end
+
+        it 'returns INCORRECT' do
+          expect(subject.attempt_login(credential).status).to eq(Metasploit::Model::Login::Status::INCORRECT)
+        end
       end
 
-      it 'returns SUCCESSFUL' do
-        expect(subject.attempt_login(credential).status).to eq(Metasploit::Model::Login::Status::SUCCESSFUL)
+      context 'when server returns OK' do
+        let(:res) { '+OK' }
+
+        before do
+          update_socket_res(res)
+        end
+
+        it 'returns SUCCESSFUL' do
+          expect(subject.attempt_login(credential).status).to eq(Metasploit::Model::Login::Status::SUCCESSFUL)
+        end
       end
     end
   end