Land rapid7#19283, MS-9445 Fix Redis Service Reporting

Author: adfoster-r7

lib/metasploit/framework/login_scanner/redis.rb

@@ -9,21 +9,26 @@ module LoginScanner
       # This is the LoginScanner class for dealing with REDIS.
       # It is responsible for taking a single target, and a list of credentials
       # and attempting them. It then saves the results.
-
       class Redis
         include Metasploit::Framework::LoginScanner::Base
         include Metasploit::Framework::LoginScanner::RexSocket
         include Metasploit::Framework::Tcp::Client
 
-        DEFAULT_PORT         = 6379
-        LIKELY_PORTS         = [ DEFAULT_PORT ]
-        LIKELY_SERVICE_NAMES = [ 'redis' ]
-        PRIVATE_TYPES        = [ :password ]
-        REALM_KEY            = nil
+        DEFAULT_PORT          = 6379
+        LIKELY_PORTS          = [ DEFAULT_PORT ]
+        LIKELY_SERVICE_NAMES  = [ 'redis' ]
+        PRIVATE_TYPES         = [ :password ]
+        REALM_KEY             = nil
+        OLD_PASSWORD_NOT_SET  = /but no password is set/i
+        PASSWORD_NOT_SET      = /without any password configured/i
+        WRONG_PASSWORD_SET    = /^-WRONGPASS/i
+        INVALID_PASSWORD_SET  = /^-ERR invalid password/i
+        OK                    = /^\+OK/
 
         # This method can create redis command which can be read by redis server
         def redis_proto(command_parts)
           return if command_parts.blank?
+
           command = "*#{command_parts.length}\r\n"
           command_parts.each do |p|
             command << "$#{p.length}\r\n#{p}\r\n"
@@ -50,40 +55,50 @@ def attempt_login(credential)
             connect
             select([sock], nil, nil, 0.4)
 
-            command = redis_proto(['AUTH', "#{credential.private}"])
-            sock.put(command)
-            result_options[:proof] = sock.get_once
+            command = redis_proto(['AUTH', credential.private.to_s])
 
-            # No password      - ( -ERR Client sent AUTH, but no password is set\r\n )
-            # Invalid password - ( -ERR invalid password\r\n )
-            # Valid password   - (+OK\r\n)
-
-            if result_options[:proof] && result_options[:proof] =~ /but no password is set/i
-              result_options[:status] = Metasploit::Model::Login::Status::NO_AUTH_REQUIRED
-            elsif result_options[:proof] && result_options[:proof] =~ /^-ERR invalid password/i
-              result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
-            elsif result_options[:proof] && result_options[:proof][/^\+OK/]
-              result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
-            end
+            sock.put(command)
 
+            result_options[:proof] = sock.get_once
+            result_options[:status] = validate_login(result_options[:proof])
           rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE => e
             result_options.merge!(
               proof: e,
               status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
             )
           end
+
           disconnect if self.sock
+
           ::Metasploit::Framework::LoginScanner::Result.new(result_options)
         end
 
         private
 
+        # Validates the login data received from Redis and returns the correct Login status
+        # based upon the contents Redis sent back:
+        #
+        # No password      - ( -ERR Client sent AUTH, but no password is set\r\n )
+        # Invalid password - ( -ERR invalid password\r\n )
+        # Valid password   - (+OK\r\n)
+        def validate_login(data)
+          return if data.nil?
+
+          return Metasploit::Model::Login::Status::NO_AUTH_REQUIRED if data =~ OLD_PASSWORD_NOT_SET
+          return Metasploit::Model::Login::Status::NO_AUTH_REQUIRED if data =~ PASSWORD_NOT_SET
+          return Metasploit::Model::Login::Status::INCORRECT if (data =~ INVALID_PASSWORD_SET) == 0
+          return Metasploit::Model::Login::Status::INCORRECT if (data =~ WRONG_PASSWORD_SET) == 0
+          return Metasploit::Model::Login::Status::SUCCESSFUL if (data =~ OK) == 0
+
+          nil
+        end
+
         # (see Base#set_sane_defaults)
         def set_sane_defaults
-          self.connection_timeout  ||= 30
-          self.port                ||= DEFAULT_PORT
-          self.max_send_size       ||= 0
-          self.send_delay          ||= 0
+          self.connection_timeout ||= 30
+          self.port               ||= DEFAULT_PORT
+          self.max_send_size      ||= 0
+          self.send_delay         ||= 0
         end
       end
     end

lib/msf/core/db_manager/vuln.rb

@@ -84,7 +84,8 @@ def has_vuln?(name)
   # opts can contain
   # +:info+::   a human readable description of the vuln, free-form text
   # +:refs+::   an array of Ref objects or string names of references
-  # +:details:: a hash with :key pointed to a find criteria hash and the rest containing VulnDetail fields
+  # +:details+:: a hash with :key pointed to a find criteria hash and the rest containing VulnDetail fields
+  # +:sname+:: the name of the service this vulnerability relates to, used to associate it or create it.
   #
   def report_vuln(opts)
     return if not active
@@ -150,6 +151,7 @@ def report_vuln(opts)
         case opts[:proto].to_s.downcase # Catch incorrect usages, as in report_note
         when 'tcp','udp'
           proto = opts[:proto]
+          sname = opts[:sname]
         when 'dns','snmp','dhcp'
           proto = 'udp'
           sname = opts[:proto]
@@ -158,7 +160,9 @@ def report_vuln(opts)
           sname = opts[:proto]
         end
 
-        service = host.services.where(port: opts[:port].to_i, proto: proto).first_or_create
+        services = host.services.where(port: opts[:port].to_i, proto: proto)
+        services = services.where(name: sname) if sname.present?
+        service = services.first_or_create
       end
 
       # Try to find an existing vulnerability with the same service & references