Land rapid7#19114, Better enforce types to prevent nil values from causing stack traces

bwatters-r7 · bwatters-r7 · commit c6fc5ad2e11f · 2024-04-19T16:21:22.000-05:00
Merge branch 'land-19114' into upstream-master
diff --git a/lib/metasploit/framework/ldap/client.rb b/lib/metasploit/framework/ldap/client.rb
@@ -82,8 +82,8 @@ def ldap_auth_opts_kerberos(opts)
         def ldap_auth_opts_ntlm(opts)
           auth_opts = {}
           ntlm_client = RubySMB::NTLM::Client.new(
-            opts[:username],
-            opts[:password],
+            (opts[:username].nil? ? '' : opts[:username]),
+            (opts[:password].nil? ? '' : opts[:password]),
             workstation: 'WORKSTATION',
             domain: opts[:domain].blank? ? '.' : opts[:domain],
             flags:
diff --git a/lib/msf/core/exploit/remote/ms_icpr.rb b/lib/msf/core/exploit/remote/ms_icpr.rb
@@ -390,7 +390,7 @@ def get_cert_msext_sid(cert)
   # @param [OpenSSL::X509::Certificate] cert
   # @return [Array<String>] The UPNs if any were found.
   def get_cert_msext_upn(cert)
-    return unless (san = get_cert_san(cert))
+    return [] unless (san = get_cert_san(cert))
 
     san[:GeneralNames].value.select do |gn|
       gn[:otherName][:type_id]&.value == OID_NT_PRINCIPAL_NAME
@@ -415,7 +415,7 @@ def get_cert_san(cert)
   # @param [OpenSSL::X509::Certificate] cert
   # @return [Array<String>] The DNS names if any were found.
   def get_cert_san_dns(cert)
-    return unless (san = get_cert_san(cert))
+    return [] unless (san = get_cert_san(cert))
 
     san[:GeneralNames].value.select do |gn|
       gn[:dNSName].value?
@@ -430,7 +430,7 @@ def get_cert_san_dns(cert)
   # @param [OpenSSL::X509::Certificate] cert
   # @return [Array<String>] The E-mail addresses if any were found.
   def get_cert_san_email(cert)
-    return unless (san = get_cert_san(cert))
+    return [] unless (san = get_cert_san(cert))
 
     san[:GeneralNames].value.select do |gn|
       gn[:rfc822Name].value?
diff --git a/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb b/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb
@@ -140,9 +140,6 @@ def query_ldap_server(raw_filter, attributes, base_prefix: nil)
     returned_entries = @ldap.search(base: full_base_dn, filter: filter, attributes: attributes, controls: controls)
     query_result_table = @ldap.get_operation_result.table
     validate_query_result!(query_result_table, filter)
-
-    return nil if returned_entries.empty?
-
     returned_entries
   end
 
@@ -184,8 +181,8 @@ def convert_sids_to_human_readable_name(sids_array)
       attributes = ['sAMAccountName', 'name']
       base_prefix = 'CN=Configuration'
       sid_entry = query_ldap_server(raw_filter, attributes, base_prefix: base_prefix) # First try with prefix to find entries that may be group specific.
-      sid_entry = query_ldap_server(raw_filter, attributes) if sid_entry.blank? # Retry without prefix if blank.
-      if sid_entry.blank?
+      sid_entry = query_ldap_server(raw_filter, attributes) if sid_entry.empty? # Retry without prefix if blank.
+      if sid_entry.empty?
         print_warning("Could not find any details on the LDAP server for SID #{sid}!")
         output << [sid, nil, nil] # Still want to print out the SID even if we couldn't get additional information.
       elsif sid_entry[0][:samaccountname][0]
@@ -350,7 +347,7 @@ def find_enrollable_vuln_certificate_templates
       attributes = ['cn', 'dnsHostname', 'ntsecuritydescriptor']
       base_prefix = 'CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration'
       enrollment_ca_data = query_ldap_server(certificate_enrollment_raw_filter, attributes, base_prefix: base_prefix)
-      next if enrollment_ca_data.blank?
+      next if enrollment_ca_data.empty?
 
       enrollment_ca_data.each do |ca_server|
         begin
