Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update create session default values #19069

Merged
merged 1 commit into from
Apr 9, 2024
Merged

Update create session default values #19069

merged 1 commit into from
Apr 9, 2024

Conversation

adfoster-r7
Copy link
Contributor

@adfoster-r7 adfoster-r7 commented Apr 9, 2024
edited
Loading

Updates the Metasploit RPC functionality to not open new SMB, Postgres, MySQL, MSSQL sessions by default.

The issue is caused by Metasploit's RPC exposing an options API with a default CreateSession value of true. The RPC functionality does not take into consideration the Module's DefaultOptions key:

      # some overrides from authbrute since there is a default username and a blank password
      'DefaultOptions' =>
        {
          'USERNAME' => 'sa',
          'BLANK_PASSWORDS' => true,
          'CreateSession' => false
        }

There will be a separate effort to update the RPC layer to expose the default options to users correctly, but for now let's swap the default value in the module options itself

Verification

  • Ensure tests pass
  • Ensure the module's option metadata still shows the CreateSession option as false

zgoldman-r7
zgoldman-r7 approved these changes Apr 9, 2024
View reviewed changes
Copy link
Contributor

@zgoldman-r7 zgoldman-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes seem to reflect in the options locally 👍

@zgoldman-r7 zgoldman-r7 merged commit b8176e1 into rapid7:master Apr 9, 2024
45 checks passed
@smcintyre-r7 smcintyre-r7 added library bug rn-fix release notes fix labels Apr 10, 2024
@smcintyre-r7
Copy link
Contributor

smcintyre-r7 commented Apr 10, 2024
edited by adfoster-r7
Loading

Release Notes

Fixes an edgecase present in clients that programatically interacted with Metasploit's remote procedure call (RPC) functionality that caused the login modules for SMB, Postgres, MySQL, and MSSQL to open a new session by default instead of it being opt in behavior.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zgoldman-r7 zgoldman-r7 zgoldman-r7 approved these changes

Assignees
No one assigned
Labels
bug library rn-fix release notes fix
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@adfoster-r7 @smcintyre-r7 @zgoldman-r7