Rename, change titles/descriptions, fix minor bugs

2013-11-06 13:45:40 -06:00 · 2013-11-06 13:45:40 -06:00 · 6b43d94c72
parent b9caf091d4
commit 6b43d94c72
3 changed files with 29 additions and 28 deletions
--- a/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb
+++ b/modules/auxiliary/scanner/http/smt_ipmi_cgi_scanner.rb
@ -14,15 +14,16 @@ class Metasploit3 < Msf::Auxiliary

  def initialize(info = {})
    super(update_info(info,
-      'Name'        => 'Supermicro Onboard IPMI Buffer Overflow Scanner',
+      'Name'        => 'Supermicro Onboard IPMI CGI Vulnerability Scanner',
      'Description' => %q{
-        This module checks a Supermicro Onboard IPMI web interface against
-        several unauthenticated buffer overflows. The vulnerabilities exist
-        on the login.cgi and close_window.cgi components.
+        This module checks for known vulnerabilities in the CGI applications of 
+        Supermicro Onboard IPMI controllers. These issues currently include
+        several unauthenticated buffer overflows in the login.cgi and close_window.cgi
+        components.
      },
      'Author'       =>
        [
-          'hdm', #Discovery and Metasploit module
+          'hdm', # Discovery and analysis
          'juan vazquez' # Metaspliot module
        ],
      'License'     => MSF_LICENSE,
@ -118,11 +119,11 @@ class Metasploit3 < Msf::Auxiliary


  def run_host(ip)
-    vprint_status("#{peer} - Checking if it's a Supermicro web interface...")
+    vprint_status("#{peer} - Checking if it's a Supermicro IPMI web interface...")
    if is_supermicro?
-      vprint_good("#{peer} - Supermicro web interface found")
+      vprint_good("#{peer} - Supermicro IPMI web interface found")
    else
-      vprint_error("#{peer} - Supermicro web interface not found")
+      vprint_error("#{peer} - Supermicro IPMI web interface not found")
      return
    end

@ -139,10 +140,10 @@ class Metasploit3 < Msf::Auxiliary
      })
    end

-    vprint_status("#{peer} - Checking CVE-2013-3623 (close_window.gi buffer overflow) ...")
+    vprint_status("#{peer} - Checking CVE-2013-3623 (close_window.gi Buffer Overflow) ...")
    result = check_close_window
    if result
-      print_good("#{peer} - Vulnerable to CVE-2013-3623 (close_window.cgi buffer overflow)")
+      print_good("#{peer} - Vulnerable to CVE-2013-3623 (close_window.cgi Buffer Overflow)")
      report_vuln({
        :host  => rhost,
        :port  => rport,
--- a/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb
+++ b/modules/auxiliary/scanner/http/smt_ipmi_static_cert_scanner.rb
@ -32,18 +32,17 @@ class Metasploit3 < Msf::Auxiliary

  def initialize
    super(
-      'Name'        => 'Supermicro Onboard IPMI Static Encryption Key Scanner',
+      'Name'        => 'Supermicro Onboard IPMI Static SSL Certificate Scanner',
      'Description' => %q{
-        This module checks the certificate of the specified web servers. The Supermicro Onboard
-        IPMI firmware ships with harcoded private encryption keys for both the Lighttpd web server
-        SSL interface and the Dropbear SSH daemon. An attacker with access to the publicly available
-        Supermicro firmware can perform man-in-the-middle and offline decryption of communication to
-        the firmware. This module has been on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware
-        SMT_X9_214.
+        This module checks for a static SSL certificate shipped with Supermicro Onboard IPMI
+        controllers. An attacker with access to the publicly-available firmware can perform 
+        man-in-the-middle attacks and offline decryption of communication to the controller.
+        This module has been on a Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware
+        version SMT_X9_214.
      },
      'Author'       =>
        [
-          'hdm', # Discovery and Metasploit module
+          'hdm', # Discovery and analysis
          'juan' # Metasploit module
        ],
      'License'     => MSF_LICENSE,
@ -76,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary
    result = cert.verify(pkey)

    if result
-      print_good("#{ip}:#{rport} - Found service using Supermicro IPMI static private key to encrypt communications")
+      print_good("#{ip}:#{rport} - Vulnerable to CVE-2013-3619 (Static SSL Certificate)")
      # Report with the the SSL Private Key hash for the host
      digest = OpenSSL::Digest::SHA1.new(pkey.public_key.to_der).to_s.scan(/../).join(":")
      report_note(
@ -91,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary
        :host  => rhost,
        :port  => rport,
        :proto => 'tcp',
-        :name  => "Supermicro Onboard IPMI Static Encryption Keys",
+        :name  => "Supermicro Onboard IPMI Static SSL Certificate",
        :refs  => self.references
      })
    end
--- a/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb
+++ b/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb
@ -15,14 +15,15 @@ class Metasploit3 < Msf::Auxiliary

  def initialize(info = {})
    super(update_info(info,
-      'Name'        => 'Supermicro Onboard IPMI Directory Taversal',
+      'Name'        => 'Supermicro Onboard IPMI url_redirect.cgi Authenticated Directory Traversal',
      'Description' => %q{
-        This module abuses a directory traversal on the web interface for Supermicro Onboard IPMI. The
-        vulnerability exists in the url_redirect.cgi CGI application, due to a lack of sanitization
-        of the url_name parameter. This may allow an attacker with a valid, but not necessarily
-        administrator-level account, to access the contents of any file on the system. This includes
-        the /nv/PSBlock file, which contains the cleartext credentials for all configured accounts.
-        This module has been tested on Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214.
+        This module abuses a directory traversal vulnerability in the url_redirect.cgi application 
+        accessible through the web interface of Supermicro Onboard IPMI controllers.  The vulnerability
+        is present due to a lack of sanitization of the url_name parameter. This allows an attacker with
+        a valid, but not necessarily administrator-level account, to access the contents of any file
+        on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for
+        all configured accounts. This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM) 
+        with firmware version SMT_X9_214.
      },
      'Author'       =>
        [
@ -57,7 +58,7 @@ class Metasploit3 < Msf::Auxiliary
        "method"    => "GET"
      })

-    if res and res.code == 200 and res.body =~ /ATEN International Co Ltd\./
+    if res and res.code == 200 and res.body.to_s =~ /ATEN International Co Ltd\./
      return true
    else
      return false