Give warning on invalid config (SSL and REQUIRE_SIGNING both set to t…

…rue)
smashery · Apr 24, 2024 · 68966b8 · 68966b8
1 parent ec44cb1
commit 68966b8
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/lib/msf/core/exploit/remote/ldap.rb b/lib/msf/core/exploit/remote/ldap.rb
@@ -90,7 +90,18 @@ def get_connect_opts
         framework_module: self
       }
 
-      ldap_connect_opts(rhost, rport, datastore['LDAP::ConnectTimeout'], ssl: datastore['SSL'], opts: opts)
+      result = ldap_connect_opts(rhost, rport, datastore['LDAP::ConnectTimeout'], ssl: datastore['SSL'], opts: opts)
+
+      # Now that the options have been resolved (including auto possibly resolving to NTLM), check whether this is a valid config
+      if result[:auth][:method] == :sasl &&
+         result[:auth][:mechanism] == 'GSS-SPNEGO' &&
+         datastore['SSL'] &&
+         datastore['REQUIRE_SIGNING']
+        # Domain Controllers don't seem to support signing and connection over SSL. Gotta pick one or the other.
+        fail_with(Msf::Module::Failure::BadConfig, 'SSL not supported with signing. Set either SSL or REQUIRE_SIGNING, but not both.')
+      end
+
+      result
     end
 
     # @see #ldap_open

diff --git a/lib/rex/proto/ldap.rb b/lib/rex/proto/ldap.rb
@@ -164,6 +164,7 @@ def setup(wrap_read, wrap_write)
   module ConnectionSaslIO
     # Provide the encryption wrapper for the caller to set up
     def wrap_read_write(wrap_read, wrap_write)
+      @conn.extend(SocketSaslIO)
       @conn.setup(wrap_read, wrap_write)
     end
 
@@ -197,7 +198,6 @@ def initialize(server)
 
       # Set up read/write wrapping
       self.extend(ConnectionSaslIO)
-      @conn.extend(SocketSaslIO)
     rescue SocketError
       raise Net::LDAP::LdapError, 'No such address or other socket error.'
     rescue Errno::ECONNREFUSED