Metasploit Kerberos get_ticket Certificate Parsing Vulnerability

Vulnerability Information

Vulnerability name: Metasploit Kerberos get_ticket Certificate Parsing Vulnerability

Vulnerability type: Other

Severity: Medium

Vulnerability description: Metasploit Framework is a widely used penetration testing framework that ships modules for testing and exploiting a broad range of security weaknesses. Kerberos is the authentication protocol used in Microsoft Active Directory environments, and the auxiliary/admin/kerberos/get_ticket module requests Kerberos tickets, optionally authenticating with a certificate (PKINIT). When the module loads a certificate from a PKCS12 (.pfx) file, a parsing defect causes it to raise an unhandled NoMethodError for certain certificates, so the module aborts before any ticket request is made.

The root cause is in the extract_user_and_realm method of lib/msf/core/exploit/remote/kerberos/client/pkinit.rb, which calls downcase on an object that is an OpenSSL::ASN1::ASN1Data rather than a String. The stack trace shows the error raised from a map over decoded certificate data: the name fields are parsed with OpenSSL::ASN1, and not every element of the decoded structure is a plain string (context-tagged entries decode to ASN1Data objects whose value may be a nested array). The code assumes a String without checking the type, so it fails on certificates whose name data takes a shape it did not anticipate.

The impact is loss of functionality rather than a security boundary violation: when such a certificate is supplied, the module terminates with an exception and no ticket is obtained. This does not lead to code execution or data exposure, but it prevents a tester from using the module with an otherwise legitimate certificate. Reproducing the failure does not require a Kerberos Key Distribution Center (KDC) to be reachable, because the exception is raised while the module validates its options, before any network traffic; it only requires a certificate of the triggering shape to be set as CERT_FILE.
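To show the kind of decoded certificate data that breaks a String-only assumption, and the type check that avoids it, here is an added example in Ruby, the framework's language. It is not the project's code and does not reproduce the exact line in pkinit.rb. It builds a constructed self-signed certificate whose subjectAltName holds a Microsoft UPN otherName next to a dNSName, wraps it in a PKCS12 blob as CERT_FILE would be, and contrasts a naive extractor that raises the same NoMethodError with one that dispatches on the ASN.1 tag and checks types. The names, the password, and the helper names (build_test_pfx, san_names, and this example's own extract_user_and_realm) are assumptions made for the illustration.

```ruby
require 'openssl'

# Microsoft szOID_NT_PRINCIPAL_NAME: the otherName type-id under which AD
# certificates carry the user principal name (UPN).
UPN_OID = '1.3.6.1.4.1.311.20.2.3'.freeze

# Build a self-signed certificate whose subjectAltName carries a UPN otherName
# next to a plain dNSName, then wrap it in a PKCS12 blob as CERT_FILE expects.
# Every name and the password here are constructed test values.
def build_test_pfx(upn, dns_name, password)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/DC=local/DC=msflab/CN=DC$')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  # RFC 5280: GeneralName ::= CHOICE { otherName [0] OtherName,
  #   rfc822Name [1] IA5String, dNSName [2] IA5String, ... }
  # OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
  upn_value  = OpenSSL::ASN1::UTF8String.new(upn, 0, :EXPLICIT, :CONTEXT_SPECIFIC)
  other_name = OpenSSL::ASN1::Sequence.new(
    [OpenSSL::ASN1::ObjectId.new(UPN_OID), upn_value], 0, :IMPLICIT, :CONTEXT_SPECIFIC
  )
  dns_gn = OpenSSL::ASN1::IA5String.new(dns_name, 2, :IMPLICIT, :CONTEXT_SPECIFIC)
  san = OpenSSL::ASN1::Sequence.new([other_name, dns_gn])
  cert.add_extension(OpenSSL::X509::Extension.new('subjectAltName', san.to_der))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))

  OpenSSL::PKCS12.create(password, 'test', key, cert).to_der
end

# Load the certificate out of a PKCS12 blob, as the module does for CERT_FILE.
def load_pfx_certificate(pfx_der, password)
  OpenSSL::PKCS12.new(pfx_der, password).certificate
end

# Return the decoded GeneralNames array from the subjectAltName extension.
# Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }
def san_general_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext

  ext_value = OpenSSL::ASN1.decode(ext.to_der).value.last.value
  OpenSSL::ASN1.decode(ext_value).value
end

# Naive extraction that assumes the last element of an otherName is the UPN
# string. It is really the [0] EXPLICIT wrapper, an OpenSSL::ASN1::ASN1Data,
# so this raises "undefined method `downcase' for an instance of ASN1Data".
def naive_san_names(cert)
  san_general_names(cert).map do |gn|
    leaf = gn.value.is_a?(Array) ? gn.value.last : gn.value
    leaf.downcase
  end
end

# Type-checked extraction: dispatch on the GeneralName context tag and only
# call String methods on values known to be Strings. Unknown tags are skipped.
def san_names(cert)
  san_general_names(cert).map do |gn|
    next unless gn.tag_class == :CONTEXT_SPECIFIC

    case gn.tag
    when 0 # otherName decodes to [ObjectId, ASN1Data(value: [inner])]
      type_id, wrapper = gn.value
      next unless type_id.is_a?(OpenSSL::ASN1::ObjectId) && type_id.oid == UPN_OID
      inner = wrapper.value.is_a?(Array) ? wrapper.value.first : nil
      next unless inner.is_a?(OpenSSL::ASN1::Primitive) && inner.value.is_a?(String)
      [:upn, inner.value]
    when 1, 2 # rfc822Name / dNSName decode to ASN1Data with a String value
      next unless gn.value.is_a?(String)
      [gn.tag == 1 ? :email : :dns, gn.value]
    end
  end.compact
end

# Derive the Kerberos principal from the UPN, falling back to the USERNAME and
# DOMAIN defaults the module would otherwise use. Realms are upper-case.
def extract_user_and_realm(cert, default_username, default_realm)
  upn = san_names(cert).find { |type, _| type == :upn }&.last
  return [default_username, default_realm.upcase] unless upn && upn.include?('@')

  user, realm = upn.split('@', 2)
  [user, realm.upcase]
end

if $PROGRAM_NAME == __FILE__
  pfx = build_test_pfx('administrator@msflab.local', 'dc01.msflab.local', 'msf')
  cert = load_pfx_certificate(pfx, 'msf')
  begin
    naive_san_names(cert)
  rescue NoMethodError => e
    puts "naive: #{e.message}"
  end
  p san_names(cert)
  p extract_user_and_realm(cert, 'DC$', 'msflab.local')
end
```

The design point is that OpenSSL::ASN1.decode returns plain ASN1Data objects for anything with a context-specific tag, and their value is a String only for primitive encodings; a constructed entry such as otherName yields an Array of further ASN1Data objects. Any extractor that walks a GeneralNames sequence has to branch on gn.tag and verify the leaf type before treating it as text, which is exactly the check the failing module path lacks.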

Vendor: Rapid7

Product: Metasploit Framework

Source: https://github.com/rapid7/metasploit-framework/issues/20427

Type: rapid7/metasploit-framework: GitHub issues

Source Summary

Try loading this certificate and see a stack trace. You don’t need a KDC online to reproduce the issue because it occurs during the parsing.

msf6 auxiliary(admin/kerberos/get_ticket) > show options 

Module options (auxiliary/admin/kerberos/get_ticket):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   AES_KEY                         no        The AES key to use for Kerberos authentication in hex string. Supported keys: 128 or 256 bits
   CERT_FILE      bad.pfx          no        The PKCS12 (.pfx) certificate file to authenticate with
   CERT_PASSWORD                   no        The certificate file's password
   DOMAIN         msflab.local     no        The Fully Qualified Domain Name (FQDN). Ex: mydomain.local
   NTHASH                          no        The NT hash in hex string. Server must support RC4
   PASSWORD                        no        The domain user's password
   RHOSTS         127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT          88               yes       The target port
   Timeout        10               yes       The TCP timeout to establish Kerberos connection and read data
   USERNAME       DC$              no        The domain user


   When ACTION is GET_TGS:

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   IMPERSONATE                   no        The user on whose behalf a TGS is requested (it will use S4U2Self/S4U2Proxy to request the ticket)
   Krb5Ccname                    no        The Kerberos TGT to use when requesting the service ticket. If unset, the database will be checked
   SPN                           no        The Service Principal Name, format is service_name/FQDN. Ex: cifs/dc01.mydomain.local


Auxiliary action:

   Name     Description
   ----     -----------
   GET_TGT  Request a Ticket-Granting-Ticket (TGT)



View the full module info with the info, or info -d command.

msf6 auxiliary(admin/kerberos/get_ticket) >
msf6 auxiliary(admin/kerberos/get_ticket) > set CERT_FILE bad.pfx
CERT_FILE => bad.pfx
msf6 auxiliary(admin/kerberos/get_ticket) > run
[*] Running module against 127.0.0.1
[-] Auxiliary failed: NoMethodError undefined method `downcase' for an instance of OpenSSL::ASN1::ASN1Data
[-] Call stack:
[-] /home/smcintyre/Repositories/metasploit-framework/lib/msf/core/exploit/remote/kerberos/client/pkinit.rb:113:in `map'
[-] /home/smcintyre/Repositories/metasploit-framework/lib/msf/core/exploit/remote/kerberos/client/pkinit.rb:113:in `block in extract_user_and_realm'
[-] /home/smcintyre/Repositories/metasploit-framework/lib/msf/core/exploit/remote/kerberos/client/pkinit.rb:113:in `map'
[-] /home/smcintyre/Repositories/metasploit-framework/lib/msf/core/exploit/remote/kerberos/client/pkinit.rb:113:in `extract_user_and_realm'
[-] /home/smcintyre/Repositories/metasploit-framework/modules/auxiliary/admin/kerberos/get_ticket.rb:108:in `validate_options'
[-] /home/smcintyre/Repositories/metasploit-framework/modules/auxiliary/admin/kerberos/get_ticket.rb:143:in `run'
[*] Auxiliary module execution completed
msf6 auxiliary(admin/kerberos/get_ticket) >

Use the attached certificate and just base64 decode it.

bad.pfx.b64.txt


http://example.com/2025/07/31/github_671704198/
Author: lianccc
Published: July 31, 2025