search

NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License
17.86k stars 13.93k forks source link

Evil-WinRM OpenSSL: initialization error #255276

Open ca5ua1 opened 1 year ago

ca5ua1 commented 1 year ago

Describe the bug

Evil-WinRM package fails to login to remote windows machine

Steps To Reproduce

Steps to reproduce the behavior:

  1. nix-shell -p evil-winrm
  2. evil-winrm -i IP_WINDOWS_MACHINE -u administrator -p pass

Expected behavior

Successful login to Windows machine

Screenshots

$ evil-winrm -i 10.129.19.184 -u administrator -p badminton

Evil-WinRM shell v3.3

Info: Establishing connection to remote endpoint

Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error

Error: Exiting with code 1

Additional context

Installing via gem install evil-winrm produce same error

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.5.2-zen1, NixOS, 23.11 (Tapir), 23.11.20230908.db9208a`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.17.0`
 - channels(root): `"nixos-23.05, nixpkgs"`
 - channels(casual): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
joranvar commented 11 months ago

May be of interest: I get a similar error when using bolt to connect to a server (that gives the same error when using evil-winrm):

$ nix run nixpkgs#puppet-bolt -- command run 'pwd' --targets winrm://10.10.9.89 --user Administrator --password-prompt --no-ssl
Please enter your password:
Started on winrm://10.10.9.89...
Failed on winrm://10.10.9.89:
  Failed to connect to http://10.10.9.89:5985/wsman: Digest initialization failed: initialization error
Failed on 1 target: winrm://10.10.9.89
Ran on 1 target in 0.14 sec
$ nix-info -m
 - system: `"x86_64-linux"`
 - host os: `Linux 6.6.0, NixOS, 23.05 (Stoat), 23.05.20231101.34bdaaf`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.15.3`
 - channels(root): `"nixos"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`
joranvar commented 10 months ago

It seems that openssl has moved md4 to legacy. I can enable md4 from the command line (nix run nixpkgs#openssl -- -provider legacy md4), but I have not yet found a way to enable it in the openssl.cnf or settings being used inside the evil-winrm derivation.

joranvar commented 10 months ago

Workaround found. Create a file with the following contents (which enables automatically loading the legacy provider):

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

Now call evil-winrm with OPENSSL_CONF set to the name of the file just created, and the md4 hash can be used.

Mag1cByt3s commented 3 months ago

Here is a workaround to fix this issue:

{ config, lib, pkgs, modulesPath, ... }:

{
  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    (let
      openssl_conf = pkgs.writeText "openssl.conf" ''
        openssl_conf = openssl_init

        [openssl_init]
        providers = provider_sect

        [provider_sect]
        default = default_sect
        legacy = legacy_sect

        [default_sect]
        activate = 1

        [legacy_sect]
        activate = 1
      '';
    in
    pkgs.evil-winrm.overrideAttrs (o: {
      nativeBuildInputs = o.nativeBuildInputs ++ [ pkgs.makeWrapper ];
      postFixup =
        (o.postFixup or "")
        + ''
          wrapProgram $out/bin/evil-winrm \
            --prefix OPENSSL_CONF : ${openssl_conf.outPath}
        '';
    }))
  ];
}

It might be a better idea to create a nix overlay for this tho.

Mag1cByt3s commented 3 months ago

This issue can be fixed via the following pull request: https://github.com/NixOS/nixpkgs/pull/324530

Mag1cByt3s commented 3 months ago

I just turned the fix into an overlay

final: prev:
{
  evil-winrm-patched = prev.evil-winrm.overrideAttrs (oldAttrs: rec {
    nativeBuildInputs = oldAttrs.nativeBuildInputs or [] ++ [ prev.makeWrapper ];

    openssl_conf = prev.writeText "openssl.conf" ''
      openssl_conf = openssl_init

      [openssl_init]
      providers = provider_sect

      [provider_sect]
      default = default_sect
      legacy = legacy_sect

      [default_sect]
      activate = 1

      [legacy_sect]
      activate = 1
    '';

    postFixup = ''
      ${oldAttrs.postFixup or ""}
      wrapProgram $out/bin/evil-winrm \
        --prefix OPENSSL_CONF : ${openssl_conf}
    '';
  });
}