rapid7 / metasploitable3

Metasploitable3 is a VM that is built from the ground up with a large amount of security vulnerabilities.

dotnet download is no longer available via http #575

Closed jmartin-tech closed 1 year ago

jmartin-tech commented 2 years ago

Issue Description

During initial OS installation, dotnet framework 4.5 is installed to meet minimum requirements for the rest of the build. However, the http URL now redirects to an https download that requires TLS 1.2, which the install is depending on dotnet 4.5 to provide. This causes all downloads that require TLS 1.2 further in the build process to fail as well.

PS C:\Users\vagrant> (New-Object System.Net.WebClient).DownloadFile('http://download.microsoft.com/download/1/6/7/167F0D79-9317-48AE-AEDB-17120579F8E2/NDP451-KB2858728-x86-x64-AllOS-ENU.exe', 'C:\Windows\Temp\dotnet.exe')
Exception calling "DownloadFile" with "2" argument(s): "The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."
At line:1 char:47
+ (New-Object System.Net.WebClient).DownloadFile <<<< ('http://download.microsoft.com/download/1/6/7/167F0D79-9317-48AE-AEDB-17120579F8E2/NDP451-KB2858728-x86-x64-AllOS-ENU.exe', 'C:\Windows\Temp\dotnet.exe')
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DotNetMethodException

Host System

adfoster-r7 commented 2 years ago

I briefly looked into this article https://support.microsoft.com/en-gb/topic/update-to-add-support-for-tls-1-1-and-tls-1-2-in-windows-server-2008-sp2-windows-embedded-posready-2009-and-windows-embedded-standard-2009-b6ab553a-fa8f-3f5e-287c-e752eb3ce5f4

None of the stand-alone package installers from https://www.catalog.update.microsoft.com/Search.aspx?q=KB4019276 worked for me, though.

jmartin-tech commented 2 years ago

I have worked through a couple of scenarios here, and I believe I will need to shift downloads performed during the autounattend.xml segment of the build into a later provisioner, with either a pre-downloaded package provided from the host system or an alternate provisioner task that can perform the download with TLS 1.2.

I am considering adding a pre-download script for all intermediate downloads needed during the build; however, in the interest of not putting more intentionally vulnerable code on the build host, this idea may need adjustment.

Ideas are in the works.
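
A sketch of the host-side pre-download idea raised in the last comment, added here as an example and not code from the metasploitable3 repository: the build host fetches each installer over HTTPS with TLS 1.2 as the minimum and stages it only if it matches a pinned SHA-256 digest, so the guest never has to negotiate TLS itself. The function names, the manifest layout, the URL, the digest placeholder and the `resources/predownload` directory are all assumptions.

```python
import hashlib
import os
import ssl
import tempfile
import urllib.request
from urllib.parse import urlsplit


def tls12_fetch(url):
    """Download over HTTPS on the build host, refusing anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and host name
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with urllib.request.urlopen(url, context=ctx, timeout=60) as resp:
        return resp.read()


def stage_artifact(url, sha256_hex, dest_dir, fetch=tls12_fetch):
    """Fetch url, check it against its pinned SHA-256, then place it in dest_dir.

    Returns the staged path. Raises ValueError for a non-HTTPS URL or a digest
    mismatch, in which case nothing is written to dest_dir.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS source: {url}")
    name = os.path.basename(parts.path)
    if not name:
        raise ValueError(f"URL has no file name: {url}")
    data = fetch(url)
    digest = hashlib.sha256(data).hexdigest()
    if digest != sha256_hex.lower():
        raise ValueError(f"{name}: SHA-256 mismatch (got {digest})")
    os.makedirs(dest_dir, exist_ok=True)
    # Write to a temp file first so a partial file never appears under the final name.
    fd, tmp = tempfile.mkstemp(dir=dest_dir, suffix=".part")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    final = os.path.join(dest_dir, name)
    os.replace(tmp, final)
    return final


if __name__ == "__main__":
    # Hypothetical manifest: the URL and digest are placeholders, not values from the issue.
    MANIFEST = [("https://example.invalid/installers/dotnet.exe", "<pinned-sha256-hex>")]
    for url, pinned in MANIFEST:
        print("staged", stage_artifact(url, pinned, "resources/predownload"))
```

The digest pin is what guarantees the staged file is the expected one; the staged directory can then be handed to a later provisioner as a plain file copy.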