rapid7 / ruby_smb

A native Ruby implementation of the SMB Protocol Family

Unsupported RC4 cipher #251

Open hasenberg41 opened 1 year ago

hasenberg41 commented 1 year ago

(Sorry for my English.) On my system and in Docker I tried to use RubySMB::Client and received this error:

.../ruby_smb-3.2.5/lib/ruby_smb/ntlm/client.rb:33:in 'initialize': unsupported (OpenSSL::Cipher::CipherError)

This line contains the code rc4 = OpenSSL::Cipher.new("rc4"). OpenSSL::Cipher.ciphers shows me that rc4 already exists in the list of ciphers.

I tried to recompile OpenSSL for my Linux with the enable-weak-ssl-ciphers parameter - it did not help. I tried to install OpenSSL version 1.1.1f - it did not help either. I also fetched the latest version of the OpenSSL gem and changed the ssl.rb file to put the RC4 ciphers back in the list (I forgot which commit deleted them). That did not help either.

cdelafuente-r7 commented 1 year ago

Hi, thank you for reporting this.

Please, could you give me more information about your environment? I was not able to reproduce this error.

Do you get the same error in an IRB session?

3.0.2 :001 > require 'openssl'
 => true
3.0.2 :002 > OpenSSL::Cipher.new("rc4")
 => #<OpenSSL::Cipher:0x00007ff2a7a4ec68>

If not, would you mind sending the output of the following commands in IRB?

OpenSSL::OPENSSL_LIBRARY_VERSION
OpenSSL::OPENSSL_VERSION
OpenSSL::OPENSSL_VERSION_NUMBER
OpenSSL::VERSION
RUBY_VERSION
RUBY_PATCHLEVEL

Also, could you try using bundle from the ruby_smb root directory?

bundle update
bundle exec irb

adfoster-r7 commented 1 year ago

> Please, could you give me more information about your environment? I was not able to reproduce this error.

It replicates on a default Ubuntu 22.04 box with OpenSSL 3; if you were testing on a Kali environment or rvm compiled with its OpenSSL 1.1.1 package, it won't replicate. Kali ships a global OpenSSL config to enable weak cyphers - for my env it's in /usr/share/kali-defaults/etc/ssl/openssl.cnf

Example of replication with Ubuntu 22.04:

3.1.2 :001 > require 'openssl'
 => true 
3.1.2 :002 > rc4 = OpenSSL::Cipher.new("rc4")
(irb):2:in `initialize': unsupported (OpenSSL::Cipher::CipherError)
        from (irb):2:in `new'                                                         
        from (irb):2:in `<main>'                                                      
        from /home/a/.rvm/gems/ruby-3.1.2/gems/irb-1.6.3/exe/irb:9:in `<top (required)>'
        from /home/a/.rvm/gems/ruby-3.1.2/bin/irb:25:in `load'                        
        from /home/a/.rvm/gems/ruby-3.1.2/bin/irb:25:in `<main>'                      
        from /home/a/.rvm/gems/ruby-3.1.2/bin/ruby_executable_hooks:22:in `eval'      
        from /home/a/.rvm/gems/ruby-3.1.2/bin/ruby_executable_hooks:22:in `<main>'    

To work around this issue, as part of ruby_smb's test suite we've added config to load the weak cyphers by default: https://github.com/rapid7/ruby_smb/pull/234

For instance if you set the OpenSSL config setting to RubySMB's test config file before loading the OpenSSL library, things would work:

~/ruby_smb$ irb
3.1.2 :001 > ENV['OPENSSL_CONF'] = File.expand_path(File.join(File.dirname(__FILE__), 'spec', 'support', 'openssl.conf'))
 => "/home/a/ruby_smb/spec/support/openssl.conf" 
3.1.2 :002 > require 'openssl'
 => true 
3.1.2 :003 > rc4 = OpenSSL::Cipher.new("rc4")
 => #<OpenSSL::Cipher:0x00007f3eb0648e08> 

It would obviously be rude for the ruby_smb library to globally set weak ciphers, so it should be enabled in your app in a way that is aligned with your security requirements. There's also the possibility of us updating ruby_smb to use a native Ruby rc4 implementation etc., similar to https://github.com/WinRb/rubyntlm/pull/53, but I haven't done an audit for all of the legacy cyphers that we'd need to have native implementations for.

cdelafuente-r7 commented 1 year ago

Thanks @adfoster-r7! I would prefer a native Ruby implementation as you suggested.
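
The native Ruby RC4 fallback discussed in this thread could look like the following. This is an added example, not code from ruby_smb or from the rubyntlm pull request; the method names rc4_pure and rc4_with_fallback and the sample key and message are constructed for illustration.

```ruby
require 'openssl'

# Pure-Ruby RC4 (hypothetical helper name): key scheduling followed by
# keystream generation. Encryption and decryption are the same operation.
def rc4_pure(key, data)
  k = key.bytes
  raise ArgumentError, 'RC4 key must be 1..256 bytes' unless (1..256).cover?(k.length)

  # Key-scheduling algorithm (KSA): permute S under the key.
  s = (0..255).to_a
  j = 0
  256.times do |i|
    j = (j + s[i] + k[i % k.length]) & 0xff
    s[i], s[j] = s[j], s[i]
  end

  # Pseudo-random generation algorithm (PRGA): XOR keystream into the data.
  i = j = 0
  data.bytes.map do |byte|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    byte ^ s[(s[i] + s[j]) & 0xff]
  end.pack('C*')
end

# Try OpenSSL first; where RC4 is not enabled (as on the OpenSSL 3 box in
# this thread) the cipher raises "unsupported", and we fall back to the Ruby
# version instead of changing process-wide OpenSSL configuration.
# Returns [backend, ciphertext] so callers can log which path was taken.
def rc4_with_fallback(key, data)
  cipher = OpenSSL::Cipher.new('rc4')
  cipher.encrypt
  cipher.key_len = key.bytesize
  cipher.key = key
  [:openssl, cipher.update(data) + cipher.final]
rescue OpenSSL::Cipher::CipherError, RuntimeError
  [:pure_ruby, rc4_pure(key, data)]
end

# Constructed sample input: a 16-byte key and a short message.
key = ['000102030405060708090a0b0c0d0e0f'].pack('H*')
backend, ciphertext = rc4_with_fallback(key, 'constructed sample message')
puts "backend=#{backend} ciphertext=#{ciphertext.unpack1('H*')}"
```

The fallback keeps RC4 scoped to the one call that needs it, so the rest of the process keeps OpenSSL's default cipher policy.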