Skip to content

Adds SSL support to the postgres_login module #20517

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

Adds SSL support to the postgres_login module #20517

wants to merge 2 commits into from
+115 −22

Conversation

cgranleese-r7
Copy link
Contributor

This PR adds SSL support to the postgres_login module. This was spotted as part of a separate issue, then I couldn't think of a reason why the module shouldn't have SSL support to be more in line with our other login scanners.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use scanner/postgres/postgres_login
  • Verify that when ssl=true is set that we see Change Cipher Spec as part of our Wireshark packets when filtering by that string
  • Verify we get sessions and can interact with them when SSL is set

@cgranleese-r7 cgranleese-r7 marked this pull request as draft September 4, 2025 14:26
@cgranleese-r7 cgranleese-r7 force-pushed the adds-postgres-ssl-support branch 2 times, most recently from 09e9629 to 63cccde Compare September 4, 2025 14:50
adfoster-r7
adfoster-r7 reviewed Sep 4, 2025
View reviewed changes
adfoster-r7
adfoster-r7 reviewed Sep 4, 2025
View reviewed changes
adfoster-r7
adfoster-r7 reviewed Sep 4, 2025
View reviewed changes
lib/postgres/postgres-pr/connection.rb
if response == 'S'
ssl_context = OpenSSL::SSL::SSLContext.new
ssl_socket = OpenSSL::SSL::SSLSocket.new(@conn, ssl_context)
ssl_socket.sync_close = true
Copy link
Contributor

@adfoster-r7 adfoster-r7 Sep 4, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any context on why this is needed? 👀

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://ruby-doc.org/stdlib-2.6.1//libdoc/openssl/rdoc/OpenSSL/SSL/SSLSocket.html

sync_close[RW]
Whether to close the underlying socket as well, when the SSL/TLS connection is shut down. This defaults to false.

I assumed this was required to sync that the Rex socket would be closed together.

adfoster-r7
adfoster-r7 reviewed Sep 4, 2025
View reviewed changes
adfoster-r7
adfoster-r7 reviewed Sep 4, 2025
View reviewed changes
@cgranleese-r7 cgranleese-r7 force-pushed the adds-postgres-ssl-support branch from 63cccde to e603880 Compare September 11, 2025 14:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@adfoster-r7 adfoster-r7 adfoster-r7 left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@cgranleese-r7 @adfoster-r7