rapid7/metasploit-framework

modules/post/windows/gather/credentials/solarwinds_orion_dump.rb

Summary

Maintainability: F (5 days)
Test Coverage

File solarwinds_orion_dump.rb has 526 lines of code (exceeds 250 allowed). Consider refactoring.

require 'metasploit/framework/credential_collection'

class MetasploitModule < Msf::Post
  include Msf::Post::Common
  include Msf::Post::File
Severity: Major
Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 1 day to fix

    Method orion_secret_decrypt has a Cognitive Complexity of 25 (exceeds 5 allowed). Consider refactoring.

      def orion_secret_decrypt(ciphertext)
        if ciphertext.start_with?('<') # This is XMLSEC
          unless @orion_rsa_key
            print_warning('RSA key unavailable, cannot decrypt XMLSEC ciphertext')
            vprint_warning("Ciphertext: #{ciphertext}")
    Severity: Minor
    Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 3 hrs to fix

    Cognitive Complexity

    Cognitive Complexity is a measure of how difficult a unit of code is to intuitively understand. Unlike Cyclomatic Complexity, which determines how difficult your code will be to test, Cognitive Complexity tells you how difficult your code will be to read and comprehend.

    A method's cognitive complexity is based on a few simple rules:

    • Code is not considered more complex when it uses shorthand that the language provides for collapsing multiple statements into one
    • Code is considered more complex for each "break in the linear flow of the code"
    • Code is considered more complex when "flow breaking structures are nested"

    Method decrypt_orion_db has a Cognitive Complexity of 23 (exceeds 5 allowed). Consider refactoring.

      def decrypt_orion_db(csv_dataset)
        fail_with(Msf::Exploit::Failure::Unknown, 'Dataset contains no column values') unless csv_dataset
    
        current_row = 0
        decrypted_rows = 0
    Severity: Minor
    Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 3 hrs to fix

    Method decrypt_orion_db has 71 lines of code (exceeds 25 allowed). Consider refactoring.

      def decrypt_orion_db(csv_dataset)
        fail_with(Msf::Exploit::Failure::Unknown, 'Dataset contains no column values') unless csv_dataset
    
        current_row = 0
        decrypted_rows = 0
    Severity: Major
    Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 2 hrs to fix

      Method get_orion_certificate has a Cognitive Complexity of 19 (exceeds 5 allowed). Consider refactoring.

        def get_orion_certificate
          print_status('Extract SolarWinds Orion SSL Certificate Private Key ...')
          if datastore['RSA_KEY_FILE']
            return nil unless ::File.file?(datastore['RSA_KEY_FILE'])
      
      
      Severity: Minor
      Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 2 hrs to fix

      Method initialize has 64 lines of code (exceeds 25 allowed). Consider refactoring.

        def initialize(info = {})
          super(
            update_info(
              info,
              'Name' => 'SolarWinds Orion Secrets Dump',
      Severity: Major
      Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 2 hrs to fix

        Class MetasploitModule has 22 methods (exceeds 20 allowed). Consider refactoring.

        class MetasploitModule < Msf::Post
          include Msf::Post::Common
          include Msf::Post::File
          include Msf::Post::Windows::MSSQL
          include Msf::Post::Windows::Powershell
        Severity: Minor
        Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 2 hrs to fix

          Method init_orion_db has 58 lines of code (exceeds 25 allowed). Consider refactoring.

            def init_orion_db(orion_path)
              if datastore['MSSQL_INSTANCE'] && datastore['MSSQL_DB']
                print_status('MSSQL_INSTANCE and MSSQL_DB advanced options set, connect to SQL using SSPI')
                db_instance_path = datastore['MSSQL_INSTANCE']
                db_name = datastore['MSSQL_DB']
          Severity: Major
          Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 2 hrs to fix

            Method init_orion_db has a Cognitive Complexity of 15 (exceeds 5 allowed). Consider refactoring.

              def init_orion_db(orion_path)
                if datastore['MSSQL_INSTANCE'] && datastore['MSSQL_DB']
                  print_status('MSSQL_INSTANCE and MSSQL_DB advanced options set, connect to SQL using SSPI')
                  db_instance_path = datastore['MSSQL_INSTANCE']
                  db_name = datastore['MSSQL_DB']
            Severity: Minor
            Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 1 hr to fix

            Method orion_secret_decrypt has 46 lines of code (exceeds 25 allowed). Consider refactoring.

              def orion_secret_decrypt(ciphertext)
                if ciphertext.start_with?('<') # This is XMLSEC
                  unless @orion_rsa_key
                    print_warning('RSA key unavailable, cannot decrypt XMLSEC ciphertext')
                    vprint_warning("Ciphertext: #{ciphertext}")
            Severity: Minor
            Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 1 hr to fix

              Method get_orion_certificate has 38 lines of code (exceeds 25 allowed). Consider refactoring.

                def get_orion_certificate
                  print_status('Extract SolarWinds Orion SSL Certificate Private Key ...')
                  if datastore['RSA_KEY_FILE']
                    return nil unless ::File.file?(datastore['RSA_KEY_FILE'])
              
              
              Severity: Minor
              Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 1 hr to fix

                Method init_orion_encryption has a Cognitive Complexity of 11 (exceeds 5 allowed). Consider refactoring.

                  def init_orion_encryption
                    print_status('Init SolarWinds Crypto ...')
                    if datastore['AES_KEY']
                      unless datastore['AES_KEY'].match?(/^[0-9a-f]+$/i) && datastore['AES_KEY'].length == 64
                        fail_with(Msf::Exploit::Failure::BadConfig, 'Provided AES key is not valid 256-bit / 64-byte hexidecimal data')
                Severity: Minor
                Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 1 hr to fix

                Method read_csv_file has a Cognitive Complexity of 10 (exceeds 5 allowed). Consider refactoring.

                  def read_csv_file(file_name)
                    fail_with(Msf::Exploit::Failure::NoTarget, "CSV file #{file_name} not found") unless ::File.file?(file_name)
                
                    csv_rows = ::File.binread(file_name)
                    csv = ::CSV.parse(
                Severity: Minor
                Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 1 hr to fix

                Method run has a Cognitive Complexity of 10 (exceeds 5 allowed). Consider refactoring.

                  def run
                    init_module
                    current_action = action.name.downcase
                    if current_action == 'export' || current_action == 'dump'
                      print_status('Performing export of SolarWinds Orion SQL database to CSV file')
                Severity: Minor
                Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 1 hr to fix

                Method init_orion_encryption has 26 lines of code (exceeds 25 allowed). Consider refactoring.

                  def init_orion_encryption
                    print_status('Init SolarWinds Crypto ...')
                    if datastore['AES_KEY']
                      unless datastore['AES_KEY'].match?(/^[0-9a-f]+$/i) && datastore['AES_KEY'].length == 64
                        fail_with(Msf::Exploit::Failure::BadConfig, 'Provided AES key is not valid 256-bit / 64-byte hexidecimal data')
                Severity: Minor
                Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 1 hr to fix

                  Method decrypt has 26 lines of code (exceeds 25 allowed). Consider refactoring.

                    def decrypt(csv_file)
                      csv = read_csv_file(csv_file)
                      total_rows = csv.count
                      print_good("#{total_rows} rows loaded, #{@orion_total_secrets} unique CredentialIDs")
                      result = decrypt_orion_db(csv)
                  Severity: Minor
                  Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 1 hr to fix

                    Method dpapi_decrypt has a Cognitive Complexity of 9 (exceeds 5 allowed). Consider refactoring.

                      def dpapi_decrypt(b64, entropy)
                        unless b64.match?(%r{^[-A-Za-z0-9+/]*={0,3}$})
                          print_error('DPAPI decrypt: invalid Base64 ciphertext')
                          return nil
                        end
                    Severity: Minor
                    Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 55 mins to fix

                    Avoid too many return statements within this method.

                        return nil
                    Severity: Major
                    Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 30 mins to fix

                      Avoid too many return statements within this method.

                          return nil
                      Severity: Major
                      Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 30 mins to fix

                        Method aes_cbc_decrypt has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.

                          def aes_cbc_decrypt(ciphertext_bytes, aes_key, aes_iv)
                            return nil unless aes_iv.length == 16
                        
                            case aes_key.length
                            when 16
                        Severity: Minor
                        Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 25 mins to fix

                        Method init_module has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.

                          def init_module
                            orion_hostname = get_env('COMPUTERNAME')
                            print_status("Hostname #{orion_hostname} IPv4 #{rhost}")
                            require_sql = action.name.downcase == 'export' || action.name.downcase == 'dump' # only need to be concerned with SQL if doing these actions
                            if require_sql
                        Severity: Minor
                        Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 25 mins to fix

                        Method dump_orion_db has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.

                          def dump_orion_db
                            # CONVERT(VARBINARY()) is an awful hack to get around sqlcmd's equally awful support for CSV output
                            sql_query = 'SET NOCOUNT ON;SELECT c.ID AS CredentialID,
                              CONVERT(VARBINARY(1024),c.Name) Name,
                              CONVERT(VARBINARY(1024),c.Description) Description,
                        Severity: Minor
                        Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 25 mins to fix

                        Method decrypt has a Cognitive Complexity of 6 (exceeds 5 allowed). Consider refactoring.

                          def decrypt(csv_file)
                            csv = read_csv_file(csv_file)
                            total_rows = csv.count
                            print_good("#{total_rows} rows loaded, #{@orion_total_secrets} unique CredentialIDs")
                            result = decrypt_orion_db(csv)
                        Severity: Minor
                        Found in modules/post/windows/gather/credentials/solarwinds_orion_dump.rb - About 25 mins to fix
