FS#76653 - MD4 missing in openssl config causing evil-winrm not to work

Attached to Project: Arch Linux
Opened by Diogo F (DFKiller) - Thursday, 24 November 2022, 11:39 GMT
Last edited by Toolybird (Toolybird) - Thursday, 24 November 2022, 21:42 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description:
Unable to run evil-winrm and winrm in Arch due to MD4 missing in the openssl.cnf file

Additional info:
* package version(s) 3.0.7
* config and/or log files etc.
* link to upstream bug report, if any
https://github.com/BlackArch/blackarch/issues/3593
Steps to reproduce:
evil-winrm -u Jareth -p sarah -i 10.10.79.152

Evil-WinRM shell v3.4

Info: Establishing connection to remote endpoint

Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error

Error: Exiting with code 1

Issue has been fixed by adding the following to etc/ssl/openssl.cnf and under

[openssl_init]
providers = provider_sect
[provider_sect]
default = default_sect

add:

legacy = legacy_sect

so it shows as

[provider_sect]
default = default_sect
legacy = legacy_sect

then search for

[default_sect]
#activate = 1

remove the # and under that line add

[legacy_sect]
activate = 1

save the file and evil-winrm will work again.
Cause of issue: openssl was missing md4.
Please add these lines to the openssl.cnf file, as winrm and evil-winrm are not working at all on any Arch distro.

Closed by  Toolybird (Toolybird)
Thursday, 24 November 2022, 21:42 GMT
Reason for closing:  Won't fix
Additional comments about closing:  See comments
Comment by loqs (loqs) - Thursday, 24 November 2022, 14:53 GMT
NTLM v1 Authentication uses md4 [1]. The ruby ntlm gem as used by winrm uses the openssl gem to provide md4 [2]. With OpenSSL 3, md4 is in the legacy provider, which is not enabled by default.
The ruby openssl gem does not currently provide a method to load a provider [3] so the provider has to be loaded using OpenSSL's configuration file.
Assuming evil-winrm / winrm are not run set-user-ID or set-group-ID, the environment variable OPENSSL_CONF can be used to specify an alternate location for OpenSSL's config. This avoids changing the default configuration. The variable can be set in a script file that then calls the real executable.

[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/464551a8-9fc4-428e-b3d3-bc5bfb2e73a5?redirectedfrom=MSDN
[2] https://github.com/macks/ruby-ntlm/blob/323ef447c04e130a31940fa6dabe96607677c22b/lib/ntlm/util.rb#L77
[3] https://github.com/ruby/openssl/issues/567
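
The wrapper approach described in the comment above, as an added example that is not part of the original report, of the comment, or of evil-winrm: it writes a private config that activates the legacy provider and sets OPENSSL_CONF only for the wrapped process, leaving the system-wide openssl.cnf untouched. The function names and the config location under ~/.config/openssl-legacy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: scope the OpenSSL legacy provider (MD4) to one tool via
# OPENSSL_CONF instead of editing the system-wide openssl.cnf.
# Function names and the config location are assumptions for illustration.

# write_legacy_conf PATH: minimal config activating default + legacy providers.
write_legacy_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
EOF
}

# md4_available CONF: succeeds if the openssl CLI can compute MD4 under CONF.
md4_available() {
    printf '' | OPENSSL_CONF=$1 openssl dgst -md4 >/dev/null 2>&1
}

# run_with_legacy TOOL [ARGS...]: run TOOL with OPENSSL_CONF set for that
# process only. OpenSSL ignores OPENSSL_CONF in set-user-ID/set-group-ID
# programs, so this only helps for ordinary executables.
run_with_legacy() {
    conf_dir=${XDG_CONFIG_HOME:-$HOME/.config}/openssl-legacy
    conf=$conf_dir/openssl.cnf
    if [ ! -f "$conf" ]; then
        # The config decides which provider modules get loaded, so keep it
        # and its directory writable by the owner only.
        ( umask 077 && mkdir -p "$conf_dir" && write_legacy_conf "$conf" ) || return 1
    fi
    OPENSSL_CONF=$conf "$@"
}

# Saved as a wrapper script, the last line would be:
#   run_with_legacy evil-winrm "$@"
```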
Comment by Toolybird (Toolybird) - Thursday, 24 November 2022, 21:42 GMT
Thanks for the detailed investigation @loqs. Seeing as Arch is now on openssl-3.0.x and is not going to enable legacy openssl providers by default (e.g. md4), my understanding is that upstream pkgs and downstream distros need to adapt.
