Merge pull request rapid7#20431 from Wopseeion/problem-fi

Fix NoMethodError in kerberos/get_ticket by properly decoding ASN.1 OctetString in certificate SAN parsing for ticket reuqest --> "rapid7#20427"

Author: smcintyre-r7

lib/msf/core/exploit/remote/kerberos/client/pkinit.rb

@@ -67,7 +67,7 @@ def extract_user_and_realm(certificate, username, realm)
               certificate.extensions.select { |ext| ext.oid == 'subjectAltName' }.each do |san_extension|
                 begin
                   asn_san = OpenSSL::ASN1.decode(san_extension)
-                  asn_san_value = asn_san.value.find {|value| value.is_a? OpenSSL::ASN1::OctetString }
+                  asn_san_value = asn_san.value.find { |value| value.is_a? OpenSSL::ASN1::OctetString }
 
                   if asn_san_value.nil?
                     raise ArgumentError, 'Invalid certificate provided: unable to decode SAN'
@@ -95,7 +95,7 @@ def extract_user_and_realm(certificate, username, realm)
                   elsif san_entry.tag == 2 # dNSName
                     parts = san_entry.value.split('.')
                     if parts.length == 1
-                      user = san_entry
+                      user = san_entry.value  # Corrected to extract string value
                       domain = ''
                     else
                       user = parts[0] + '$'
@@ -110,15 +110,26 @@ def extract_user_and_realm(certificate, username, realm)
               end
 
               unless realm.nil? # and also username, since it's both or neither
-                unless results.map { |x| x.map(&:downcase) }.include?([username.downcase, realm.downcase])
-                  # If we've been provided an override but can't find them in a SAN, give a warning
+                normalized_results = results.map do |pair|
+                  pair.map do |value|
+                    if value.is_a?(String)
+                      value.downcase
+                    elsif value.is_a?(OpenSSL::ASN1::ASN1Data) && value.respond_to?(:value)
+                      val = value.value
+                      val.is_a?(String) ? val.downcase : val.to_s.downcase
+                    else
+                      value.to_s.downcase
+                    end
+                  end
+                end
+
+                unless normalized_results.include?([username.downcase, realm.downcase])
                   print_warning("Warning: Provided principal and realm (#{username}@#{realm}) do not match entries in certificate:")
                   results.each do |cert_username, cert_realm|
                     print_warning("  * #{cert_username}@#{cert_realm}")
                   end
                 end
 
-                # But hey, they've overridden it, so off we go
                 return [username, realm]
               end
 
@@ -220,16 +231,21 @@ def build_pa_pk_as_req(pfx, dh, dh_nonce, request_body, opts)
                 client_dh_nonce: RASN1::Types::OctetString.new(value: dh_nonce)
               )
 
+
               auth_pack[:client_public_value][:subject_public_key].bit_length = pub_key_encoded.length * 8
 
+
               signed_auth_pack = sign_auth_pack(auth_pack, pfx.key, certificate)
 
+
               pa_as_req = Rex::Proto::Kerberos::Model::PreAuthPkAsReq.new
 
+
               pa_as_req.signed_auth_pack = signed_auth_pack
 
+
               Rex::Proto::Kerberos::Model::PreAuthDataEntry.new(type: Rex::Proto::Kerberos::Model::PreAuthType::PA_PK_AS_REQ,
-                                                                value: pa_as_req.to_der)
+                                                                  value: pa_as_req.to_der)
             end
 
             # Calculate the cryptographic signatures over the AuthPack, and create the appropriate