Metasploit Pro Root Privilege Escalation
Ben Campbell
Published: 22 May 2014
| Date | Event |
| --- | --- |
| 15/02/2014 | Issue reported to Rapid7 |
| 15/02/2014 | Acknowledgement by Rapid7, R7 issue number assigned: R7-2014-05 |
| 22/02/2014 | Update from Rapid7, estimated patch in 2 weeks |
| 03/03/2014 | Update from Rapid7 with suggested fix |
| 25/03/2014 | Fix landed in the framework |
| 26/03/2014 | v4.9.0 released |
| 28/03/2014 | Rapid7 publishes advisory: https://community.rapid7.com/community/metasploit/blog/2014/03/28/r7-2014-05-vulnerability-in-metasploit-modules-fixed |
Metasploit Pro is a toolkit for the exploitation of other machines. A number of modules within Metasploit pass user-supplied option values to the Ruby system() function without validating them. This does not affect the Framework, because any user who reaches it through the Remote Procedure Call mechanism is already trusted to run system commands. The Community edition has a single user, the administrator, who can enable 'allow_console_access' to get raw access to the console and run commands. Metasploit Pro provides a multi-user model, in which a lower-privileged user can run modules but is not meant to run arbitrary commands on the host; this is the only trust model in which the finding is an issue.
Successful exploitation allows a Metasploit Pro user to achieve remote code execution on the framework host as the root user.
This issue is caused by a failure to validate user-supplied input in module options before it is passed to system().
As an interim workaround, remove modules/auxiliary/scanner/http/sqlmap.rb and modules/post/windows/screen_spy.rb.
To resolve the issue, upgrade to v4.9.0.
This issue can be replicated by running the Windows post module screen_spy against a session with the following option set:
VIEW_CMD: touch /tmp/mwr
The value is concatenated with the screenshot path and handed to system() as a single string, so the shell on the framework host runs it.
The vulnerable code:
77 cmd = "#{datastore['VIEW_CMD']}#{screenshot}"
…
108 system(cmd) if cmd
There are two paths in the sqlmap module. The first is to supply an additional command-line option through OPTS, such as --eval, which sqlmap passes to the Python interpreter and so executes arbitrary code:
67 opts = datastore['OPTS']
…
90 if opts
91 cmd << opts
92 end
…
101 system(*cmd)
Or point the module at an sqlmap.py of your choice with the SQLMAP_PATH option, which is then executed directly:
59 sqlmap = File.join(datastore['SQLMAP_PATH'], 'sqlmap.py')
…
96 cmd = [ sqlmap ]
…
101 system(*cmd)
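The following is an added example, not code from this advisory or from Metasploit. It contrasts the two Kernel#system shapes the screen_spy and sqlmap excerpts above use, and shows why the array form on its own is not enough for the two sqlmap paths: an operator-chosen program path (SQLMAP_PATH) and a pass-through option (OPTS) still give code execution, so the program location has to be pinned and the options allow-listed. The directory names, the allow-list contents and the echo-based inputs are assumptions constructed for the demonstration.

```ruby
require 'open3'
require 'shellwords'

# Vulnerable shape, as in screen_spy: the operator's VIEW_CMD is interpolated
# into ONE string. Ruby hands a single string containing shell metacharacters
# to /bin/sh -c, so ';', '|' and '$(...)' inside VIEW_CMD all run as shell.
def run_string_form(view_cmd, screenshot)
  cmd = "#{view_cmd}#{screenshot}"
  out, _status = Open3.capture2(cmd)            # same spawning rules as system(cmd)
  out
end

# Argv shape, as in system(*cmd): program and arguments are separate array
# elements, no shell is involved, so metacharacters are just bytes.
def run_argv_form(program, *args)
  out, _status = Open3.capture2(program, *args) # same rules as system(program, *args)
  out
end

# The argv shape does not help when the PROGRAM is operator-chosen, as with
# SQLMAP_PATH. Pin the script to a directory the module owns and refuse any
# path that resolves outside it (expand_path normalises '..' but does not
# follow symlinks; use File.realpath if the directory may contain them).
def constrained_script(base_dir, user_dir, script = 'sqlmap.py')
  base = File.expand_path(base_dir)
  path = File.expand_path(File.join(user_dir, script))
  return nil unless path.start_with?(base + File::SEPARATOR)
  path
end

# Nor does the argv shape help when the program itself executes code on
# request: sqlmap's --eval takes Python source. Tokenise OPTS with Shellwords
# and accept only option names on an allow-list (constructed, deliberately
# small; a real module would decide which sqlmap options operators need).
ALLOWED_SQLMAP_OPTS = %w[--batch --dbs --level --risk --technique].freeze

def filter_sqlmap_opts(opts)
  argv = Shellwords.split(opts.to_s)
  argv.each do |tok|
    next unless tok.start_with?('-')
    name = tok.split('=', 2).first
    return nil unless ALLOWED_SQLMAP_OPTS.include?(name)
  end
  argv
rescue ArgumentError # unbalanced quotes: reject rather than guess
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs modelled on the advisory's VIEW_CMD, with echo in place of touch.
  puts run_string_form('echo injected;echo ', 'shot.png').inspect
  puts run_argv_form('echo', 'injected;echo shot.png').inspect
  p constrained_script('/opt/sqlmap', '/opt/sqlmap')
  p constrained_script('/opt/sqlmap', '/tmp/evil')
  p filter_sqlmap_opts('--batch --level=3 --eval="import os"')
end
```

Run directly, the string form prints two lines because the shell split the command at ';', while the argv form prints the literal text as one argument. The path check rejects /tmp/evil and the option filter rejects the --eval payload, which is what the argv call alone could never do.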