[framework] msfweb "refang" security update
H D Moore
hdm at metasploit.com
Sun Jul 24 16:49:31 CDT 2005
Hello,
The "defanged" flag (-D) causes msfweb to reject all attempts to use the
"Exploit" and "Check" commands. This can be useful if you want to share
your payloads online, but do not want people to relay attacks through
your server.
Dino Dai Zovi reported a security flaw in msfweb that would allow a remote
user to bypass the "defanged" mode flag. This flaw affects any users who
run a publicly exposed instance of msfweb with the -D option.
This problem is caused by the StateToOptions() function in msfweb, which
will overwrite the temporary environment variables with user-supplied
values. The msfweb service will check for the "_Defanged" environment
option before allowing the "Exploit" command, but only after
StateToOptions() has already allowed the user to change its value.
The fix has been pushed to msfupdate, the 2.4 snapshot, and will be
included in version 2.5 (released within the next month hopefully). A
patch was made to msfweb that rejects all user-supplied environment
variables that have a leading underscore character (the specifier for
"system" options). The msfweb service will be completely rewritten in
version 3.0 and these hacks will no longer be needed.
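To make the bug and the fix concrete, here is an added model of the two StateToOptions() behaviours described above. It is illustration code written for this post, not msfweb's own (Perl) source; the function names, the RHOST option and the request values are assumptions, while "_Defanged" and the leading-underscore rule come from the advisory.

```python
# Model of the msfweb "defanged" bypass and its fix (added illustration,
# not msfweb code). Assumed: option dicts stand in for msfweb's temporary
# environment and for the user-supplied request state.

SYSTEM_PREFIX = "_"   # leading underscore marks a "system" option


def state_to_options_vulnerable(env: dict, user_state: dict) -> dict:
    """Pre-fix behaviour: every user-supplied key overwrites the environment,
    including system options such as _Defanged."""
    merged = dict(env)
    merged.update(user_state)          # "_Defanged" can be clobbered here
    return merged


def state_to_options_fixed(env: dict, user_state: dict) -> dict:
    """Post-fix behaviour: user-supplied keys with a leading underscore are
    rejected, so system options keep the server's values."""
    merged = dict(env)
    for key, value in user_state.items():
        if key.startswith(SYSTEM_PREFIX):
            continue                   # system options are not user-settable
        merged[key] = value
    return merged


def exploit_allowed(options: dict) -> bool:
    """The check msfweb performs before running Exploit/Check: refuse when
    the _Defanged option is set."""
    return not options.get("_Defanged", False)


# Constructed request: a normal option plus an attempt to clear the flag.
SERVER_ENV = {"_Defanged": True, "RHOST": ""}
USER_STATE = {"RHOST": "192.0.2.10", "_Defanged": False}

if __name__ == "__main__":
    before = state_to_options_vulnerable(SERVER_ENV, USER_STATE)
    after = state_to_options_fixed(SERVER_ENV, USER_STATE)
    print("vulnerable merge allows Exploit:", exploit_allowed(before))  # True
    print("fixed merge allows Exploit:", exploit_allowed(after))        # False
```

The fixed merge still accepts ordinary options such as RHOST, so only the underscore-prefixed system options are affected by the patch.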
As the documentation states, exposing an msfweb instance to the world is a
security risk, especially if you do not run in "defanged" mode. Besides
being able to relay exploits through your system, an attacker could abuse
some of the payload features to manipulate local files and eventually run
arbitrary commands.
Thanks again to Dino for finding and reporting this bug; not many people
are brave enough to audit the msfweb source :-)
-HD