[framework] msfweb "refang" security update

H D Moore hdm at metasploit.com
Sun Jul 24 16:49:31 CDT 2005


The "defanged" flag (-D) causes msfweb to reject all attempts to use the 
"Exploit" and "Check" commands. This can be useful if you want to share 
your payloads online, but do not want people to relay attacks through 
your server. 

Dino Dai Zovi reported a security flaw in msfweb that would allow a remote 
user to bypass the "defanged" mode flag. This flaw affects any users who 
run a publicly exposed instance of msfweb with the -D option. 

This problem is caused by the StateToOptions() function in msfweb, which 
will overwrite the temporary environment variables with user-supplied 
values. The msfweb service will check for the "_Defanged" environment 
option before allowing the "Exploit" command, but only after 
StateToOptions() has already allowed the user to change its value. 

The fix has been pushed to msfupdate and the 2.4 snapshot, and will be 
included in version 2.5 (released within the next month, hopefully). A 
patch was made to msfweb that rejects all user-supplied environment 
variables that have a leading underscore character (the specifier for 
"system" options). The msfweb service will be completely rewritten in 
version 3.0 and these hacks will no longer be needed.

As the documentation states, exposing a msfweb instance to the world is a 
security risk, especially if you do not run in "defanged" mode. Besides 
being able to relay exploits through your system, an attacker could abuse 
some of the payload features to manipulate local files and eventually run 
arbitrary commands. 

Thanks again to Dino for finding and reporting this bug; not many people 
are brave enough to audit the msfweb source :-)
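The merge-then-check ordering described in the post, as an added illustration that is not msfweb's own code: a request handler that first copies every user-supplied key into the per-request environment and only then tests "_Defanged" can be talked out of defanged mode by a request that carries its own "_Defanged" key, while the patched merge drops any key with a leading underscore before it can reach the environment. The option name "_Defanged" and the underscore convention for system options come from the post; the value encoding ("1" for defanged), the RHOST/RPORT option names, the query-string transport and the function names are assumptions for this example.

```python
from urllib.parse import parse_qsl

SYSTEM_PREFIX = "_"   # msfweb marks "system" options with a leading underscore


def base_env(defanged=True):
    """Temporary per-request environment as a server started with -D would build it.
    The option name _Defanged is from the advisory; the "1"/"0" encoding is assumed."""
    return {"_Defanged": "1" if defanged else "0"}


def state_to_options_vulnerable(env, query):
    """Flawed merge: every user-supplied key overwrites the environment,
    system options included, so the caller's later _Defanged check is moot."""
    for key, value in parse_qsl(query, keep_blank_values=True):
        env[key] = value
    return env


def state_to_options_fixed(env, query):
    """Hardened merge: keys with a leading underscore are rejected before they
    can touch env. The test runs on the *decoded* key, so %5FDefanged is caught too."""
    rejected = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.startswith(SYSTEM_PREFIX):
            rejected.append(key)
            continue
        env[key] = value
    return env, rejected


def exploit_permitted(env):
    """The gate applied to the Exploit command after StateToOptions() has run."""
    return env.get("_Defanged") != "1"


def handle_exploit(query, patched, defanged=True):
    """Return True if the Exploit command would run for this request."""
    env = base_env(defanged)
    if patched:
        env, _ = state_to_options_fixed(env, query)
    else:
        env = state_to_options_vulnerable(env, query)
    return exploit_permitted(env)


# Constructed requests: legitimate module options plus an attempt to flip the
# system flag, once plainly and once with the underscore percent-encoded.
ATTACK_QUERY = "RHOST=10.0.0.5&RPORT=445&_Defanged=0"
ENCODED_ATTACK_QUERY = "RHOST=10.0.0.5&RPORT=445&%5FDefanged=0"
BENIGN_QUERY = "RHOST=10.0.0.5&RPORT=445"

if __name__ == "__main__":
    print("unpatched, attack      :", handle_exploit(ATTACK_QUERY, patched=False))
    print("patched,   attack      :", handle_exploit(ATTACK_QUERY, patched=True))
    print("patched,   encoded     :", handle_exploit(ENCODED_ATTACK_QUERY, patched=True))
    print("patched,   benign      :", handle_exploit(BENIGN_QUERY, patched=True))
    print("patched,   benign, no -D:", handle_exploit(BENIGN_QUERY, patched=True, defanged=False))
```

Two points the example makes that the post only implies: the filter has to run on the key after any transport decoding (otherwise a percent-encoded underscore slips through), and rejecting the key is preferable to re-setting "_Defanged" after the merge, since any other underscore-prefixed system option would stay exposed.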

