Metasploit Pro Root Privilege Escalation

  • Type: Metasploit Pro – Privilege Escalation (root)
  • Severity: High
  • Affected products: Metasploit Pro
  • Affected Versions:
  • Vendor: Rapid7
  • Vendor Response: Fixed
  • Authors: Ben Campbell, MWR Labs
  • CVE Reference: N/A
Timeline

  • 15/02/2014  Issue reported to Rapid7
  • 15/02/2014  Acknowledgement by Rapid7, R7 issue number assigned: R7-2014-05
  • 22/02/2014  Update from Rapid7, estimated patch in 2 weeks
  • 03/03/2014  Update from Rapid7 with suggested fix
  • 25/03/2014  Fix landed in framework
  • 26/03/2014  v4.9.0 released
  • 28/03/2014  Rapid7 publish advisory: https://community.rapid7.com/community/metasploit/blog/2014/03/28/r7-2014-05-vulnerability-in-metasploit-modules-fixed

Vulnerabilities were found in Metasploit Pro that allowed users of the web interface to escalate their privileges to a privileged local operating system user.

Description

Metasploit Pro is a toolkit for the exploitation of other machines. A number of modules within Metasploit make unsafe calls to the system() function because they do not validate user input. This vulnerability does not affect the Framework, as any user who has access via the Remote Procedure Call mechanism is trusted to run system commands. The Community edition has only a single user, the administrator, who can enable 'allow_console_access' to get raw access to the console and run commands. Metasploit Pro provides a multi-user model, which is the only trust model in which this finding is an issue.

Impact

Successful exploitation allows remote code execution on the framework host as the root user.

Cause

This issue is caused by a failure to validate user-supplied input in module options.

Interim Workaround

Remove the two affected modules, modules/auxiliary/scanner/http/sqlmap.rb and modules/post/windows/screen_spy.rb.

Solution

Upgrade to v4.9.0.

Technical Details

This issue can be replicated by running the Windows post module screen_spy against a session with the following setting:

VIEW_CMD: `touch /tmp/mwr`

The vulnerable code:

```ruby
cmd = "#{datastore['VIEW_CMD']}#{screenshot}"   # screen_spy.rb line 77
system(cmd) if cmd                              # screen_spy.rb line 108
```

There are two paths in the sqlmap module. Specify an additional command line option in OPTS, such as --eval, which will execute arbitrary code:

```ruby
opts = datastore['OPTS']   # sqlmap.rb line 67
if opts                    # sqlmap.rb line 90
  cmd << opts              # sqlmap.rb line 91
end                        # sqlmap.rb line 92
system(*cmd)               # sqlmap.rb line 101
```

Or point the module to an sqlmap.py file of your choice with the SQLMAP_PATH option:

```ruby
sqlmap = File.join(datastore['SQLMAP_PATH'], 'sqlmap.py')   # sqlmap.rb line 59
cmd = [ sqlmap ]                                             # sqlmap.rb line 96
system(*cmd)                                                 # sqlmap.rb line 101
```
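The two excerpts differ in shape: screen_spy interpolates VIEW_CMD into one string that system() hands to a shell, while sqlmap passes an argv array, which avoids the shell but still runs whichever program or flag the option names. The Ruby below is an added example, not the advisory's or Metasploit's code; it contrasts the two call forms and shows the allowlist validation a multi-user product needs before either one. The function names and allowlists are constructed for illustration.

```ruby
require 'open3'
require 'shellwords'

# Constructed allowlists for the example: programs a module may launch and
# sqlmap flags a web-interface user may pass through OPTS.
ALLOWED_PROGRAMS = %w[/usr/bin/eog /usr/bin/display /bin/echo].freeze
ALLOWED_FLAGS    = %w[--batch --level --risk --threads].freeze

# Vulnerable shape (as in screen_spy): a single interpolated string goes to
# /bin/sh, so a ';' inside the option starts a second command.
def run_string(program, arg)
  out, _status = Open3.capture2("#{program} #{arg}")
  out
end

# Hardened shape (as in sqlmap's system(*cmd)): an argv array is executed
# directly with no shell, so metacharacters in `arg` stay literal.
def run_argv(program, arg)
  out, _status = Open3.capture2(program, arg)
  out
end

# The argv form alone does not stop a user from naming any program, which is
# the SQLMAP_PATH problem; accept only known absolute paths. expand_path
# normalises '..' segments (File.realpath would additionally resolve symlinks).
def validated_program(candidate)
  path = File.expand_path(candidate.to_s)
  raise ArgumentError, "program not permitted: #{candidate}" unless ALLOWED_PROGRAMS.include?(path)
  path
end

# Split OPTS the way a shell would and keep only allowlisted flags with
# plain values; a code-executing flag such as --eval is refused outright.
def validated_opts(opts)
  Shellwords.split(opts.to_s).map do |token|
    flag, value = token.split('=', 2)
    raise ArgumentError, "option not permitted: #{token}" unless ALLOWED_FLAGS.include?(flag)
    raise ArgumentError, "bad value in #{token}" if value && value !~ /\A[\w.-]+\z/
    token
  end
end
```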