
R7-2017-16 | CVE-2017-5244: Lack of CSRF protection for stopping tasks in Metasploit Pro, Express, and Community editions (FIXED)

Blog Post created by shuckins Employee on Jun 14, 2017

Summary

A vulnerability in Metasploit Pro, Express, and Community was patched in Metasploit v4.14.0 (Update 2017061301). The routes used to stop running tasks (either a particular task or all tasks) accepted GET requests. Only POST requests should have been allowed, as the stop and stop_all routes change the state of the service. This could have allowed an attacker to stop currently-running Metasploit tasks by getting an authenticated user to load a page that issues the request, for example via JavaScript (example below). As of Metasploit 4.14.0 (Update 2017061301), the routes for stopping tasks only allow POST requests, which must carry a valid anti-CSRF secret token.

CVE-2017-5244 is classified as CWE-352 (Cross-Site Request Forgery), and its CVSSv3 base score is 3.1. This is a lower severity issue due to the complexity of deployment and the lack of data exposure, but we nevertheless strongly encourage Metasploit users to update their instances using the steps outlined under “Remediation” below. In addition, Rapid7 will be doing further review of other important routes to verify they properly restrict access.


Credit

Rapid7 warmly thanks Mohamed A. Baset (Founder and Cyber Security Advisor at Seekurity.com SAS de C.V. Mexico; @SymbianSyMoh) for reporting this vulnerability to us, as well as providing information to help us resolve the issue and protect Metasploit users. You can read his report on the issue here.


Am I affected?

Versions of Metasploit Pro, Express, and Community editions before 4.14.0 (Update 2017061301) are vulnerable to CVE-2017-5244, regardless of operating system.


Additional details and exploitation

While POST requests go through Rails' normal anti-CSRF verification (the authenticity token check), that verification is skipped for GET requests, which Rails assumes to be safe. Routes with side effects (i.e. routes that change state, whether or not repeating them is idempotent) therefore need to be limited to POST only. Since that was not the case before this patch, and the stop action could be triggered through GET requests, an attacker who could get an authenticated user to load a page that issues that GET (for example via JavaScript) could trigger the same action with the victim's session cookie. It may also be possible to exploit this vulnerability by injecting network traffic impersonating the same request. This video shows the reporter exploiting this vulnerability to stop a running discovery scan.
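To make the GET-versus-POST distinction concrete, here is an added example, a plain-Ruby model of the mechanism rather than Metasploit's or the reporter's code. It registers the task-stop route the vulnerable way (reachable by GET) and the fixed way (POST only) and runs the same cross-site request against both. The names TaskService, Router and simulate, the route table layout, and the 404/422 status codes are assumptions of the model; the 422 follows Rails' `protect_from_forgery with: :exception` behaviour, which may not be the exact setting Metasploit uses.

```ruby
# Added example (not Metasploit's or the reporter's code): a plain-Ruby model
# of the Rails behaviour behind CVE-2017-5244. protect_from_forgery checks the
# authenticity token only on non-GET requests, so a state-changing action that
# is routable via GET can be fired by any page the victim visits, because the
# browser attaches the victim's session cookie to the cross-site request.
require 'securerandom'

# Simplified request: verb, path, cookie-backed session, form/query params.
Request = Struct.new(:verb, :path, :session, :params, keyword_init: true)

# Stand-in for the service that tracks running tasks (assumed name).
class TaskService
  attr_reader :running

  def initialize(running)
    @running = running.dup
  end

  def stop_all!
    @running.clear
  end
end

# Route table mapping [verb, path] => action, like config/routes.rb entries.
class Router
  def initialize(routes)
    @routes = routes
  end

  # Action for a verb/path, or nil when nothing matches (Rails answers 404).
  def match(request)
    @routes[[request.verb, request.path]]
  end
end

# Constant-time comparison so the token check does not leak via timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Mirrors Rails' RequestForgeryProtection#verified_request?: GET and HEAD are
# treated as safe and skip the check; any other verb must present a token
# matching the one stored in the session.
def verified_request?(request)
  return true if %w[GET HEAD].include?(request.verb)
  token = request.params['authenticity_token']
  expected = request.session[:csrf_token]
  return false if token.nil? || expected.nil?
  secure_compare(token, expected)
end

# Dispatch as a controller with protect_from_forgery would, returning the HTTP
# status. Routing runs before the CSRF check, so a verb with no route gets 404
# rather than 422; 422 models `protect_from_forgery with: :exception` (assumed).
def dispatch(router, tasks, request)
  action = router.match(request)
  return 404 unless action
  return 422 unless verified_request?(request)
  case action
  when :stop_all
    tasks.stop_all!
    200
  else
    404
  end
end

# Before the fix: stop_all reachable by GET as well as POST.
VULNERABLE_ROUTES = {
  ['GET', '/tasks/stop_all'] => :stop_all,
  ['POST', '/tasks/stop_all'] => :stop_all
}.freeze
# After the fix: POST only, so the token check always applies.
FIXED_ROUTES = { ['POST', '/tasks/stop_all'] => :stop_all }.freeze

# Send one request to /tasks/stop_all from a logged-in victim's browser and
# return [status, tasks still running]. with_token: true models the legitimate
# UI form, which embeds the session's token; a cross-site page cannot read it.
def simulate(routes, verb, with_token: false)
  session = { user_id: 1, csrf_token: SecureRandom.hex(32) }
  tasks = TaskService.new(['discovery scan', 'report generation'])
  params = with_token ? { 'authenticity_token' => session[:csrf_token] } : {}
  request = Request.new(verb: verb, path: '/tasks/stop_all',
                        session: session, params: params)
  [dispatch(Router.new(routes), tasks, request), tasks.running]
end

if __FILE__ == $PROGRAM_NAME
  p simulate(VULNERABLE_ROUTES, 'GET')               # cross-site GET stops everything
  p simulate(FIXED_ROUTES, 'GET')                    # no GET route any more
  p simulate(FIXED_ROUTES, 'POST')                   # cross-site form POST, no token
  p simulate(FIXED_ROUTES, 'POST', with_token: true) # legitimate UI request
end
```

The third case is the reason the fix is "POST with a token" rather than just "POST": an attacker can still auto-submit a cross-site form, but without the session-bound authenticity token the controller rejects it, while the only-GET path disappears entirely once the route is no longer registered for GET.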


Example exploitation JavaScript calling the affected route after 5 seconds:

<script>
  // After 5 seconds, navigate the victim's browser to the stop_all route.
  // The browser attaches the victim's Metasploit session cookie, and because
  // the route accepted GET, no authenticity token was needed.
  setTimeout(function () {
    window.location.replace("https://127.0.0.1:3790/tasks/stop_all");
  }, 5000);
</script>

Regardless of vector, the result of that route being called with an authenticated user's session is that all running tasks (e.g. discovery scans, report generation) are stopped. This should show up in UI notifications and task logs. In terms of impact, while some tasks can be replayed (i.e. restarted with the same configuration), there is no way to resume a stopped task; data collected only within that task may therefore not have been saved to the database, and is lost.

Remediation

We strongly encourage Metasploit users to update their instances to the latest version (Metasploit 4.14.0 (Update 2017061301) or above). You can find detailed update steps here. Release notes and offline installers are available here.


Disclosure Timeline

  • Sat, May 27, 2017: Vulnerability reported to Rapid7 by Mohamed A. Baset
  • Tue, May 30, 2017: Vulnerability confirmed by Rapid7
  • Fri, June 9, 2017: Vulnerability fixed by Rapid7
  • Sun, June 11, 2017: Rapid7 assigned CVE-2017-5244 to this vulnerability
  • Wed, June 14, 2017: Rapid7 released patch; public disclosure
  • Wed, June 14, 2017: Rapid7 reported vulnerability to MITRE
