
Pre-auth Remote Code Execution Vulnerability in Metasploit - pimterry
https://github.com/justinsteven/advisories/blob/master/2016_metasploit_rce_static_key_deserialization.md
======
dogma1138
This is hardly the first time, Acunetix still has a few vulnerabilities which
you can exploit by configuring your website to respond with a specific header
to the scan. SANS' GUI version of SleuthKit was vulnerable to HPP which could
lead to persistent XSS/RCE.

Overall it's highly likely that most if not all security testing tools are
vulnerable to some attacks, and I have a pretty strong suspicion that
governments do work on movie-like "counter hacks" by identifying RCE
vulnerabilities in common network/port scanners, vulnerability scanners, and
other enumeration tools.

~~~
rando444
Since I am not familiar with this, I'm very curious to know if something like
that is possible and ever been done before? As in counter-hacking a
vulnerability scanner by sending a malformed packet back, or something like
that.

In this case, this is a bug in the web interface, so you'd have to be on the
same network as this person, or have access to their interface for exploiting
this to be practical.

I'm more curious to know if anyone has ever been able to 'counter-hack' a
scanner by sending an unexpected response back.

Anyone ever heard of anything like this?

~~~
jburgess777
At the LAN level it is possible to detect hosts whose NIC is operating in
promiscuous mode, which is likely for someone sniffing network traffic:

[http://security.stackexchange.com/questions/3630/how-to-find-out-that-a-nic-is-in-promiscuous-mode-on-a-lan](http://security.stackexchange.com/questions/3630/how-to-find-out-that-a-nic-is-in-promiscuous-mode-on-a-lan)

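One concrete form of the check discussed in that linked thread, as an added example of my own rather than code from the linked page: build an ARP who-has for the suspect host, but address the Ethernet frame to a MAC that no real interface owns, then treat an ARP reply from that host as evidence that its NIC accepted a frame it should have filtered. The MAC and IP values are constructed, and actually sending the probe (a raw socket, root, a capture of the answer) is left out so that the frame building and reply classification run offline.

```ruby
require 'ipaddr'

ETH_ARP     = 0x0806   # EtherType for ARP
ARP_REQUEST = 1
ARP_REPLY   = 2

def mac_bytes(str)
  str.split(':').map { |h| h.to_i(16) }.pack('C6')
end

def ip_bytes(str)
  IPAddr.new(str).hton
end

# ARP who-has for target_ip, but with an Ethernet destination no NIC owns
# (ff:ff:ff:ff:ff:fe, one bit off the broadcast address). A NIC with its
# hardware filter on drops the frame; a promiscuous NIC passes it up, and the
# kernel's ARP code answers because the target IP is its own.
def build_probe(src_mac, src_ip, target_ip, fake_dst_mac: 'ff:ff:ff:ff:ff:fe')
  eth = mac_bytes(fake_dst_mac) + mac_bytes(src_mac) + [ETH_ARP].pack('n')
  arp = [1, 0x0800, 6, 4, ARP_REQUEST].pack('nnCCn') +
        mac_bytes(src_mac) + ip_bytes(src_ip) +
        mac_bytes('00:00:00:00:00:00') + ip_bytes(target_ip)
  eth + arp
end

# Parse an Ethernet/ARP frame into its fields; nil if it is not IPv4-over-Ethernet ARP.
def parse_arp(frame)
  return nil unless frame.bytesize >= 42
  eth_dst, eth_src, eth_type = frame.unpack('a6a6n')
  return nil unless eth_type == ETH_ARP
  htype, ptype, hlen, plen, op, sha, spa, tha, tpa = frame[14, 28].unpack('nnCCna6a4a6a4')
  return nil unless htype == 1 && ptype == 0x0800 && hlen == 6 && plen == 4
  { eth_dst: eth_dst, eth_src: eth_src, op: op, sha: sha, spa: spa, tha: tha, tpa: tpa }
end

# True if frame is an ARP reply from target_ip addressed to us: the host answered
# a request its NIC should never have accepted.
def responded_to_probe?(frame, target_ip, our_mac)
  arp = parse_arp(frame)
  return false unless arp
  arp[:op] == ARP_REPLY && arp[:spa] == ip_bytes(target_ip) && arp[:tha] == mac_bytes(our_mac)
end

# Constructed reply, standing in for what a promiscuous host would send back.
def sample_reply(target_mac, target_ip, our_mac, our_ip)
  eth = mac_bytes(our_mac) + mac_bytes(target_mac) + [ETH_ARP].pack('n')
  arp = [1, 0x0800, 6, 4, ARP_REPLY].pack('nnCCn') +
        mac_bytes(target_mac) + ip_bytes(target_ip) +
        mac_bytes(our_mac) + ip_bytes(our_ip)
  eth + arp
end

if __FILE__ == $0
  probe = build_probe('02:00:00:00:00:01', '10.0.0.1', '10.0.0.2')
  puts "probe: #{probe.unpack1('H*')}"
  reply = sample_reply('02:00:00:00:00:02', '10.0.0.2', '02:00:00:00:00:01', '10.0.0.1')
  puts "10.0.0.2 promiscuous? #{responded_to_probe?(reply, '10.0.0.2', '02:00:00:00:00:01')}"
end
```

A hit is a lead, not proof: anything that answers ARP on behalf of an address it does not own (proxy ARP, helper functions on the switch) will answer this probe too, and a sniffer running on a host whose driver still honours the destination filter will not.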
~~~
dogma1138
That only works on "switch" level mostly, on a modern network you also are
likely to trigger on your own switches since they run in a pseudo-promiscuous
(usually marketed as IP Helper, Broadcast Helper, Broadcast Redirect, DNS
Helper etc.) mode to facilitate DNS and other protocols that rely on
broadcasts to pass through the switch (or VLAN) boundary.

This is however more in relation to intrusion detection not active
countermeasures.

------
StavrosK
"A standalone module that exploits this issue has been submitted for inclusion
in Metasploit Framework"

You have to love things like this.

~~~
qubex
Metametasploitsploit.

------
_forestfortrees
Fun stuff. Serious question though: if you know the cookie signing key, can't
you just mint yourself an admin session? Is the YAML vuln required to exploit
this issue?

~~~
spydum
I suspect no: you can sign cookies, but hopefully the cookie only carries a
session identifier. You'd still need to obtain a valid admin session.

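To make the mechanics behind this exchange concrete, here is an added example of my own (not the advisory's code and not Metasploit's) modelling a Rails-style signed session cookie with a hard-coded secret. `STATIC_SECRET`, `DeployTask` and the function names are constructed for illustration. It shows that holding the signing key lets anyone mint a cookie, and that what that buys depends on what the server does with the verified bytes: a Marshal session serializer instantiates whatever class the payload names and runs its `marshal_load` hook before any login check looks at the session, while a JSON serializer only ever yields plain data, so a forged cookie there is worth no more than the session it claims.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed stand-in for a secret that ships hard-coded with the application.
STATIC_SECRET = 'example-static-secret-do-not-ship'.freeze

# Side effects recorded by the deserialisation hook below, so a run shows
# exactly when application code executed.
$side_effects = []

# Constructed class with a custom Marshal hook, standing in for any class on the
# application's load path whose marshal_load does real work.
class DeployTask
  attr_reader :command

  def initialize(command)
    @command = command
  end

  def marshal_dump
    @command
  end

  def marshal_load(command)
    @command = command
    $side_effects << "DeployTask#marshal_load ran with #{command.inspect}"
  end
end

# Constant-time comparison so the verifier does not leak the expected MAC byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Rails-style signed cookie: base64(payload) + "--" + hex(HMAC-SHA1(secret, base64(payload))).
def sign_cookie(serialized, secret)
  data = Base64.strict_encode64(serialized)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Returns the serialized bytes if the signature verifies, nil otherwise.
def verify_cookie(cookie, secret)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  return nil unless secure_compare(expected, digest)
  Base64.strict_decode64(data)
end

# Server side with a Marshal session serializer: whatever the cookie encodes is
# instantiated, hooks included, before any authentication check sees the session.
def load_session_marshal(cookie, secret)
  bytes = verify_cookie(cookie, secret)
  bytes && Marshal.load(bytes)
end

# Server side with a JSON serializer: verified data only ever becomes
# hashes, arrays, strings and numbers.
def load_session_json(cookie, secret)
  bytes = verify_cookie(cookie, secret)
  bytes && JSON.parse(bytes)
end

# Attacker side: anyone holding the secret mints a valid cookie for any payload.
def forge(obj, secret, serializer: :marshal)
  serialized = serializer == :marshal ? Marshal.dump(obj) : JSON.generate(obj)
  sign_cookie(serialized, secret)
end

if __FILE__ == $0
  forged = forge(DeployTask.new('id'), STATIC_SECRET)
  obj = load_session_marshal(forged, STATIC_SECRET)
  puts "Marshal path built #{obj.class}; hooks run: #{$side_effects.inspect}"
  tampered = forged.sub(/--.*\z/, '--' + '0' * 40)
  puts "tampered signature -> #{load_session_marshal(tampered, STATIC_SECRET).inspect}"
  json_cookie = forge({ 'session_id' => 'abc' }, STATIC_SECRET, serializer: :json)
  puts "JSON path -> #{load_session_json(json_cookie, STATIC_SECRET).inspect}"
end
```

Splitting on `--` is safe because strict base64 and a hex digest contain no hyphen. A real Rails application wraps the same verify-then-deserialise sequence in ActiveSupport::MessageVerifier and the cookie store; which serializer is configured, and so which of the two questions above applies, is a per-application setting, and rotating the secret is the fix for the minting problem but not for the deserialisation one.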
------
tedunangst
Wait, it's just a bug in the web UI?

------
eric_bullington
So it's a metametasploit?

~~~
CoryG89
Maybe it's a metasploitsploit?

~~~
termaltx
We need to go deeper!

------
tptacek
This is a particularly bad editorialized title, since nobody familiar with
Metasploit or tools like it would assume it to be secure code.

The right title is the boring one, "Pre-auth Remote Code Execution
Vulnerability in Metasploit".

The rule on HN is, if you want to put your own spin on a story, like "This bug
will delight irony lovers everywhere", you put that in a comment like everyone
else. Submitters don't own the stories and don't get to editorialize their
titles.

~~~
sctb
That's just right. We've updated the title from “RCE exploit found in
Metasploit itself, delighting irony lovers everywhere”.

------
0xdeadbeefbabe
So? You know what metasploit is for, right? Who cares?

~~~
wybiral
We're all just here to giggle at the beauty of it.

~~~
0xdeadbeefbabe
This is so meta

