Metasploit Pro, Community, and Express users are urged to update to the latest version of Metasploit to receive the patch for the described vulnerability. Kali Linux users should use the normal 'apt-get update' method of updating, while other Metasploit Pro, Community, and Express users can use the in-application Administration : Software Updates button.

A remote privilege escalation vulnerability has been discovered by Ben Campbell of MWR InfoSecurity and subsequently patched in recent versions of Rapid7's Metasploit Pro, Community, and Express penetration testing software.

Vulnerability Details

By providing specially crafted datastore options to certain Metasploit modules, a remote, authenticated user can leverage a lack of input sanitization to gain privileged access to the underlying operating system on systems running Metasploit 4.8 or prior. The issue was resolved in the Metasploit 4.9.0 release as of commit 460a1f551ca6916dedab6a6788a2aa63f70eaa31. The vulnerable Metasploit modules were:

     modules/auxiliary/scanner/http/sqlmap.rb

     modules/post/windows/gather/screen_spy.rb

The screen_spy module was updated to no longer allow direct command access to users. The sqlmap module was removed from Metasploit, since Metasploit does not ship a version of sqlmap, and it appears impossible to effectively patch this module given the design of sqlmap.
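
The class of defect described above is option values that reach a shell-parsed command string unchecked. The following Ruby is an added illustration written for this advisory, not Rapid7's or Metasploit's code and not the actual contents of either module: the datastore hash, the `TARGET_URL` and `EXTRA` option names, the allow-list regular expressions and the function names are all assumptions. It contrasts the unsafe interpolation pattern with an allow-list check plus argv-form execution, using `echo` as a stand-in program so it runs offline.

```ruby
require 'open3'

# Constructed datastore (not Metasploit's real datastore object). The value of
# EXTRA carries a shell metacharacter only to show that it must be treated as
# data, never as command syntax.
EXAMPLE_DATASTORE = {
  'TARGET_URL' => 'http://192.0.2.10/item/1',
  'EXTRA'      => '--batch; echo injected'
}.freeze

# Unsafe pattern: option values are interpolated into one command string that
# a shell will parse, so a metacharacter in a value changes the command.
def unsafe_command_string(datastore, program: 'sqlmap')
  "#{program} -u #{datastore['TARGET_URL']} #{datastore['EXTRA']}"
end

# Runs the interpolated string. A single string is handed to /bin/sh -c, so
# the shell splits the value into two commands. Kept only for contrast.
def run_unsafe(datastore, program: 'sqlmap')
  out, _status = Open3.capture2(unsafe_command_string(datastore, program: program))
  out
end

# Hardened pattern, step 1: allow-list each option before it reaches any
# subprocess. These patterns are illustrative assumptions, not Metasploit's.
URL_RE  = %r{\Ahttps?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[A-Za-z0-9._~/\-]*)?\z}
FLAG_RE = /\A--?[A-Za-z0-9\-]+(?:=[A-Za-z0-9._\-]+)?\z/

def validate_options(datastore)
  errors = []
  errors << 'TARGET_URL is not a plain http(s) URL' unless datastore['TARGET_URL'].to_s.match?(URL_RE)
  flags = datastore['EXTRA'].to_s.split(' ')
  errors << 'EXTRA contains something other than simple flags' unless flags.all? { |f| f.match?(FLAG_RE) }
  errors
end

# Hardened pattern, step 2: build an argv array. Each element is delivered to
# the child process as exactly one argument; no shell ever parses it.
def build_argv(datastore, program: 'sqlmap')
  [program, '-u', datastore['TARGET_URL'], *datastore['EXTRA'].to_s.split(' ')]
end

def run_argv(datastore, program: 'sqlmap')
  out, _status = Open3.capture2(*build_argv(datastore, program: program))
  out
end

# Module-side entry point: refuse to run unless every option passes the
# allow-list, and even then use the argv form.
def run_checked(datastore, program: 'sqlmap')
  errors = validate_options(datastore)
  return { ok: false, errors: errors } unless errors.empty?
  { ok: true, output: run_argv(datastore, program: program) }
end

if __FILE__ == $PROGRAM_NAME
  # 'echo' stands in for the real tool so the demonstration runs anywhere.
  puts "unsafe (shell parsed the value):\n#{run_unsafe(EXAMPLE_DATASTORE, program: 'echo')}"
  puts "argv (value passed as data): #{run_argv(EXAMPLE_DATASTORE, program: 'echo')}"
  p run_checked(EXAMPLE_DATASTORE, program: 'echo')
end
```

With `echo` in place of the tool, the unsafe form prints two lines because the shell treated `;` as a command separator, while the argv form prints one line with the `;` intact as ordinary text. The argv form alone already removes the shell from the path; the allow-list is the second layer that also stops unexpected flags from reaching a tool whose own option handling the module does not control, which is the sort of design constraint the advisory cites for sqlmap.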

It's important to note that this avenue of attack is only available to users who already have a username and password for the Metasploit Pro, Community, or Express application, or who can run Metasploit locally. In most installations, we've found that these Metasploit users already have root/Administrator access to the machine Metasploit is running on.

Affected Versions

All versions of Metasploit prior to 4.9.0 are affected. Metasploit 4.9.0 was released Wednesday, March 26, 2014, and is not affected by the vulnerability.

Note that users who are able to run Metasploit with elevated privileges on a local console are already assumed to have those elevated privileges for normal operation. This is the case with the vast majority of Metasploit Community and Express users, and the entire userbase of Metasploit Framework.

Workarounds

Best practice for Metasploit Pro users is to expose the Metasploit UI only on trusted interfaces connected to internal networks, and to grant user access only to trusted users. Sensible user and network access policies are therefore an effective workaround for this vulnerability.

Users unable to update to 4.9.0 may manually delete the affected modules with no other ill effects (other than the loss of use of those modules). After locating and deleting the modules, restart Metasploit Pro to clear the module cache. The appropriate paths to these modules are discoverable with a local 'find' or 'search' command, depending on the operating system.
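
The locate-and-delete step above, as an added Ruby example rather than a procedure published by Rapid7: the install root is taken as a parameter because it differs between products and operating systems, the `msf3` directory and `example_unaffected.rb` file in the sample tree are constructed stand-ins, and the function names are this example's own. A dry run lists what would be removed so the paths can be reviewed before anything is deleted.

```ruby
require 'fileutils'
require 'tmpdir'

# Module paths named in the advisory, relative to a Metasploit install root.
AFFECTED_MODULES = [
  'modules/auxiliary/scanner/http/sqlmap.rb',
  'modules/post/windows/gather/screen_spy.rb'
].freeze

# Locate every copy of the affected modules anywhere below +root+.
def find_affected_modules(root)
  AFFECTED_MODULES.flat_map { |rel| Dir.glob(File.join(root, '**', rel)) }.sort
end

# Delete the located modules and return the paths acted on. With
# dry_run: true nothing is removed, so the list can be checked first.
def remove_affected_modules(root, dry_run: false)
  paths = find_affected_modules(root)
  paths.each { |path| File.delete(path) } unless dry_run
  paths
end

# Constructed stand-in for an install tree (not a real Metasploit checkout):
# empty copies of the affected modules plus one unrelated file that must
# survive the cleanup.
def build_sample_install(root)
  (AFFECTED_MODULES + ['modules/auxiliary/scanner/http/example_unaffected.rb']).each do |rel|
    path = File.join(root, 'msf3', rel)
    FileUtils.mkdir_p(File.dirname(path))
    File.write(path, "# constructed placeholder\n")
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |root|
    build_sample_install(root)
    puts 'would remove:', remove_affected_modules(root, dry_run: true)
    puts 'removed:', remove_affected_modules(root)
    puts 'remaining .rb files:', Dir.glob(File.join(root, '**', '*.rb'))
  end
end
```

Point `remove_affected_modules` at the real install root in place of the temporary directory, and restart Metasploit Pro afterwards so the module cache no longer lists the deleted files, as the advisory notes.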

Credit

R7-2014-05 was first reported by Ben Campbell of MWR InfoSecurity, who worked with Rapid7 to disclose this vulnerability.

Disclosure Timeline

Feb 15, 2014 (Sun): Initial disclosure from Ben Campbell on sqlmap.rb

Mar 03, 2014 (Mon): Workarounds discussed, screen_spy.rb reported with similar issue

Mar 12, 2014 (Wed): Patch to screen_spy and deletion strategy for sqlmap developed

Mar 25, 2014 (Tue): Fix landed to 4.9.0 final branch

Mar 26, 2014 (Wed): Metasploit 4.9.0 released

Mar 28, 2014 (Fri): Rapid7 disclosure published, release note DOC-2706 updated.