Re: Question about MSF web interface

From: H D Moore (sflist@digitaloffense.net)
Date: Mon Feb 06 2006 - 23:23:32 EST


On Wednesday 01 February 2006 08:38, barcajax@gmail.com wrote:
> Does the above warning apply to a Win XP SP2 machine that has Zonealarm
> firewall installed and running?

You really don't want to use msfweb on Windows at all - it wastes
something like 150Mb of memory to handle a single connection due to how
Cygwin handles a process fork (no copy-on-write).

> How about msfweb within Pentoo running
> as a virtual machine?

The security problems with msfweb are:

1) Anyone able to execute an exploit would be able to manipulate the local
file system or even execute commands on the system with the privileges of
your user account. This is somewhat by design - many of the interesting
payloads can be used to upload or download files - a malicious msfweb
user could abuse this to overwrite your .ssh/authorized_keys using a
meterpreter session to a system they control (or upload one of your files
to their system, etc).

2) No authentication. By default, msfweb will only listen on your loopback
interface, but any local user could abuse one of the previously stated
issues to access your user account.

3) No referrer checks. If you have a msfweb instance running and someone
redirects your browser to a URL that points back to your msfweb
service, they could cause an exploit to launch and then abuse one of the
previously mentioned issues to gain access to your system.

-HD
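
One way a loopback-only web console could enforce the checks that items 2 and 3 describe as missing, written as an added example that is not part of the original message and is not Metasploit code. The class name `ConsoleGate`, the header hash layout and port 55555 are assumptions made for illustration.

```ruby
require 'uri'
require 'securerandom'

# Hypothetical request gate for a loopback-only web console.
# Class name, header layout and port are assumptions, not msfweb code.
class ConsoleGate
  LOOPBACK_HOSTS = %w[127.0.0.1 localhost].freeze
  attr_reader :token

  def initialize(port)
    @port = port
    @token = SecureRandom.hex(32) # shown only to the user who started the console
  end

  # headers: Hash with lowercase names. Returns [allowed, reason].
  def check(headers, supplied_token)
    # Host must name the loopback listener (blocks DNS-rebinding style requests).
    return [false, 'bad host'] unless same_origin?("http://#{headers['host']}")
    # A request started by another site carries that site's Origin/Referer.
    source = headers['origin'] || headers['referer']
    return [false, 'missing origin/referer'] if source.nil?
    return [false, 'cross-site request'] unless same_origin?(source)
    # Other local users can reach loopback, so a per-launch secret is required.
    return [false, 'bad token'] unless token_ok?(supplied_token)
    [true, 'ok']
  end

  private

  def same_origin?(url)
    uri = URI.parse(url)
    uri.scheme == 'http' && LOOPBACK_HOSTS.include?(uri.host) && uri.port == @port
  rescue URI::Error
    false
  end

  # Constant-time comparison so response timing does not leak the token.
  def token_ok?(supplied)
    return false unless supplied.is_a?(String) && supplied.bytesize == @token.bytesize
    diff = 0
    supplied.bytes.zip(@token.bytes) { |a, b| diff |= a ^ b }
    diff.zero?
  end
end

# Constructed sample requests (port 55555 is an assumed value).
if __FILE__ == $PROGRAM_NAME
  gate = ConsoleGate.new(55555)
  local = { 'host' => '127.0.0.1:55555', 'referer' => 'http://127.0.0.1:55555/exploits' }
  p gate.check(local, gate.token)
  p gate.check(local.merge('referer' => 'http://other.example/'), gate.token)
end
```

The header checks address the redirect case in item 3, and the per-launch token addresses other local users in item 2; neither changes item 1, since anyone who passes the gate still acts with the privileges of the account running the console.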
