config.yaml can enable priv escalation ?? #2246

Closed
begadwael opened this issue Dec 14, 2021 · 8 comments
begadwael commented Dec 14, 2021

I was not able to find my BeEF creds, so I checked out the config.yaml file, and it did not need sudo privileges to open by running this command:

gedit /usr/share/beef-xss/config.yaml

[image]

In the file it clearly stated my sudo creds, which can enable local privilege escalation.

Shouldn't that file need sudo privileges to open?

I know that it can be changed, but the default password is the device's sudo password (and it's stated in clear text in the config file).

Collaborator

bcoles commented Dec 14, 2021

Possibly. This is an issue with the beef-xss package on your system. The configuration file should not be world readable.

For example, /etc/beef-xss/config.yaml appears to be world readable on Kali (albeit a bit out of date).

[2021-12-14 15:47:47] root@kali:~/Desktop/metasploit-framework# ls -la  /usr/share/beef-xss/config.yaml
lrwxrwxrwx 1 root root 25 Nov 26 02:49 /usr/share/beef-xss/config.yaml -> /etc/beef-xss/config.yaml
[2021-12-14 15:47:49] root@kali:~/Desktop/metasploit-framework# ls -la /etc/beef-xss/config.yaml
-rw-r--r-- 1 root root 6659 May 29  2019 /etc/beef-xss/config.yaml

Knowledge of the password would allow access to the web UI and REST interface.

There's probably a way to privesc this to gain beef-xss privileges.

[2021-12-14 15:51:56] root@kali:~/Desktop/metasploit-framework# grep User /lib/systemd/system/beef-xss.service
User=beef-xss

Collaborator

bcoles commented Dec 14, 2021

The /usr/share/beef-xss application directory is also world readable.

# ls -la /usr/share/ | grep beef
drwxr-xr-x    9 root root   4096 Dec 10 13:56 beef-xss

This would allow reading configuration credentials. For example, credentials for the Metasploit extension (not enabled by default) would allow access to msfrpcd, which allows code execution by design.

# grep metasploit: -A 10 /usr/share/beef-xss/extensions/metasploit/config.yaml 
        metasploit:
            name: 'Metasploit'
            enable: false
            # Metasploit msgrpc connection options
            host: "127.0.0.1"
            port: 55552
            user: "msf"
            pass: "abc123"
            uri: '/api'
            ssl: true
            ssl_version: 'TLS1'

Collaborator

bcoles commented Dec 14, 2021

> I know that it can be changed, but the default password is the device's sudo password (and it's stated in clear text in the config file)

What operating system are you using? The default password for BeEF is beef but this is a placeholder. BeEF will refuse to run if the password is beef, requiring you to configure a password.

Are you sure you didn't set the password? On Kali, when you run beef-xss it will prompt you to set a password:

[2021-12-14 16:15:25] root@kali:~# beef-xss
[-] You are using the Default credentials
[-] (Password must be different from "beef")
[-] Please type a new password for the beef user: 

The config.yaml file is then automatically updated with whatever password you provide.

Author

begadwael commented Dec 14, 2021

Oh yeah.

I checked other Kali VMs that are not yet set up with BeEF.
The default was beef:beef (I must have forgotten that I set the password as my sudo password (sorry)).

But the config is still readable in both Kali and Parrot OS (fresh installs).

Anyway, I think it should not be readable, as you mentioned it can privesc beef-xss privileges.

Also, this comment made me think it was from the software:
[image]

Collaborator

bcoles commented Dec 14, 2021

> Anyway, I think it should not be readable, as you mentioned it can privesc beef-xss privileges.

Unfortunately this is outside the control of the project team.

I've asked the devs to ping the kali/parrot package maintainers. Both the config file and application directory should not be world readable.

Thanks for the report.
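A permission audit for the paths discussed in this thread, as an added example that is not part of the original issue or the BeEF project's code: it lists YAML configs readable by "other" (following the packaging symlink shown above) and removes that access. The function names are hypothetical, and granting group read to a `beef-xss` group is an assumption based on the `User=beef-xss` service line.

```sh
#!/bin/sh
# Added example: audit and tighten permissions on BeEF YAML configs.

# Print every *.yaml under the given paths that "other" can read.
# -L makes find test the link target: a symlink's own mode is always
# lrwxrwxrwx (see the ls output above) and says nothing about the file.
world_readable_configs() {
    find -L "$@" -type f -name '*.yaml' -perm -004 -print 2>/dev/null
}

# Report findings with their resolved targets; return 1 if any exist.
audit() {
    local hits
    hits=$(world_readable_configs "$@")
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | while IFS= read -r f; do
        printf 'WORLD-READABLE %s -> %s\n' "$f" "$(readlink -f -- "$f")"
    done
    return 1
}

# Remove all "other" access from a file or directory and give the named
# group read-only access, so the service account can still load its config.
# Operates on the resolved target, not on the symlink.
restrict_path() {
    local group="$1" path="$2" real
    real=$(readlink -f -- "$path") || return 1
    chgrp -- "$group" "$real" && chmod g+rX,g-w,o-rwx -- "$real"
}

# Usage, as root, on a packaged install (group name is an assumption):
#   audit /usr/share/beef-xss /etc/beef-xss
#   restrict_path beef-xss /etc/beef-xss/config.yaml
#   restrict_path beef-xss /usr/share/beef-xss
```

With this mode change a 644 file becomes 640 and a 755 directory becomes 750; extension configs under the application directory need the same treatment if they hold credentials.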

Collaborator

DeezyE commented Dec 15, 2021

Nice report, thanks!

@begadwael
Author

Thanks

Collaborator

DeezyE commented Dec 21, 2021

@begadwael if you'd like to join the BeEF dev Discord https://discord.gg/25wT2P8pwx, we'd like to have your input.
