Penetration Testing mailing list archives

Re: Question about MSF web interface


From: H D Moore <sflist () digitaloffense net>
Date: Mon, 6 Feb 2006 22:23:32 -0600

On Wednesday 01 February 2006 08:38, barcajax () gmail com wrote:
> Does the above warning apply to a Win XP SP2 machine that has Zonealarm
> firewall installed and running?

You really don't want to use msfweb on Windows at all - it wastes 
something like 150Mb of memory to handle a single connection due to how 
Cygwin handles a process fork (no copy-on-write).  

> How about msfweb within Pentoo running
> as a virtual machine?

The security problems with msfweb are:

1) Anyone able to execute an exploit would be able to manipulate the local 
file system or even execute commands on the system with the privileges of 
your user account. This is somewhat by design - many of the interesting 
payloads can be used to upload or download files - a malicious msfweb 
user could abuse this to overwrite your .ssh/authorized_keys using a 
meterpreter session to a system they control (or upload one of your files 
to their system, etc).

2) No authentication. By default, msfweb will only listen on your loopback 
interface, but any local user could abuse one of the previously stated 
issues to access your user account.

3) No referrer checks. If you have a msfweb instance running and someone 
redirects your browser to a URL that points back to your msfweb 
service, they could cause an exploit to launch and then abuse one of the 
previously mentioned issues to gain access to your system.

-HD
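
The controls that points 2 and 3 describe as missing, sketched from the defender's side as an added example; it is not part of the original post and not Metasploit code. The class name `LocalConsoleGate`, the per-launch token, the port 8080 and the sample request are all assumptions made for illustration.

```ruby
require 'uri'
require 'digest'
require 'securerandom'

# Hypothetical request gate for a loopback-only web console (not msfweb code).
class LocalConsoleGate
  attr_reader :token

  def initialize(port:, token: SecureRandom.hex(32))
    @token = token # shown once to the user who launched the service
    @allowed = ["127.0.0.1:#{port}", "localhost:#{port}"]
  end

  # headers: Hash with lowercase names. Returns [allowed?, reason].
  def check(method:, headers:, supplied_token:)
    # Pin the Host header so the port cannot be reached under another name.
    return [false, :bad_host] unless @allowed.include?(headers['host'].to_s.downcase)
    # Point 2: binding to loopback does not stop other local users.
    return [false, :bad_token] unless token_ok?(supplied_token)
    # Point 3: refuse requests that another site steered the browser into.
    source = headers['origin'] || headers['referer']
    return [false, :cross_site] if source && !same_site?(source)
    # Assumption: every state-changing action is a non-GET request.
    return [false, :no_origin] if source.nil? && !%w[GET HEAD].include?(method)
    [true, :ok]
  end

  private

  # Compare digests byte by byte so timing does not leak the token.
  def token_ok?(supplied)
    a = Digest::SHA256.digest(supplied.to_s).bytes
    b = Digest::SHA256.digest(@token).bytes
    a.zip(b).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def same_site?(source)
    u = URI.parse(source)
    %w[http https].include?(u.scheme) && @allowed.include?("#{u.host}:#{u.port}".downcase)
  rescue URI::InvalidURIError
    false
  end
end

# Constructed sample request: a cross-site page pointing the browser at the console.
gate = LocalConsoleGate.new(port: 8080)
forged = { 'host' => '127.0.0.1:8080', 'referer' => 'http://other.example/page' }
p gate.check(method: 'GET', headers: forged, supplied_token: gate.token)
```

Neither check changes point 1: a user who passes the gate still acts with the privileges of the account running the service.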
