Penetration Testing mailing list archives
Re: Question about MSF web interface
From: H D Moore <sflist () digitaloffense net>
Date: Mon, 6 Feb 2006 22:23:32 -0600
On Wednesday 01 February 2006 08:38, barcajax () gmail com wrote:
Does the above warning apply to a Win XP SP2 machine that has Zonealarm firewall installed and running?
You really don't want to use msfweb on Windows at all - it wastes something like 150Mb of memory to handle a single connection due to how Cygwin handles a process fork (no copy-on-write).
How about msfweb within Pentoo running as a virtual machine?
The security problems with msfweb are: 1) Anyone able to execute an exploit would be able to manipulate the local file system or even execute commands on the system with the privileges of your user account. This is somewhat by design - many of the interesting payloads can be used to upload or download files - a malicious msfweb user could abuse this to overwrite your .ssh/authorized_keys using a meterpreter session to a system they control (or upload one of your files to their system, etc). 2) No authentication. By default, msfweb will only listen on your loopback interface, but any local user could abuse one of the previously stated issues to access your user account. 3) No referrer checks. If you have a msfweb instance running and someone sends redirects your browser to a URL that points back to your msfweb service, they could cause an exploit to launch and then abuse one of the previously mentioned issues to gain access to your system. -HD ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Question about MSF web interface barcajax (Feb 04)
- Re: Question about MSF web interface H D Moore (Feb 06)
- <Possible follow-ups>
- Re: Question about MSF web interface kish_pent (Feb 05)
- Re: Question about MSF web interface Neil (Feb 06)