Remove the DRuby remote code execution module #14335
Conversation
|
@zeroSteiner Is there a reason for the module deletion? I'm happy to ship this PR - just wanting to lay breadcrumbs down for historical context 😄 |
|
A vulnerability was disclosed to use regarding this module. While #14300 fixed instances where an arbitrary third party attacker could exploit Metasploit Framework users who had run this module and inadvertently started a DRuby service of their own, I failed to address the scenario where the server targeted by the Metasploit Framework user was malicious. In this second case, this module poses a threat in that the malicious server that is targeted could exploit the running instance of Metasploit to gain code execution within the context of the user running Metasploit. I looked into fixing it without removing the module but was unable to find a way to configure an allowlist of input items for processing. It's likely that a proper solution would involve a lower level implementation of the DRuby stack that's not easily provided through Ruby's API. This didn't seem like it was worth the effort and time it would take for this particular module as the vulnerability would still be present while that development was underway. |
|
Say, can you peek at rapid7/cvelist#39 and see if that description and title reads right to you, @zeroSteiner and/or @bwatters-r7 ? |
This removes the DRuby RCE module (
exploit/linux/misc/drb_remote_codeexec).Verification
List the steps needed to make sure this thing works
msfconsole