Re: New VA Modules: OpenVAS: 1, MSF: 5, Nessus: 13

[Daniel Miller <bonsaiviking () gmail com>]

On 07/18/2012 12:00 PM, New VA Module Alert Service wrote:
> == Metasploit modules (5) ==
>
>
> r15649http://metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/unix/local/setuid_nmap.rb
> setuid nmap "exploit"

Setuid Nmap has been a major no-no for years, but this week, Metasploit 
added a framework for local exploits (mostly geared around privilege 
escalation, natch), and one of the 3 flagship exploits is an exploit for 
setuid installs of Nmap, via os.execute() in a NSE script.

There are a few approaches we could take on this issue (I won't say "in 
response," since the issue has been around long before this addition to 
Metasploit, and our projects are mutually beneficial, not comptetitors):

1. Do nothing.

2. Add a runtime check for EUID != UID and either complain or die. 
Here's a patch for a warning without terminating execution:

> diff --git a/main.cc b/main.cc
> index 08a1b02..aba32f8 100644
> --- a/main.cc
> +++ b/main.cc
> @@ -148,6 +148,14 @@ int main(int argc, char *argv[]) {
>
>    set_program_name(argv[0]);
>
> +#ifndef WIN32
> +  int euid;
> +  euid = geteuid();
> +  if (euid == 0 && euid != getuid()) {
> +      error("WARNING! Nmap should never be installed suid-root! This 
> exposes your system to privilege escalation.");
> +  }
> +#endif
> +
>  #ifdef __amigaos__
>         if(!OpenLibs()) {
>                 error("Couldn't open TCP/IP Stack Library(s)!");

3. Remove support for os.execute() from NSE. This likely won't solve all 
issues, and may lead to a false sense of security.

The floor is open for discussion!

Dan

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/