CVE-2017-5235 in Metasploit Framework

Summary

by MITRE

Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101 contain a DLL preloading vulnerability, wherein it is possible for the installer to load a malicious DLL located in the current working directory of the installer.


Analysis

by VulDB Data Team • 06/21/2020

CVE-2017-5235 affects Rapid7 Metasploit Pro installers prior to version 4.13.0-2017022101. It is a DLL preloading flaw (also called DLL search-order hijacking or DLL planting): the installer loads at least one dependent library by bare file name rather than by fully qualified path, so the Windows loader walks its default search path, which includes the directory the installer was started from and the process's current working directory. An attacker who can place a DLL with the expected name in that directory beforehand gets arbitrary code executed inside the installer process as soon as the victim runs the installer.

The weakness is CWE-426 Untrusted Search Path: the program relies on a search path that includes directories an attacker can control. On Windows, a DLL requested by bare name is looked up in a fixed order (with SafeDllSearchMode enabled, the default: the application's own directory, System32, the 16-bit System directory, the Windows directory, the current working directory, then each PATH entry), and the first match wins. Two points make an installer the worst case for this class of bug. First, a downloaded installer lives in a user-writable folder such as Downloads, and when it is double-clicked that folder is both the application directory and the current working directory, so it is consulted before System32 for every import that is not a KnownDLL. Second, installers usually request elevation through UAC, so the planted DLL's code runs with administrative rights rather than the user's.
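The search order above, modelled in code so the hijackable cases are visible. This is an added illustration, not Rapid7 code and not the real Windows loader; the directory contents, the installer file name, the PATH entry and the DLL name "plugin-helper.dll" are constructed for the example. It goes one step beyond the paragraph by also showing the two loader settings that close the hole (a fully qualified path, and restricting the search to System32).

```python
"""Model of the Windows DLL search order used to show why an installer run from a
user-writable directory loads a planted DLL. Added illustration: not Rapid7 code
and not the real loader. Order follows Microsoft's documentation for
SafeDllSearchMode=1 (the default): application directory, System32, 16-bit
System directory, Windows directory, current working directory, then PATH.
KnownDLLs are mapped from the \\KnownDlls object directory and never searched
on disk. All directory contents below are constructed."""
from pathlib import PureWindowsPath

SYSTEM32 = r"C:\Windows\System32"
DOWNLOADS = r"C:\Users\victim\Downloads"
TEMP = r"C:\Users\victim\AppData\Local\Temp"

# Constructed file system. The attacker has planted dwmapi.dll (a name that also
# exists in System32) next to the installer, and plugin-helper.dll (a constructed
# name for an optional DLL the installer probes for) in the user's temp folder.
FS = {
    DOWNLOADS: {"metasploit-installer.exe", "dwmapi.dll"},
    TEMP: {"plugin-helper.dll"},
    SYSTEM32: {"dwmapi.dll", "version.dll", "kernel32.dll"},
    r"C:\Windows\System": set(),
    r"C:\Windows": set(),
    r"C:\Tools": {"plugin-helper.dll"},  # constructed PATH entry
}
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll"}  # subset

def _has(directory, name):
    return name.lower() in {f.lower() for f in FS.get(directory, ())}

def search_dirs(app_dir, cwd, path_dirs, system32_only=False):
    """Directories consulted, in order, when a DLL is requested by bare name."""
    if system32_only:
        # What LoadLibraryEx(..., LOAD_LIBRARY_SEARCH_SYSTEM32) or a process-wide
        # SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) leaves in play.
        return [SYSTEM32]
    return [app_dir, SYSTEM32, r"C:\Windows\System", r"C:\Windows", cwd, *path_dirs]

def resolve(dll, app_dir, cwd, path_dirs=(), system32_only=False):
    """Path the loader would map for `dll`, or None if the load fails."""
    p = PureWindowsPath(dll)
    if p.name.lower() in KNOWN_DLLS:
        return "\\KnownDlls\\" + p.name.lower()
    if p.is_absolute():
        # Fully qualified path: no search takes place at all.
        return str(p) if _has(str(p.parent), p.name) else None
    for d in search_dirs(app_dir, cwd, path_dirs, system32_only):
        if _has(d, p.name):
            return d + "\\" + p.name
    return None

def scenarios():
    """Installer double-clicked in Explorer: app dir and CWD are both Downloads,
    unless noted."""
    return {
        # The planted copy wins although the genuine DLL is in System32, because
        # the application directory is searched before System32.
        "planted_beats_system32": resolve("dwmapi.dll", DOWNLOADS, DOWNLOADS),
        # KnownDLLs never reach the disk search, so they cannot be planted this way.
        "knowndll_immune": resolve("kernel32.dll", DOWNLOADS, DOWNLOADS),
        # Installer started from a shell whose CWD is Temp: for a DLL that exists
        # nowhere on the system path, the CWD copy is found before PATH entries.
        "cwd_planted": resolve("plugin-helper.dll", DOWNLOADS, TEMP, [r"C:\Tools"]),
        # Same DLL with CWD = Downloads (no planted copy there): PATH decides.
        "path_decides": resolve("plugin-helper.dll", DOWNLOADS, DOWNLOADS, [r"C:\Tools"]),
        # Hardened: restrict the search to System32.
        "hardened_system32_only": resolve("dwmapi.dll", DOWNLOADS, DOWNLOADS, system32_only=True),
        # Hardened: fully qualified path skips the search entirely.
        "hardened_full_path": resolve(SYSTEM32 + r"\version.dll", DOWNLOADS, DOWNLOADS),
    }

if __name__ == "__main__":
    for name, path in scenarios().items():
        print(f"{name:24} -> {path}")
```

The "planted_beats_system32" case is the one that matters for a downloaded installer: the attacker's copy is chosen even for a DLL that Windows ships, because the installer's own folder is searched first. With SafeDllSearchMode disabled the current directory moves up to second place, which only makes the CWD variant easier.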

The operational impact goes beyond code execution in one process. Code that runs elevated during installation can install persistence and take over the host, and because the product is a penetration-testing platform, the compromised machine is one that will later hold credentials and access into assessed environments. The victim does nothing unusual: they run the installer as intended, and the loader does the rest. What the attacker needs is a way to get a DLL with the right name into the same folder beforehand, for example through an earlier browser download into Downloads or by seeding a shared folder from which installers are commonly run.

Remediation is to install from a Metasploit Pro installer of version 4.13.0-2017022101 or later. The flaw is in the installer binary, not in an installed copy, so the fix is to use the updated installer rather than to patch a deployment, and old installer files should be discarded. Where an older installer must still be run, run it from a directory that contains nothing but the installer, or from a location only administrators can write to. The attack maps to ATT&CK T1574.001 (Hijack Execution Flow: DLL Search Order Hijacking) and, because the installer runs elevated, also serves as privilege escalation in the sense of T1068 Exploitation for Privilege Escalation. Detection relies on endpoint telemetry rather than network traffic: image-load events (for example Sysmon Event ID 7) showing an elevated installer loading a DLL from a user-writable directory, and application-control policies that cover DLLs, not only executables (AppLocker's DLL rule collection is separate and off by default). For anyone shipping installers, the class of bug is avoided by loading dependencies by fully qualified path or by restricting the search with SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) or the equivalent LoadLibraryEx search flags.
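The endpoint-telemetry check described above, as an added detection example that is not part of the page or of any Rapid7 tooling. It correlates Sysmon Event ID 1 (process create, which records CurrentDirectory) with Event ID 7 (image load) on ProcessGuid and flags DLLs loaded from a user-writable directory that is the process's own directory or its working directory. The events are constructed with Sysmon field names, the installer and vendor paths are made up, and the list of user-writable roots is an assumption to tune per environment.

```python
"""Added detection example, not from the page or from Rapid7: correlate Sysmon
Event ID 1 (process create, which records CurrentDirectory) with Event ID 7
(image load) on ProcessGuid and flag DLLs loaded from a user-writable directory
that is the loading process's own directory or its working directory. The
events below are constructed with Sysmon field names; none were captured from a
real host, and the list of user-writable roots is an assumption to tune per
environment."""
from pathlib import PureWindowsPath

USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")  # assumption

INSTALLER = r"C:\Users\victim\Downloads\metasploit-installer.exe"  # constructed
VENDOR_TOOL = r"C:\Program Files\Vendor\tool.exe"                  # constructed benign process

EVENTS = [
    {"EventID": 1, "UtcTime": "2017-03-01 10:00:00.000", "ProcessGuid": "{a1}",
     "Image": INSTALLER, "CurrentDirectory": "C:\\Users\\victim\\Downloads\\",
     "IntegrityLevel": "High"},
    {"EventID": 7, "UtcTime": "2017-03-01 10:00:00.120", "ProcessGuid": "{a1}",
     "Image": INSTALLER, "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "UtcTime": "2017-03-01 10:00:00.340", "ProcessGuid": "{a1}",
     "Image": INSTALLER, "ImageLoaded": r"C:\Users\victim\Downloads\dwmapi.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 1, "UtcTime": "2017-03-01 10:05:00.000", "ProcessGuid": "{b2}",
     "Image": VENDOR_TOOL, "CurrentDirectory": "C:\\Program Files\\Vendor\\",
     "IntegrityLevel": "Medium"},
    {"EventID": 7, "UtcTime": "2017-03-01 10:05:00.050", "ProcessGuid": "{b2}",
     "Image": VENDOR_TOOL, "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

def norm_dir(path):
    """Lower-cased directory without trailing separator, for comparisons."""
    return str(PureWindowsPath(path)).rstrip("\\").lower()

def is_user_writable(directory):
    return (norm_dir(directory) + "\\").startswith(USER_WRITABLE_ROOTS)

def find_planted_loads(events):
    """Return one finding per suspicious Event ID 7, with the reasons it matched."""
    creates = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] != 7:
            continue
        dll_dir = norm_dir(PureWindowsPath(e["ImageLoaded"]).parent)
        if not is_user_writable(dll_dir):
            continue  # System32, Program Files etc. need admin rights to tamper with
        create = creates.get(e["ProcessGuid"], {})
        exe_dir = norm_dir(PureWindowsPath(e["Image"]).parent)
        cwd = norm_dir(create.get("CurrentDirectory", ""))
        reasons = []
        if dll_dir == exe_dir:
            reasons.append("dll_in_process_dir")  # application-directory planting
        if dll_dir == cwd:
            reasons.append("dll_in_cwd")          # the CVE-2017-5235 shape
        if not reasons:
            continue
        if e.get("Signed", "").lower() != "true":
            reasons.append("unsigned")
        if create.get("IntegrityLevel") in ("High", "System"):
            reasons.append("elevated_process")    # planted code runs elevated
        findings.append({"UtcTime": e["UtcTime"], "Image": e["Image"],
                         "ImageLoaded": e["ImageLoaded"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_planted_loads(EVENTS):
        print(f["UtcTime"], f["Image"], "loaded", f["ImageLoaded"], ",".join(f["reasons"]))
```

Event ID 7 is only emitted when ImageLoad is enabled in the Sysmon configuration, and it is noisy, so the directory test does the filtering while signature status and integrity level are recorded as reasons rather than used as filters: a planted DLL can be a validly signed library borrowed from another product, and an unelevated hit is still worth a look.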

Reservation: 01/09/2017

Disclosure: 03/02/2017

Moderation: accepted

Entry: VDB-97483

CPE: ready

EPSS: 0.00189

KEV: no

Activities: very low
