On February 1st, Eduardo Prado of Secumania notified us of a privilege escalation vulnerability on multi-user Windows installations of the Metasploit Framework. The problem was due to inherited permissions that allowed an unprivileged user to write files in the Metasploit installation directory. Today we are releasing version 3.5.2 to fix this vulnerability. The new installers fix this issue through two changes: first, we've moved the default installation to %ProgramFiles%, which does not normally allow non-admin write access; second, we explicitly remove any inherited permissions for the "Users" and "Authenticated Users" groups. For users who prefer not to re-install Metasploit, you can use the following commands to fix the problem:
Vista and newer:
icacls c:\framework /inheritance:d /t
icacls c:\framework /remove *S-1-5-32-545 /t
icacls c:\framework /remove *S-1-5-11 /t
For systems older than Vista, you will need the xcacls.vbs tool available from Microsoft:
xcacls.vbs c:\framework /E /R SID#S-1-5-32-545 /T
Note that the "Authenticated Users" group doesn't exist before Vista, so you only need to remove "Users".
This issue is mitigated by the fact that it only affects multi-user Windows installations with low-privileged accounts, a scenario we believe to be a small percentage of our users.
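To verify that an installation is no longer affected (for example after running the icacls commands above, or on a system where the install location is unknown), the following PowerShell script walks an install tree and reports every Allow ACE that grants write-capable rights to the two groups named in the advisory, BUILTIN\Users (S-1-5-32-545) and Authenticated Users (S-1-5-11). This is an added example and not code from the Metasploit project; the default path c:\framework and the set of rights treated as "write-capable" are assumptions, so adjust both for your environment.

```powershell
# Added example (not from the Metasploit 3.5.2 release or project code):
# audit an install tree for write access held by low-privileged groups.
# The default $Path is an assumption; point it at the real install directory.
param([string]$Path = 'C:\framework')

# Well-known SIDs from the advisory: BUILTIN\Users and Authenticated Users.
$lowPrivSids = @('S-1-5-32-545', 'S-1-5-11')

# Rights that let the holder plant or replace files, or grant themselves more
# access. Which rights count as "write-capable" is an assumption of this script.
$writeMask = [System.Security.AccessControl.FileSystemRights] `
    'Write, Modify, FullControl, ChangePermissions, TakeOwnership'

# Check the root directory itself plus everything below it (hidden items too).
$items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            # Compare by SID so the check is independent of display language.
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity; not one of ours
        if ($lowPrivSids -notcontains $sid) { continue }
        if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited   # $true means the ACE came from a parent
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning ("{0} ACE(s) grant write access to Users/Authenticated Users under {1}" -f `
        @($findings).Count, $Path)
    exit 1
} else {
    Write-Output "No write access for Users or Authenticated Users found under $Path"
    exit 0
}
```

Run it from an elevated prompt so every file's ACL can be read; a non-zero exit code means at least one ACE still needs to be removed. The Inherited column distinguishes ACEs that will disappear once inheritance is disabled on the root from explicit grants that must be removed individually.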
In addition to fixing this vulnerability, the 3.5.2 release fixes over 50 bugs and contains 39 new modules. Also included in this release is a revamped WMAP courtesy of Efrain Torres, improvements to Meterpreter's railgun extension thanks to chao-mu, and a fledgling version of Post Exploitation modules (a more powerful replacement for Meterpreter scripts). Raphael Mudge's Armitage was also integrated in this release. Post modules are still in their infancy and will likely be much improved in the next release.