# CVE-2026-5463

## Summary

pymetasploit3 command injection

## Description

CRITICAL COMMAND INJECTION - CVE-2026-5463 pymetasploit3 <= 1.0.6

## VULNERABILITY SUMMARY
Unauthenticated remote attackers can inject arbitrary commands into the Metasploit console via newline injection in module options.

## ROOT CAUSE ANALYSIS
The `run_module_with_output()` function in `pymetasploit3/msfrpc.py` builds Metasploit console commands unsafely:

VULNERABLE CODE (v1.0.6 and earlier):

```python
for k in opts.keys():
    options_str += 'set {} {}\n'.format(k, opts[k])  # NO SANITIZATION
```

When user-controlled option values (like `RHOSTS`) contain newlines, they break the command structure:

```text
set RHOSTS 192.168.1.1\n; cat /etc/passwd\n
```

This terminates the `set` command and injects arbitrary Metasploit console commands.

## EXPLOITATION PATH
1. Install pymetasploit3 1.0.6: `pip install pymetasploit3==1.0.6`
2. Connect to Metasploit RPC (requires `msfrpcd` running)
3. Create exploit module with malicious option: `console.run_module_with_output(exploit, options={'RHOSTS': '192.168.1.1\n; cat /etc/passwd\n'})`
4. Newline breaks command parsing, executes `cat /etc/passwd`

## PROOF OF CONCEPT (PAYLOAD)
Inject via any module option like `RHOSTS`, `RPORT`, etc.:
- `192.168.1.1\n; id` - Execute `id` command
- `192.168.1.1\n; workspace -a pwned` - Create workspace
- `192.168.1.1\n; resource /tmp/backdoor.rc` - Load resource file

## SUCCESS CRITERIA
- PROVE command injection (not just error/crash)
- FAILURE: Script errors or connection issues
- SUCCESS: Demonstrate arbitrary command execution within Metasploit console context

## IMPACT
- Unauthenticated command injection into Metasploit framework
- Session manipulation
- Lateral movement
- Full compromise of Metasploit server

## BLAST RADIUS
- 406 GitHub stars
- PyPI package: pip install pymetasploit3
- Used by penetration testers and red teams
- Affects all pymetasploit3 <= 1.0.6

## TECHNICAL DETAILS
- CWE: CWE-77 (Command Injection)
- CVSS 4.0: 9.3 CRITICAL
- CVSS 3.1: 8.6 HIGH
- Affected: versions through 1.0.6
- Fixed: version 1.0.7+

## REPOSITORY
https://github.com/DanMcInerney/pymetasploit3

## REQUIRED FOR REPRO
- Python 3.x
- Metasploit with msfrpcd running
- pip install pymetasploit3==1.0.6

## REFERENCES
- https://nvd.nist.gov/vuln/detail/CVE-2026-5463
- https://github.com/DanMcInerney/pymetasploit3
- https://dbugs.ptsecurity.com/vulnerability/PT-2026-29988

## PATCH DETAILS
Fixed in 1.0.7 by sanitizing newlines in option values before command construction.
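
The unsafe string-building pattern from the root cause analysis, set beside a stricter builder, as an added example: this is not pymetasploit3's code and not its 1.0.7 patch. The function names, the option-name allow-list and the choice to reject rather than strip control characters are assumptions made here; the inputs are constructed and nothing connects to `msfrpcd`.

```python
import re

# Hypothetical helpers for illustration; not pymetasploit3's API.
# CR, LF and other ASCII control characters can end or corrupt a console line.
_CONTROL = re.compile(r'[\x00-\x1f\x7f]')
# Assumed allow-list for option names (letters, digits, "_", ":", ".", "-").
_NAME = re.compile(r'[A-Za-z0-9_:.-]+')


def build_options_unsafe(opts):
    """Same pattern as the v1.0.6 snippet above: values interpolated verbatim."""
    options_str = ''
    for k in opts.keys():
        options_str += 'set {} {}\n'.format(k, opts[k])
    return options_str


def build_options_checked(opts):
    """Refuse any name or value that could span more than one console line."""
    lines = []
    for k, v in opts.items():
        k, v = str(k), str(v)
        if not _NAME.fullmatch(k):
            raise ValueError('invalid option name: {!r}'.format(k))
        if _CONTROL.search(v):
            raise ValueError('control character in {} value: {!r}'.format(k, v))
        lines.append('set {} {}\n'.format(k, v))
    return ''.join(lines)


def console_lines(command_text):
    """Split the text the way a line-oriented console receives it."""
    return [ln for ln in command_text.split('\n') if ln]


# Constructed inputs: one benign, one with the newline value quoted in the advisory.
BENIGN = {'RHOSTS': '192.168.1.1', 'RPORT': 445}
TAINTED = {'RHOSTS': '192.168.1.1\n; cat /etc/passwd\n'}

if __name__ == '__main__':
    print(console_lines(build_options_unsafe(BENIGN)))   # one line per option
    print(console_lines(build_options_unsafe(TAINTED)))  # one option, two lines
    try:
        build_options_checked(TAINTED)
    except ValueError as exc:
        print('rejected:', exc)
```

Callers that wrap `run_module_with_output()` on an affected version can apply the same check to option values before handing them to the library; upgrading to 1.0.7+ remains the fix the advisory names.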

## Metadata

- Product: pymetasploit3
- Severity: critical
- Status: open
