Yo Dawg, I Heard You Like 0-Day
As you may have heard, on Monday we rolled out a special update to Metasploit to include the new Internet Explorer use-after-free exploit, aka, CVE-2012-4969. Last night, while scrolling through my RSS feed for security news, I saw this NetworkWorld story about how someone is using this vulnerability to install Poison Ivy, a RAT / backdoor. Of course, astute readers of this blog will know that Poison Ivy itself is vulnerable to a stack buffer overflow condition.
Let's think about this for a second. Internet criminals are using an unpatched IE vulnerability to deliver software which is controlled by software that also has an unpatched vulnerability.
So, if you happen across a vulnerable client during a penetration test, it would behoove you to check to see if anyone is connected to Poison Ivy's listening socket, TCP/3460. From there, you should be able to discover if any /other/ assets that are in scope for your test are already controlled. Exact details of how to accomplish that are left as an exercise for the reader. (:
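One way to run that socket check from a connection dump, as an added example that is not part of the original post or of Metasploit: the script below parses Linux `netstat -tn`-style output and flags the Poison Ivy default port (TCP/3460, as stated above) from both sides, a local listener with connected peers (the host is acting as a controller, and the peers are likely already-compromised assets) and outbound connections to a remote host on that port (the host is likely an implant). The sample lines are constructed, not captured from a real host, and the line format is an assumption; the operator can change the port, so a miss here proves nothing, but a hit is worth chasing.

```python
"""Triage a netstat-style connection dump for Poison Ivy's default
listener port (TCP/3460).  Added example for this post; the sample
output below is constructed, not captured from a real host."""
import re
from typing import Dict, List

POISON_IVY_PORT = 3460  # default listening port mentioned in the post

# Assumption: lines follow Linux `netstat -tn` layout
# (proto, recv-q, send-q, local addr:port, foreign addr:port, state).
_LINE = re.compile(
    r"^(?P<proto>tcp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)\s+"
    r"(?P<state>\S+)"
)

# Constructed sample: this host runs a listener on 3460 with two peers
# attached, and also has an outbound connection to another host's 3460.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:3460           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:3460           10.0.0.23:49211         ESTABLISHED
tcp        0      0 10.0.0.5:3460           10.0.0.77:51002         ESTABLISHED
tcp        0      0 10.0.0.5:52133          93.184.216.34:443       ESTABLISHED
tcp        0      0 10.0.0.5:53001          10.0.0.9:3460           ESTABLISHED
"""


def parse_connections(text: str) -> List[Dict[str, str]]:
    """Turn netstat text into a list of dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def poison_ivy_findings(text: str, port: int = POISON_IVY_PORT) -> Dict[str, object]:
    """Classify connections on the default port.

    local_listener     -> this host accepts connections on `port`
    implant_peers      -> remote hosts attached to that local listener
    remote_controllers -> remote hosts this host connects to on `port`
    """
    listener = False
    implant_peers: List[str] = []
    remote_controllers: List[str] = []
    for c in parse_connections(text):
        if c["lport"] == str(port) and c["state"] == "LISTEN":
            listener = True
        elif c["lport"] == str(port) and c["state"] == "ESTABLISHED":
            implant_peers.append(c["raddr"])
        elif c["rport"] == str(port) and c["state"] == "ESTABLISHED":
            remote_controllers.append(c["raddr"])
    return {
        "local_listener": listener,
        "implant_peers": implant_peers,
        "remote_controllers": remote_controllers,
    }


if __name__ == "__main__":
    for key, value in poison_ivy_findings(SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```

Feed it the output of `netstat -tn` (or any dump you can coerce into that layout) from a host you have authority over, and anything in `implant_peers` or `remote_controllers` becomes a lead to confirm with a proper host examination rather than a verdict on its own.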
By the way, if you haven't yet had a chance to test the Metasploit module for the Internet Explorer vulnerability, here's a video of Eric Romang taking it for a spin. Huge thanks again to Eric and @binjo for throwing in on all this. Getting the word out on these high-value bugs really does kill their usability for the bad guys.
Of course, there's more in this update than just a refresh of the MSIE exploit. Egypt has a nice new local exploit for Linux's udev, discovered by kcope, which is pretty nifty. So, here's the list -- for details and usage, follow the links to our Exploit Database.
- Linux udev Netlink Local Privilege Escalation by egyp7, Jon Oberheide, and kcope exploits CVE-2009-1185
- qdPM v7 Arbitrary PHP File Upload Vulnerability by sinn3r and loneferret exploits OSVDB-82978
- Webmin /file/show.cgi Remote Command Execution by juan vazquez and unknown exploits CVE-2012-2982
- Microsoft Internet Explorer execCommand Use-After-Free Vulnerability by sinn3r, juan vazquez, binjo, eromang, and unknown exploits OSVDB-85532
- Oracle Business Transaction Management FlashTunnelService Remote Code Execution by sinn3r, juan vazquez, and rgod exploits OSVDB-85087
- Novell File Reporter Agent Arbitrary File Delete by juan vazquez and Luigi Auriemma exploits CVE-2011-2750
- Webmin edit_html.cgi file Parameter Traversal Arbitrary File Access by juan vazquez and unknown exploits CVE-2012-2983
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.