Android WebView Exploit, 70% Devices Vulnerable
This week, the biggest news I think we have is the release this week of Joe Vennix and Josh @jduck Drake's hot new/old Android WebView exploit. I've been running it for the last day or so out on the Internet, with attractive posters around the Rapid7 offices (as seen here) in an attempt to pwn something good. I've popped a couple shells, I guess I didn't make my QR Code attractive enough.
Seriously, though, this vulnerability is kind of a huge deal. I'm hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93+ weeks in the wild. Don't believe me that this thing is that old? Just take a look at the module's references if you don't believe me.
It should be noted that the bug only ("only," he says!) affects versions of Android below 4.2 (early Jellybean). In a completely unsurprising twist, I did a quick survey of the phones available today on the no-contract rack at a couple big-box stores, and every one that I saw were vulnerable out of the box. And yes, that's here in the U.S., not some far-away place like Moscow, Russia. This lines up with what Android Central reports, in that while Android 4.4 (KitKat) has achieved 1.8% penetration, the same chart indicates that over 70% of all Android devices out there are vulnerable to this bug, with the plurarilty of devices at 4.0 and 4.1.
There's a lot more to say here, so expect more on this in the coming days. We've slapped together a quick video, but feel free to make a better one and grab all the Internet infamy for yourself. The video should open in a new window.
As you can see, the attack shown here -- QR code on a Metasploit exploit -- is a pretty dang effective way to get a shell on a target Android device, assuming your QR marketing skills are better than mine.
Incidentally, who do you lean on to get this patched? The big box retailer who sold it to you? The manufacturer of the phone hardware? The cell phone service provider? Google? It may seem a little spurious, but it's a question that's going to be asked by journalists, wonks, and (hopefully) consumer protection groups in the coming weeks.
Item two on this week's release is Wei @_sinn3r Chen's rework of how Metasploit exploits use the "check" functionality. You can read up on it over at sinn3r's blog post about how it all works -- really, go read it, it's good. I'll wait.
Now that you've got the background and it's out in this week's release, you no longer need to guess at how many of your in-scope Windows machines really are vulnerable to MS08-067 before you try to tag them. This is not to say that Metasploit is suddenly a proper vulnerability scanner. We're not, and never really will be. This "check" functionality is much more focused on target acquisition than compliance checking or risk management or anything like that. So, good for penetration testers, maybe not so good for your day-to-day vuln scanning duties.
Meterpreter Clipboard Monitor
Also on this release (dang, this is a pretty good one this week), is the new clipboard monitor functionality for Meterpreter, thanks in large part to OJ @TheColonial Reeves. OJ got a nice little writeup over at CSO Online wherein TheColonial explains how the clipboard-erasing protections of KeePass are completely obliterated.
This makes me sad, as I'm an avid KeepassX user and have been for years and years. Oh well, I guess I just better make sure that I'm not already owned when I go checking The Facebook for my friends cat-and-baby pictures.
But, alas, moving security forward isn't just about me and what software I use. The fact of the matter is, passwords suck. Period. You're left with the choice of a) keeping easy to remember passwords in your head (easy to guess), b) use a clipboard-based password manager and hope nothing's watching your clipboard, c) use some hand-typing system of password management and hope you're not getting your keystrokes logged, or d) use a browser-based autofill system and hope you're not a recent victim of a universal, persistent XSS bug. Time to take another look at your two-factor authentication (2FA) choices.
Incidentally, we'll have more on the UXSS thing in the next couple weeks. You're welcome, in advance.
Including the WebView exploit the above, we're shipping six new exploits and seven new auxiliary and post modules. Most of the aux material this week revolves around IBM Sametime, an enterprise social-media-in-a-box offering, all from the cruelly-named Kicks4Kittens.
- Kloxo SQL Injection and Remote Code Execution by juan vazquez and Unknown
- Pandora FMS Remote Code Execution by xistence
- KingScada kxClientDownload.ocx ActiveX Remote Code Execution by juan vazquez and Andrea Micalizzi exploits ZDI-14-011
- Windows TrackPopupMenuEx Win32k NULL Page by Dan Zentner, Matias Soler, Seth Gibson, and Spencer McIntyre exploits CVE-2013-3881
- Windows Command Shell Upgrade (Powershell) by Ben Campbell
Auxiliary and post modules
- IBM Lotus Sametime WebPlayer DoS by Chris John Riley and kicks4kittens exploits CVE-2013-3986
- DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials by Brendan Coles
- IBM Lotus Notes Sametime User Enumeration by kicks4kittens
- IBM Lotus Notes Sametime Room Name Bruteforce by kicks4kittens
- IBM Lotus Sametime Version Enumeration by kicks4kittens
- A10 Networks AX Loadbalancer Directory Traversal by xistence exploits OSVDB-102657
- Windows Gather Active Directory User Comments by Ben Campbell
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.