Attacking Security Infrastructure
This week, one module stands out for me: the Symantec Endpoint Protection Manager Remote Command Execution by xistence, who built on the proof-of-concept code from Chris Graham, who turned that out after Stefan Viehbock's disclosure from last week. You can read the full disclosure text from SEC Consult Vulnerability Lab, and get an idea of the scope of this thing. But, here's the TL;dr: attackers who can communicate with Symantec's Endpoint Protection Manager can turn this central management server into a command-and-control node of an entirely coopted botnet. Pretty good find for an on-site penetration tester... or a disgruntled employee.
Obviously, this is kind of a big deal, and while I don't want to beat up on Symantec (too much), this is the kind of catastrophic failure condition that makes people (rightfully) sketchy about their add-on security infrastructure. This is not just a story about a security vulnerability in some server-side component; it's a story about a security vulnerability in a product designed to manage the security posture of an organization.
On top of this, the vulnerability disclosure happened to be released over RSA week. You can be sure there was much schadenfreude to be had on the expo floor.
As a handler of vulnerability data, I'm also really digging this module's backstory, since it highlights the effectiveness of reasonable disclosure. Kudos to SEC Consult for disclosing this to Symantec back in December, and kudos to Symantec for not doing too much foot-dragging on getting a fix out in a reasonable amount of time. While the effects of the vulnerabilities in question are pretty much total disaster, this is a story with a happy ending: The vulnerability was uncovered, reported to the vendor and various CERTs, a fix was released, and a Metasploit module showed up to validate the fixes, all in the space of a little more than two months.
Oh, and if it's not obvious to you by now: if you have this product environment, you need to patch this thing YESTERDAY.
Contributing to Security Infrastructure
In Metasploit development news, we just refreshed our own CONTRIBUTING.md file for (as you might expect) Metasploit Contributors. I don't remember the last time we were below 60 outstanding pull requests, which kind of sucks. We generate more than our share of sore feelings about leaving some pull requests out there to rot, and that troubles me, personally, a lot. Like, a lot a lot. With this update from William Vu, we've laid down some mostly common sense advice for folks who want to contribute meaningfully to the Metasploit Framework.
These "rules" are absolutely not set in stone. They may be crazy stupid and overly fascist. All we are trying to do here is to set up you, the open source security practitioner, for a pleasant experience with our backlog and ultimately a successful contribution.
However, if this misses the mark, then by Shuckins' beard, let us know how we can improve. Turns out, the best part of encoding our rulesy desires in CONTRIBUTING.md is that suggestions for changes are but a Pull Request away; so if you want to see something changed in that policy doc, change it how you'd like to see it and we can talk about it on the PR issue.
It's like democracy, but with forks and branches and pulls and stuff. I kinda wish real-world legislation worked this way.
Metasploit at RootedCon
If you happen to be in the vicinity of Madrid, and, you know, didn't have any plans, you should swing by RootedCon and see Metasploit's own Juan Vazquez and Julian Villas kick the stuffing out of some SCADA gear. Really, you should go, even if you already had something else planned. I hear that @corelanc0d3r is giving his mighty training at RootedCon as well, which is chock full of revealed wisdom about Metasploit exploit dev.
This week's release has five new modules including the lolsy Symantec issue mentioned above.
- Symantec Endpoint Protection Manager Remote Command Execution by Chris Graham, Stefan Viehbock, and xistence exploits CVE-2013-5015
- Total Video Player 1.3.1 (Settings.ini) - SEH Buffer Overflow by Fr330wn4g3 and Mike Czumak exploits OSVDB-100619
- GE Proficy CIMPLICITY gefebt.exe Remote Code Execution by juan vazquez, Z0mb1E, and amisto0x07 exploits ZDI-14-015
Auxiliary and post modules
- Linksys WRT120N tmUnblock Stack Buffer Overflow by Craig Heffner and Michael Messner exploits OSVDB-103521
- Apache Commons FileUpload and Apache Tomcat DoS by Unknown and ribeirux exploits CVE-2014-0050
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 7-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.