And we're back!
So, full disclosure: I haven't written an update blog post in almost a month. I'm a terrible person, I know. The reasons are many, of course -- we had a Metasploit 4.9 release at the tail end of March, and then we had this Heartbleed thing happen in early April which still continues to dominate the thoughts and action of everyone I know. Yeah, I don't know many people outside of security. I'm kind of a loser like that.
That said, the Metasploit juggernaught stops for no single bug. The exploit elves have been hard at work bringing in new non-Heartbleed exploits, so let's take a look at what's actually new this week. But first...
I promise I won't say Heartbleed again
But give me one or two more paragraphs just to get it out of my system. Today's release has both an updated Heartbleed server-side module as well as the new Heartbleed client-side module. Since it's client-side, you can't just "scan" your infrastructure for this vulnerability; you need to get your network users to at least click a link. Lucky for you, though, you don't need to direct them to some site out on the Internet (and give away your security intelligence in the process).
Using the Metasploit module, it's pretty trivial to fire it up and test out your existing client software that you use and trust for SSL communications. Does your phone's browser link against a vulnerable version of OpenSSL? Are you sure? How about that curl-based cron job you've been running for the last six months to snag the latest Dogecoin prices and triggers your buy and sell orders? Software like that is notoriously difficult to identify, let alone test, but hopefully with this module you can at least solve that testing part.
I promise, I'll shut my yap about Heartbleed now, and just be thankful for the continued job security that it's providing for me and all my friends.
More Firefox skulduggery
People download crap from the Internet all the time. This is a demonstrable fact which causes no end of frustration to IT administrators and security-minded family members alike. "But I'm no dummy," your users (or mother) might say, "I don't use MSIE on Windows -- I use Firefox on a Mac! Totally safe and virus free!"
Well, Rapid7's own Joe Vennix has been on a tear with Firefox lately. He's got three more post modules for unlucky Firefox users -- a cookie stealer (actually, released with 4.9.2), a browser history revealer, and, best of all, a saved password dumper. These all get really useful if you happen to have a browser exploit that can take advantage of the Firefox privileged payloads. Oh, and by "exploit," you can take that to also mean, "a malicious add-on that the user opted into."
What this all boils down to is, the crafty penetration tester can use these Metasploit post-exploit modules to help illustrate the true risk to an organization from a Firefox-based compromise. That's a nice win.
We have eight new modules this week for you, including the ones mentioned above. You know what to do.
- eScan Web Management Console Command Injection by juan vazquez and Joxean Koret
- Sophos Web Protection Appliance Interface Authenticated Arbitrary Command Execution by Brandon Perry exploits ZDI-14-069
- Vtiger Install Unauthenticated Remote Command Execution by Jonathan Borgeaud exploits CVE-2014-2268
- MS14-017 Microsoft Word RTF Object Confusion by Haifei Li, Spencer McIntyre, and unknown exploits CVE-2014-1761
Auxiliary and post modules
- OpenSSL Heartbeat (Heartbleed) Client Memory Exposure by hdm, Antti, Matti, Neel Mehta, and Riku exploits CVE-2014-0160
- Windows Gather Enumerate Active Domain Users by Ben Campbell and Etienne Stalmans
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.