Scary-Sounding Flash Exploits
That last bit is why these exploits deserve a special mention. These modules implement the attacks wrought by "Operation Snowman" and "LadyBoyle," two of the cooler-sounding names I've heard in a while. They allow penetration testers to tell a story of True Crime, Ripped from the Headlines, Real True Story style. As we saw last week, vulnerabilities with human-memorable names and some effort made at marketing make for great attention-grabbers. It's no different for exploits. While hands-on security folks talk about "MS08-067 NetAPI" a lot, it's really not all that attention-grabbing for someone who's only partly dialed in to security. Heck, hardly anyone remembers MS03-026, but lots of people remember "the Blaster worm."
In fact, I'd say that their spycraft-sounding names can only help you in your mission to convince management folks that the threats facing their organizations aren't "merely theoretical" (hat-tip to the l0pht), or some boring old list of CVE numbers. The fact is, the techniques used by these exploits started public life "in the wild" as "zero-day exploits." Dang, that sounds scary. Better ensure your Flash is up to date!
Re-engineering exploits like this is kind of the bread and butter of Metasploit, to be honest. Locally discovered vulnerabilities are great and all. Everyone loves them. But, while it might be a little less sexy in InfoSec, replicating known, proven criminal behavior in the form of a safe and reliable Metasploit module can really help move a security program along, with at least as much urgency as the not-yet-patched or recently-patched vulnerability.
Metasploit UK Meetup
In other news, I'm going to be in London, UK, next week. I'll be in town partly for Infosecurity Europe 2014, partly for Security BSides London, and partly for a secret mission I cannot disclose at this time. So, if you're a Metasploit contributor who happens to be in town (or lives there) for these events, we should organize something. My twitters will work for meetups. If nothing else, you can make fun of my provincial beer tastes and the way I just spelt "organise."
In any case, it'll be a fun time. Rapid7 will have a stand at InfosecEU, which I will be close to for much of my time in England. If you're a contributor or user of Metasploit, please swing by and say hi!
We have four whole new modules this week, half of which are the Flash exploits from Juan's band of thieves. We were a little busy last week with some particular bug on the Internet that I promised I wouldn't mention by name again in this blog post, at least until next week.
- Adobe Flash Player Regular Expression Heap Overflow by juan vazquez, Boris "dukeBarman" Ryutin, and Unknown exploits CVE-2013-0634
- MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free by juan vazquez, Jean-Jamil Khalife, and Unknown exploits CVE-2014-0322
Auxiliary and post modules
- Oracle Demantra Database Credentials Leak by Oliver Gruskovnjak exploits CVE-2013-5880
- Windows Manage Change Password by Ben Campbell
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.