Metasploit Blog, June 2014

The Android Exploit Mixin

This week, Rapid7's Joe Vennix refactored our tried and true methods for exploiting the addJavascriptInterface vulnerability, which happens to be present on a ton of consumer Android devices and Google Play store-approved apps. That means a couple of things for Android exploit developers. First, there's now a testable library for adding new and exciting Android exploit techniques, which is nice from a developer standpoint.

Also, this refactoring enabled the creation of the Adobe PDF Reader version of the exploit. Yep, it turns out that Adobe's mobile app was vulnerable to the addJavascriptInterface issue until about mid-April of 2014. I wonder how many other apps with over a million downloads are exposed to this vulnerability?

If you're wondering the same thing, I suggest picking up the quite excellent Android Hacker's Handbook by Josh "jduck" Drake, Zach Lanier, Collin Mulliner, Pau Oliva Fora, Stephen A. Ridley, and Georg Wicherski. With this tome in hand, you can get down to the business of exploring Android as a target. We have a place to stash more exploit techniques now, we've provided a functioning Meterpreter payload for Android devices, and many of the authors of the Handbook are already familiar with Metasploit module writing. With all these elements in place, I'm looking forward to a summer of Android exploits.

 

iPhone Meterpreter?

In other news, Metasploit contributor Anwar Mohamed has indicated that he's starting work on an iPhone version of Meterpreter, starting with a couple posts to the metasploit-hackers mailing list. If you're interested in helping out there, I'm sure he'd take it. After all, I don't want to give the impression that Metasploit is only interested in beating up on Android. We're happy to target pretty much any device that's hanging around on the Internet.

 

New Modules

In addition to the above-mentioned Android file format exploit, we have a new exploit for the Easy File Management Web Server, as well as a handy new scanner module which tests for the OpenSSL ChangeCipherSpec vulnerability announced a couple weeks ago, and a slew of other auxiliary modules. Check 'em out below:

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.

 

For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes.

Everyone knows about SQL injections. They are classic, first widely publicized by Rain Forest Puppy, and still widely prevalent today (hint: don't interpolate query string params with SQL).

 

But who cares? SQL injections are so ten years ago. I want to talk about a vulnerability I hadn't run into before that I recently had a lot of fun exploiting. It was a NoSQL injection.

 

The PHP application was using MongoDB, and MongoDB has a great feature that allows you to filter documents using Javascript queries: you pass a Javascript function, as a string, under the $where key when calling find(). This function should return a boolean value that determines whether the given document is included in the result set or not.

 

A natural progression to this is to make these dynamic, based on user input. Great, this gives me a possible opportunity to inject arbitrary Javascript (into a fairly limited sandbox) and dictate what the result set contains. It isn't super useful though at face value. Maybe you could extract data by defining new boolean clauses that would evaluate to true when 'this.username' == 'admin'.

 

Since I can't name the application, I wanted to write a module that the framework devs could easily test, so I decided to write a small PHP script that is vulnerable to a few different vectors of NoSQL injection in the same way this application was. While researching this kind of vulnerability, I found a very useful post that included a PDF of a talk given at BlackHat a few years ago; it is the basis for the techniques used in the module.

Basically, in versions of MongoDB prior to 2.4, a 'db' variable was available in the context of the javascript that ran in $where. This 'db' variable lets you do a lot of really cool things, so I chose to write a module that easily shows the exploitability of the vulnerability: it performs boolean injections to extract the collections available in the database. I also knew that Javascript could allow for injections in a few places, so I took this into account, requiring slight syntax tweaks (much like SQL injections). The vulnerable script is available here.

 

Let's see some code. In this example PHP script, the programmer is going to look up people based on their age:

 

<?php
// Deliberately vulnerable example: the GET parameter is concatenated straight
// into the Javascript that MongoDB evaluates for $where.
$m = new MongoClient("mongodb://127.0.0.1:27017");
$m->selectDB('foo');                                       // returned DB handle is unused
$collection = $m->selectCollection('test', 'phpmanual');   // db 'test', collection 'phpmanual'

if (isset($_GET["age"]) && $_GET["age"] != "") {
     // user input becomes part of the function body; "8||true" makes it always true
     $js = 'function(){if(this.name == "Joe"||this.age=='.$_GET["age"].')return true;}';
     $cursor = $collection->find(array('$where' => $js));
     foreach($cursor as $doc) {
          var_dump($doc);
     }
}
?>

 

If you look closely, the programmer is just dropping the GET parameter into the Javascript. What if, instead of passing "8", we pass "8||true"? Magically, every single document in the collection is dumped, because the condition is now always true. I love magic. But let's build on this.
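As an added example (not the post's script or the Metasploit module), here is the same lookup written two ways in Ruby: the unsafe pattern that splices the parameter into a $where function, next to a hardened version that validates the parameter and expresses the condition as a structured query document so the value is data rather than code. Only the query documents are built, so no MongoDB driver is needed; the helper names are hypothetical.

```ruby
# Added example (not the post's code): an age lookup built unsafely and safely.
# No driver is used; the functions only return the query document that would
# be handed to find(). Function names are hypothetical.

class InvalidParameter < StandardError; end

# Unsafe, mirroring the PHP above: the raw parameter is spliced into a
# JavaScript function that the server will evaluate via $where. Whatever the
# client sends becomes part of the program text.
def unsafe_where_query(age_param)
  js = "function(){if(this.name == \"Joe\"||this.age==#{age_param})return true;}"
  { '$where' => js }
end

# Hardened: accept only a short run of digits, convert it to a number, and
# express the same condition as a structured query. The value sits inside the
# query document as data, never as code, so there is nothing to break out of.
def safe_age_query(age_param)
  unless age_param.is_a?(String) && age_param.match?(/\A\d{1,3}\z/)
    raise InvalidParameter, "age must be a 1-3 digit integer, got #{age_param.inspect}"
  end
  { '$or' => [{ 'name' => 'Joe' }, { 'age' => age_param.to_i }] }
end

# A request handler shaped like the PHP one. It returns the query it would
# run, or an error message, without touching a database.
def handle_age_request(params)
  return { error: 'age is required' } if params['age'].to_s.empty?
  { query: safe_age_query(params['age']) }
rescue InvalidParameter => e
  { error: e.message }
end

if __FILE__ == $0
  ['8', '8||true'].each do |input|
    puts "input #{input.inspect}"
    puts "  unsafe $where: #{unsafe_where_query(input)['$where']}"
    puts "  hardened:      #{handle_age_request('age' => input).inspect}"
  end
end
```

The hardened version rejects "8||true" outright; even if a stricter validator were not feasible, dropping $where in favour of field matches removes the code-evaluation step that the injection depends on.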

 

Remember that 'db' variable we have? It has some pretty good methods available, such as getCollectionNames(). This returns an array of strings. An introduction to boolean attacks is in order before going much further.

 

If you aren't 100% sure what a boolean attack is, hopefully this will clarify it. A boolean attack lets an attacker extract information from a system by asking a series of true-or-false questions. Often you rely on "metadata": the response you get when you ask a 'false' question versus the response to a 'true' question. You don't care what the data in those responses is, only that they are predictably different. Unless you have great wordlists, this is generally done a byte at a time. A time-based SQL injection is another example of a boolean attack, except the "metadata" is timing, used to determine whether a query was true or false.

 

In the above code example, in order to exploit it efficiently, I need information about what exactly 'getCollectionNames()' is returning, such as how many strings it is returning. I can find this out easily using a boolean attack. Let's say I pass in "8||db.getCollectionNames().length == 1", but I get my 'false' response back. This means that whatever 'db.getCollectionNames().length' is returning does not equal one. But when I pass "8||db.getCollectionNames().length == 2", I get my 'true' response: every document in the collection. This tells me that there are two collection names being returned by the method.

 

Now I can take the attack further. I pass in "8||db.getCollectionNames()[0][0] == 'a'" and get a 'false' response back; I am asking the server whether the zeroth character of the zeroth string is 'a'. That sucks, and this is really tedious, but I know enough now to automate retrieving the collection names. By incrementing the name and character indexes and asking boolean questions (is the char 'a'? is it 'b'? etc.), I can easily exfiltrate the collection names available to demonstrate and fully exercise the vulnerability.
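From the defender's side, the probes described above leave a very recognisable trail: one request per yes/no question, all from the same client, all varying a parameter that should only ever be a number. The following added example (mine, not part of the post or the module) runs that check over a few constructed access-log lines for the people.php script; the addresses, paths and log lines are made up for the example.

```ruby
require 'cgi'
require 'uri'

# Added example: spotting $where-style Javascript injection attempts in web
# server access logs. The log lines below are constructed for this example
# (documentation addresses only) and mimic requests to the post's people.php.
SAMPLE_LOG = <<~'LOG'
  203.0.113.5 - - [05/Jun/2014:10:00:01 +0000] "GET /people.php?age=8 HTTP/1.1" 200 512
  203.0.113.5 - - [05/Jun/2014:10:00:02 +0000] "GET /people.php?age=8%7C%7Ctrue HTTP/1.1" 200 4096
  203.0.113.5 - - [05/Jun/2014:10:00:03 +0000] "GET /people.php?age=8%7C%7Cdb.getCollectionNames().length+%3D%3D+1 HTTP/1.1" 200 512
  203.0.113.5 - - [05/Jun/2014:10:00:04 +0000] "GET /people.php?age=8%7C%7Cdb.getCollectionNames()%5B0%5D%5B0%5D+%3D%3D+%27a%27 HTTP/1.1" 200 512
  198.51.100.7 - - [05/Jun/2014:10:00:05 +0000] "GET /people.php?age=42 HTTP/1.1" 200 512
  198.51.100.7 - - [05/Jun/2014:10:00:06 +0000] "GET /people.php?age=%27%3Breturn+true%3Bvar+foo%3D%27 HTTP/1.1" 200 4096
LOG

# Parameters the application is known to interpolate into Javascript.
WATCHED_PARAMS = %w[age].freeze

# Tokens that have no business inside a numeric parameter but are needed to
# turn "8" into a different Javascript expression.
INDICATORS = {
  'boolean_or'      => /\|\|/,
  'statement_break' => /;/,
  'js_return'       => /\breturn\b/,
  'db_object'       => /\bdb\./,
  'this_object'     => /\bthis\b/,
  'quote'           => /['"]/,
}.freeze

LINE_RE = /\A(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/

# Pull the client address and decoded query parameters out of one log line.
def parse_line(line)
  m = LINE_RE.match(line)
  return nil unless m
  query = URI.parse(m[2]).query
  params = query ? CGI.parse(query) : {}
  { ip: m[1], params: params }
end

# A legitimate age is a short run of digits; anything else is worth a look.
def plain_integer?(value)
  value.match?(/\A\d{1,3}\z/)
end

def indicators_for(value)
  INDICATORS.select { |_, re| value.match?(re) }.keys
end

# One finding per suspicious parameter value: who sent it, the decoded value,
# and which injection indicators it contains.
def analyze_log(text)
  text.each_line.each_with_object([]) do |line, findings|
    rec = parse_line(line.chomp)
    next unless rec
    WATCHED_PARAMS.each do |name|
      Array(rec[:params][name]).each do |value|
        next if plain_integer?(value)
        findings << { ip: rec[:ip], param: name, value: value, indicators: indicators_for(value) }
      end
    end
  end
end

# Boolean extraction is one request per question, so a single client piling up
# findings against the same parameter is the pattern to alert on.
def findings_by_ip(findings)
  findings.each_with_object(Hash.new(0)) { |f, acc| acc[f[:ip]] += 1 }
end

if __FILE__ == $0
  findings = analyze_log(SAMPLE_LOG)
  findings.each { |f| puts "#{f[:ip]} #{f[:param]}=#{f[:value].inspect} -> #{f[:indicators].join(',')}" }
  puts findings_by_ip(findings).inspect
end
```

The decoded value, not the raw URL, is what gets inspected, since CGI.parse undoes both percent-encoding and the '+' spacing that the module's payloads use. The indicator list deliberately matches the syntax variants shown in the module output above (quote breaks, ';return', the 'db' object), and the per-IP tally is the signal that distinguishes a single curious request from a byte-at-a-time enumeration.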

 

msf auxiliary(nosql_injection_collection_enum) > run
[*] Testing "'||this||'
[*] Testing "';return+true;var+foo='
[*] Testing '"||this||"
[*] Testing '";return+true;var+foo="
[*] Testing ||this
[*] Looks like ||this works
[*] 2 collections are available
[*] Length of collection 0's name is 9
[*] Collections 0's name is phpmanual
[*] Length of collection 1's name is 14
[*] Collections 1's name is systemindexes
[*] Auxiliary module execution completed
msf auxiliary(nosql_injection_collection_enum) >

 

As previously stated, this will only work on injections in versions of MongoDB prior to 2.4. This module was tested against 2.2.7. Version 2.4 removed the 'db' variable completely from the javascript context. My module was submitted as Pull Request 3430, landed in the main development branch of Metasploit last night, and will be available as part of the next Metasploit update. If you don't yet have Metasploit, might I suggest taking a few moments to download it? It's free, after all.

Meterpreter Updates

 

This week, we saw another slew of updates to Meterpreter to make your post-exploit experience all the more pleasant, and are pushing forward with some core release changes to hopefully make installing Metasploit a more sane, Ruby-like experience. Here's the rundown of what you'll see with this update, and what you can expect Real Soon Now.

Android Meterpreter

The long promised/threatened Android Meterpreter is now shipping, thanks largely to the heroic efforts of mihi, Anwar, and Tim, as well as testing support from the usual Metasploit suspects. It's been in the dev tree for a little while now, and is captured in the screenshot pictured at right. The Android Meterpreter is far more pleasant to use than the (rather hobbled) Linux shell I used to have to use to control compromised Android devices, so I'm pretty ecstatic about this.

 

Python Meterpreter

Metasploit community committer Spencer McIntyre banged out an updated Python Meterpreter compatible with Python 3.3 and 3.4, which greatly expands the usability of Python as a post-exploit environment. You can read about all the details in the now-closed PR #3411. As you may or may not know, Python is part of the Linux Standard Base, and is quite common to find on production systems, so this is a huge move forward.

 

Windows Meterpreter

Finally, everyone's favorite Meterpreter, the Windows Meterpreter, got a refresh in order to protect against the recent spate of OpenSSL vulnerabilities. Incidentally, Meterpreter for Windows also recently picked up new functionality in the form of the Kiwi extension, which is quite thrilling (see PR #3121 for details), as well as some new sandbox escape functionality useful for more recent Internet Explorer exploits (see Meterpreter PR #84). In other news, we are just about to start shipping Meterpreter binaries as a Ruby gem; this will make development life about a million times easier for Meterpreter developers, since it won't require a whole lot of inter-pull request coordination to ensure that the Meterpreter binaries are compiled against a particular commit -- instead, all developers will need to do is increment the version of meterpreter_bins in Metasploit's Gemfile. You should see that switchover land early next week, and hit the weekly update the week after that.

 

New Modules

Aside from the Meterpreter work, we have one new auxiliary module this week -- it's a nice one, though, since it's a handy demonstration of the recent OpenSSL memory corruption bug. It's only a DoS today, but there is active investigation into how to tease this into a proper RCE exploit. Race ya!

 

Auxiliary and post modules

 

In addition to this, we also have a new hidden TCP bind module from community contributor Borja Merino, which is pretty nifty. It's hidden in the sense that you supply the IP address you expect to connect to the shell from, and if a connection comes in from any other IP address, the bind shell replies with a RST packet, acting like a closed port. These kinds of networking tricks to obfuscate listening shells just warm my heart, so thanks Borja!

 

For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes (also last week's).

Metasploit 4.9.2 and earlier vulnerable to OpenSSL vulnerabilities

 

The OpenSSL team today published a security advisory containing several critical vulnerabilities. The Metasploit editions Metasploit Pro, Metasploit Express, Metasploit Community and Metasploit Framework in versions 4.9.2 or earlier are vulnerable to these OpenSSL vulnerabilities, most notably CVE-2014-0224 and CVE-2014-0221. CVE-2014-0224 is exploited by Man-in-the-Middle (MITM) attacks that reduce the encryption strength of an SSL connection and therefore potentially expose transmitted data. CVE-2014-0221 is most likely to be limited to crashing systems using OpenSSL and is therefore a lesser concern.

 

Rapid7 is currently working on a security update and will announce its availability in this blog post as soon as it becomes available. To get alerted when this blog post is updated, please click "Follow" and select the "Email Update" option; please ensure that your Security Street preferences are set so that Security Street messages are forwarded to your email inbox.

 

How can I protect myself until an update is available?

 

Until the update is available and has been applied, Metasploit users should:

  • Only access the Metasploit web interface from a non-vulnerable browser. For the MITM attack to be successful, both the server and the client have to be vulnerable. The browsers officially supported by Metasploit are all non-vulnerable (see System Requirements), making the MITM attack fail even if the server is vulnerable.
  • Refrain from opening sessions since the communication between Meterpreter and Metasploit uses OpenSSL encryption.

 

We are continuing to research the impact these vulnerabilities may have on users and the industry. Once an update is available and you have applied it, you should cycle Metasploit user passwords.

 

Which Metasploit components are affected?

 

The following Metasploit components are affected:

  • Nginx
  • Ruby & Rails
  • Nmap
  • Postgres
  • Meterpreter

 

Is the Metasploit team working on modules to exploit these vulnerabilities?

 

You bet. Unfortunately, Tod broke our time machine last week so we were unable to release our exploits at the same time as the vulnerability disclosure but we're doing our best to catch up. If you have successfully written a module addressing any of these vulnerabilities, please create a pull request. We also accept Dogecoin donations to contribute towards our deductible for the time machine insurance policy. We'll update this blog post as modules become available.

 

UPDATE: Metasploit 4.9.3 available, addresses OpenSSL vulnerabilities (Updated 6/6/14, 2pm EST)

 

Metasploit release 4.9.3 is now available, addressing these vulnerabilities. Release notes: Metasploit 4.9.3 (Update 2014060501)

 

Recommended update procedure:

 

  • Update Metasploit and its dependencies to a non-vulnerable version
    • If you installed Metasploit using the binary installer from Rapid7.com
      • Enter the Metasploit Web UI at https://<METASPLOIT_IP>:3790/
      • Go to the Administration menu and choose the Software Update option.
      • Follow the instructions on your screen to update the software to version 4.9.3 or higher.
    • If you are using the pre-installed Metasploit version on Kali Linux
      • NOTE: The dependencies nmap, Ruby on Rails, and Postgres are provided by Kali Linux and beyond our control. Please check the Kali Linux website for more info.
      • On the command line, run: apt-get update && apt-get dist-upgrade
      • Kali Linux synchronizes its repositories with Debian every 6 hours
      • Verify that Nginx, Ruby, nmap and Postgres have updated to non-vulnerable versions
    • If you have used GitHub to install Metasploit Framework
      • Update using msfupdate command.
      • Update your local dependencies of Ruby, nmap, and Postgres to non-vulnerable versions
  • Change all Metasploit Pro/Express/Community user passwords that may have been compromised

 

If you have questions on this topic, please post a comment under this blog post or open a new discussion topic. If you are a Rapid7 customer, please feel free to contact our technical support team or your account executive for assistance.

 

New Modules

 

Incidentally, Metasploit 4.9.3 also includes some new modules since the last release. We've been kind of up to our eyeballs with patching and researching vectors for the new OpenSSL issues, so here's a quick update of new material since the end of May.

 

Exploit modules

 

Auxiliary and post modules
