egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Sep 30, 2016

Extra Usability

Command-line tools in general are powerful, but come with a learning curve. When you've been using a tool for a long time, that curve becomes a status quo that embeds itself in your fingers. That isn't always a good thing, because it tends to make you blind to how things could be better, and it takes an effort of introspection to notice inefficiencies. Even then, you weigh those inefficiencies against the effort required to improve.

An example of that is msfconsole's route command, which gets a bit of a spruce-up this week. Instead of showing help output when given no arguments, it now shows the current routing table. In addition, it now supports using a session id of "-1" to indicate the most recent session, just like you can do for the SESSION option in post modules.

 

Extra Privilege Escalation

In the last few years, privilege escalation has become more important in the Windows world, but it has always been a staple on Unix operating systems. This update brings two privilege escalation modules, one for the Linux kernel and one for NetBSD's /usr/libexec/mail.local, for your rooting pleasure.

 

Extra Meta Metasploitation

As I mentioned in the last wrapup, we've landed @justinsteven's modules for attacking Metasploit from Metasploit. The first, metasploit_static_secret_key_base, exploits the way Rails cookies are serialized and the fact that an update would step on the randomly generated secret key with a static one. Check out the full details if you're interested in how that works.

The second, metasploit_webui_console_command_execution, isn't a vulnerability as such. Rather, it takes advantage of the fact that admin users can run msfconsole in the browser, and therefore run commands on the server. This is the sort of thing that can't be patched without removing the functionality altogether; it's literally a feature, not a bug. Authenticated administrators can do administrator things, as you might expect.

 

Extra Android Exploit

At Derbycon last week, long-time friend of the Metasploit family @jduck released his latest version of Stagefright, an exploit for Android's libstagefright. He demoed exploiting a Nexus device, but lots of other devices are vulnerable too. Due to the rampant fragmentation in the Android world, this year-old bug is probably going to keep showing up on new phones sitting on store shelves for quite a while yet.

 

Extra Bacon

And last but not least, this week brings a module for exploiting EXTRABACON, the Cisco ASA vulnerability made public by the Shadow Brokers leak a few weeks ago. The bug is a buffer overflow in SNMP object id strings. The module does exactly what the Equation Group exploit does: it disables authentication on the victim device and allows you to log in over SSH or Telnet with no password. This module was a collaboration between lots of folks and improves on the coverage in the original exploit, even adding targets for some 9.x devices that the advisory says are not affected.

This democratization of exploits through open source continues to show that being open and transparent leads to better exploits, more public knowledge, and better patches.

 

New Modules

Exploit modules (7 new)

Auxiliary and post modules (1 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate, and the full diff since the last blog post is available on GitHub: 4.12.25...4.12.28

To install fresh, check out the open-source-only Nightly Installers, or the binary installers, which also include the commercial editions.

A number of important security issues were resolved in Metasploit (Pro, Express, and Community editions) this week. Please update as soon as possible.

Issue 1: Localhost restriction bypass

    (affects versions 4.12.0-2016061501 through 4.12.0-2016083001)

On initial install, the Metasploit web interface displays a page for setting up an initial administrative user. After this initial user is configured, you can log in and use the Metasploit web UI for the first time. Since this initial screen is unauthenticated, it is meant to be accessible only to a local user (e.g. by hitting the localhost hostname or the loopback IP address 127.0.0.1).

Prior to the most current release, this access restriction on the initial setup page did not work properly in Metasploit 4.12.0 releases. Instead, on initial install, the page for setting up the initial administrative user was accessible from all addresses on the host running Metasploit. An attacker might be able to 'race' a fresh Metasploit installation and become the first to create an administrative user.

Mitigation:

For users who plan to use Metasploit with the web interface, it is important to isolate the machine from hostile networks until initial configuration is complete, or to be sure to use the latest Metasploit installer, in which this issue is resolved.

Thanks to Brandon Perry for discovering and reporting this issue.
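To make the intended restriction concrete, here is an added example (my code, not Metasploit's actual setup controller) of how a first-run setup gate can decide on the TCP peer address rather than on anything the client sends. The function names and the use of Ruby's IPAddr are my assumptions. Matching the Host header against "localhost" is not a substitute, because the client controls that header; only the socket's remote address is trustworthy here.

```ruby
# Added example (not Metasploit's setup controller): gate an unauthenticated
# first-run setup page on the TCP peer address, never on the Host header.
require 'ipaddr'

# Loopback ranges: IPv4 127.0.0.0/8, IPv6 ::1 and IPv4-mapped ::ffff:127.x.x.x,
# which is how a dual-stack listener may report an IPv4 loopback client.
LOOPBACK_RANGES = [
  IPAddr.new('127.0.0.0/8'),
  IPAddr.new('::1'),
  IPAddr.new('::ffff:127.0.0.0/104')
].freeze

# True only when the remote address (as seen on the socket) is loopback.
# Unparseable input such as a hostname is treated as not local.
def local_request?(remote_ip)
  addr = IPAddr.new(remote_ip.to_s)
  LOOPBACK_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# The setup page is reachable only while no administrator exists yet and the
# request comes from loopback; either condition failing closes the page.
def setup_allowed?(remote_ip, admin_exists)
  !admin_exists && local_request?(remote_ip)
end

if __FILE__ == $PROGRAM_NAME
  %w[127.0.0.1 ::1 ::ffff:127.0.0.1 10.0.0.5 localhost].each do |ip|
    puts "#{ip.ljust(18)} local=#{local_request?(ip)} setup=#{setup_allowed?(ip, false)}"
  end
end
```

Once the first administrator exists, setup_allowed? returns false for every address, which removes the race window the advisory describes even on a host that is reachable from a hostile network.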

Issue 2: Predictable session cookies

    (affects versions 4.12.0-2016061501 through 4.12.0-2016083001)

Metasploit uses a randomized secret key to protect session cookies from forgery. On installation, it generates a random secret key and stores it in a local configuration file.

As of Metasploit 4.12.0, the update packages inadvertently included a static version of this secret key file, which overwrote the randomly-generated one. The effect is that every Metasploit installation that applied such an update has the same hard-coded session secret, which makes session cookies forgeable and allows an unauthenticated user to perform remote code execution via a separate object deserialization bug (Issue 3 below).

Mitigation:

On startup, Metasploit now identifies 'bad' static secret keys that may be installed and, if one is found, regenerates the base secret key. If this fix is needed and a user is applying the latest update via the web UI, the UI may appear to hang during the update, though it will complete successfully in the background. In this case, simply refresh the web UI after 10-20 minutes. If it loads a login screen, the update applied successfully.

Users who updated from 4.11.0 or earlier builds are not affected, but are still encouraged to update.

Thanks to Justin Steven for discovering and reporting this issue.
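The startup check described here can be modelled in a few lines of Ruby. The following is an added example, not Metasploit's own startup code: it hashes the stored secret, compares it against a list of known-bad digests (a constructed placeholder; the real static key is not on the page), regenerates the key when it matches, and shows that a cookie signed under the replaced key no longer verifies. The file path, the function names and the HMAC cookie format are my assumptions and do not reproduce Rails' exact cookie encoding.

```ruby
# Added example, not Metasploit's own startup code: regenerate a secret key
# that matches a known-bad static value, and show the effect on cookies.
require 'digest'
require 'json'
require 'openssl'
require 'securerandom'
require 'tmpdir'

# Constructed placeholder: digests of secrets known to have shipped in an
# update package. The real values are not on the page.
STATIC_KEY_PLACEHOLDER = 'PLACEHOLDER-static-key-shipped-in-update'.freeze
KNOWN_BAD_KEY_DIGESTS = [Digest::SHA256.hexdigest(STATIC_KEY_PLACEHOLDER)].freeze

def bad_secret?(secret)
  KNOWN_BAD_KEY_DIGESTS.include?(Digest::SHA256.hexdigest(secret))
end

# Startup check: keep the stored secret unless it is missing, empty or on the
# bad list; otherwise write a fresh random one with owner-only permissions.
def load_or_regenerate_secret(path)
  stored = File.exist?(path) ? File.read(path).strip : ''
  return stored unless stored.empty? || bad_secret?(stored)
  fresh = SecureRandom.hex(64)
  File.write(path, fresh, perm: 0o600)
  fresh
end

# Minimal signed-cookie format (an assumption, not Rails' exact encoding):
# base64(JSON payload) followed by "--" and an HMAC-SHA256 over the payload.
def sign_cookie(secret, session)
  payload = [JSON.generate(session)].pack('m0')           # strict base64, no newlines
  "#{payload}--#{OpenSSL::HMAC.hexdigest('SHA256', secret, payload)}"
end

# Constant-time string comparison so signature checks do not leak timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash for a validly signed cookie, nil for anything else.
def verify_cookie(secret, cookie)
  payload, sig = cookie.to_s.split('--', 2)
  return nil if payload.nil? || sig.nil?
  return nil unless secure_equal?(sig, OpenSSL::HMAC.hexdigest('SHA256', secret, payload))
  JSON.parse(payload.unpack1('m0'))                       # ArgumentError on bad base64
rescue ArgumentError, JSON::ParserError
  nil
end

# Walk-through: a static key left behind by an update, a cookie minted under
# it, then the startup regeneration. Returns what changed.
def demo_regeneration(dir)
  path = File.join(dir, 'secret_key_base')
  File.write(path, STATIC_KEY_PLACEHOLDER)               # state after a bad update
  forged = sign_cookie(STATIC_KEY_PLACEHOLDER, 'user_id' => 1)
  secret = load_or_regenerate_secret(path)               # the startup fix
  {
    regenerated: secret != STATIC_KEY_PLACEHOLDER,
    old_cookie_valid: !verify_cookie(secret, forged).nil?,
    new_cookie_valid: !verify_cookie(secret, sign_cookie(secret, 'user_id' => 1)).nil?
  }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir { |d| p demo_regeneration(d) }
end
```

Regenerating the key invalidates every existing session at once, which is why the advisory warns that the web UI may appear to hang during the update: the session the user was holding is no longer valid, and a fresh login is required.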

Issue 3: `config.action_dispatch.cookies_serializer` is set to `:hybrid`

    (affects versions 4.12.0-2016061501 through 4.12.0-2016083001)

Metasploit versions 4.11.x and earlier use the default 'marshal' cookie serializer, which is vulnerable to remote object instantiation / remote code injection by any user who is able to generate a validly signed session cookie.

Mitigation:

The Metasploit 4.12.0 point release switched to the 'hybrid' serializer, which gives users an upgrade path to the safer 'json' serializer. The latest release switches entirely to the 'json' cookie serialization method.

Thanks to Justin Steven for discovering and reporting this issue.
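The difference between the three serializer settings is easiest to see in code. This is an added example, not Rails' own cookie serializer and not Metasploit code: a minimal CookieSerializer that models :marshal, :hybrid and :json, plus a helper that lists which Ruby classes a loaded cookie contains. The Preference struct and the cookie payload are constructed for the walk-through.

```ruby
# Added example (not Rails' or Metasploit's code): a minimal model of the
# :marshal, :hybrid and :json cookie serializer settings discussed above.
require 'json'

# A benign application class standing in for any object a cookie might carry.
Preference = Struct.new(:theme)

class CookieSerializer
  MODES = %i[marshal hybrid json].freeze

  def initialize(mode)
    raise ArgumentError, "unknown serializer #{mode.inspect}" unless MODES.include?(mode)
    @mode = mode
  end

  # What the server writes into a new cookie. :hybrid already writes JSON,
  # so every cookie issued after the switch is safe to read with :json.
  def dump(value)
    @mode == :marshal ? Marshal.dump(value) : JSON.generate(value)
  end

  # What the server reconstructs from an incoming (already signature-checked)
  # cookie. Marshal rebuilds whatever classes the bytes name; JSON cannot.
  def load(data)
    case @mode
    when :marshal then Marshal.load(data)
    when :json    then JSON.parse(data)
    when :hybrid  then hybrid_load(data)
    end
  end

  private

  # Transition step: legacy Marshal cookies still load, so the exposure only
  # ends once the application moves to :json and old sessions have expired.
  def hybrid_load(data)
    JSON.parse(data)
  rescue JSON::ParserError, EncodingError
    Marshal.load(data)
  end
end

# Lists the Ruby classes a loaded value contains, recursively.
def classes_in(value)
  case value
  when Hash  then value.flat_map { |k, v| classes_in(k) + classes_in(v) }.uniq
  when Array then value.flat_map { |v| classes_in(v) }.uniq
  else [value.class]
  end
end

# Walk-through with a constructed legacy (Marshal) cookie payload.
def demo
  legacy_cookie = CookieSerializer.new(:marshal).dump('user_id' => 7, 'pref' => Preference.new('dark'))
  json_only_rejects = begin
    CookieSerializer.new(:json).load(legacy_cookie)
    false
  rescue JSON::ParserError, EncodingError
    true
  end
  {
    marshal_yields:      classes_in(CookieSerializer.new(:marshal).load(legacy_cookie)),
    hybrid_reads_legacy: classes_in(CookieSerializer.new(:hybrid).load(legacy_cookie)),
    hybrid_writes:       CookieSerializer.new(:hybrid).dump('user_id' => 7),
    json_rejects_legacy: json_only_rejects
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The point the advisory makes is visible in the result: with :marshal (and with :hybrid reading an old cookie) the server instantiates an application class chosen by whoever produced the cookie bytes, while :json can only ever yield strings, numbers, arrays and hashes, so a forged-but-valid signature buys an attacker data, not objects.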

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Sep 16, 2016

Security is hard

I usually focus exclusively on the Metasploit Framework here on these wrapups, but this week is a little special. This week the Metasploit commercial products (Pro, Express, and Community) come with a fix for a couple of vulnerabilities. You heard that right: remotely exploitable vulns in Metasploit. Our lovely engineering manager, Brent Cook, helpfully wrote up the details yesterday.

TL;DR: three bugs, two of which work together. 1) The filter restricting the creation of the first admin account to localhost was broken. As has always been the case, having an admin account on Metasploit lets you run commands on the server. 2) The randomly generated session key got stepped on by a static one whenever updates were applied, so the same key was used for every Metasploit installation. And 3) session cookies are serialized Ruby, so that's code exec, too.

Security is hard, and even experts like us screw it up sometimes. But in true Metasploit fashion, we're not content to just patch the vuln. There is currently a Pull Request in review that will get you shells on Metasploit if you know credentials. Since it's Authenticated Code Execution by Design, it will work even without this vulnerability as long as you can steal a username and password. Expect that to land soon and be in the next wrapup. And while you're waiting, go double-check to make sure you did the initial account setup on your Metasploit installs.

 

Download improvements

It's a bit of a hassle if a download gets interrupted, especially if the file is large. Thanks to first-time contributor cayee, you can now continue an interrupted download with Meterpreter's new download -c.

 

Module documentation

We've been pumping out better documentation for individual modules for a few months now, since the introduction of info -d, which gives you nice, pretty Markdown.

If you've wanted to contribute but didn't know what to work on, this is a great place to get started. Check out the Module Documentation milestone for a list of the modules we think are the highest priority. GitHub won't let you assign a ticket to someone who isn't part of the Metasploit organization, so leave a comment on one of those issues to claim it so others don't duplicate your work.

 

New Modules

Exploit modules (1 new)

Auxiliary and post modules (4 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate, and the full diff since the last blog post is available on GitHub: 4.12.22...4.12.25

To install fresh, check out the open-source-only Nightly Installers, or the binary installers, which also include the commercial editions.

egypt

Weekly Metasploit Wrapup

Posted by egypt Employee Sep 2, 2016

PHP Shells Rising from the Flames

Phoenix Exploit Kit is your standard run-of-the-mill crimeware system, written in PHP, whose creator apparently got popped by the FSB earlier this year. Like many exploit kits, it has a back door, this one allowing you to eval whatever PHP code you like by sending it in a GET parameter (subtly named 'bdr'). Of course, running arbitrary PHP gives us control of the underlying operating system to varying degrees, depending on configuration.

I love the idea of popping shells in malware. We've been doing it for a while, since way back in the day with exploit/windows/ftp/sasser_ftpd_port, an exploit for the FTP server run on compromised machines by the Sasser worm, and I was delighted to discover that I'm not the only one who finds exploits for malware to be hilarious.

MalSploitBase is a database of exploits for known vulns in evil things just like these. Even better, its code is available on GitHub (https://github.com/misterch0c/malSploitBase) and the author encourages pull requests.
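From the detection side, a back door that takes its code in a fixed query parameter is easy to spot in web logs. The following is an added example (my code, not part of the wrapup or of any Metasploit module): a small Ruby scanner that flags requests carrying a 'bdr' query parameter in common-log-format access logs. The log lines and the parameter value are constructed, and nothing here assumes the real encoding Phoenix expects for that value.

```ruby
# Added example (not part of the wrapup or of any Metasploit module): flag
# requests carrying a given query parameter in common-log-format web logs.
require 'uri'

# Constructed sample log lines; the 'bdr' value is a made-up illustration,
# not the real encoding the Phoenix back door expects.
SAMPLE_LOG = <<~LOG
  203.0.113.5 - - [02/Sep/2016:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
  203.0.113.9 - - [02/Sep/2016:10:00:02 +0000] "GET /stats.php?bdr=echo+1%3B HTTP/1.1" 200 88
  198.51.100.7 - - [02/Sep/2016:10:00:03 +0000] "GET /img/logo.png?v=3 HTTP/1.1" 304 0
  203.0.113.9 - - [02/Sep/2016:10:00:04 +0000] "POST /stats.php HTTP/1.1" 200 41
LOG

# Common log format: client, identd, user, [timestamp], "METHOD target proto", status, size.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+)[^"]*" (?<status>\d{3})/

# Returns one record per request whose query string contains +param+.
# Malformed lines and unparseable targets are skipped rather than raising.
def flag_backdoor_requests(log_text, param: 'bdr')
  log_text.each_line.filter_map do |line|
    m = LOG_RE.match(line)
    next unless m
    begin
      target = URI.parse(m[:target])
      next if target.query.nil?
      # decode_www_form turns "echo+1%3B" back into "echo 1;"
      values = URI.decode_www_form(target.query).select { |k, _| k == param }.map(&:last)
    rescue URI::InvalidURIError, ArgumentError
      next
    end
    next if values.empty?
    { ip: m[:ip], time: m[:ts], method: m[:method], path: target.path,
      status: m[:status].to_i, payload: values.first }
  end
end

if __FILE__ == $PROGRAM_NAME
  flag_backdoor_requests(SAMPLE_LOG).each { |hit| puts hit.inspect }
end
```

The parameter name is an argument so the same scanner can be pointed at other single-parameter back doors; the decoded payload is returned as data, never evaluated.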

 

How come you never call anymore?

If you create child processes from your Meterpreter session, you often want to keep track of them and make sure they're not staying out too late or getting caught up with the wrong crowd. A new option to Meterpreter's ps command makes that a little easier, giving you a nice printout of all the children of your current process.

 

Other Post stuff

A few fun new modules from up-and-coming contributor h00die make persistence on Linux a bit easier in the latest release. One of the big advantages of having modules for doing persistence instead of dropping files manually is the ability to automate it. For example, putting post/linux/manage/sshkey_persistence in your AutoRunScript option for an exploit lets you automatically establish a way back in without having to think about it in the crucial first few minutes of having a shell.

And finally, for an exciting exfiltration extravaganza, post/multi/manage/zip gives you a platform-agnostic way of zipping up a directory for simplified pilfering.

 

New Modules

Exploit modules (5 new)

Auxiliary and post modules (3 new)

Get it

As always, you can update to the latest Metasploit Framework with a simple msfupdate, and the full diff since the last blog post is available on GitHub: 4.12.19...4.12.22

To install fresh, check out the open-source-only Nightly Installers, or the binary installers, which also include the commercial editions.
