Browser Exploit Server

This release includes the much vaunted and anticipated BrowserExploitServer (BES) mixin, the brainchild of Metasploit exploit developer Wei @_sinn3r Chen. Metasploit, at its core, is designed to be both an exploit delivery system and exploit development system, so this new mixin should help tremendously with the latter. BES, in a nutshell, saves you, the exploit developer, a ton of time when it comes to common chores like operating system identification, browser identification, and plugin detection. It also adds some best-effort client vulnerability detection before firing off the exploit, which is handy if you need to keep your super-secret 0-day still super-secret.

 

There's a few other niceties in there as well, but I don't want to completely spoil the surprise. Sinn3r has written up some comprehensive documentation on using BrowserExploitServer as well as a bunch of refreshed hints on using HttpServer (which may or may not be an exploit). Note that it's on the module writer to decide which one is the right one to use; there are times where you may not want or need all the browser-y things that BES provides.

 


IPMI Exploiter's Diary

This week also sees the release of a proper exploit for one of the recently disclosed IPMI vulnerabilities. When the process of developing a reliable exploit has some particularly novel aspect, Metasploit exploit developer Juan Vazquez has a habit of churning out some really fascinating notes on the process. If you haven't already, check out his blog post, Exploiting the Supermicro Onboard IPMI Controller. It's a pretty detailed look at the process he and discoverer HD Moore went through to get reliable code execution on these buggers, so if you're interested in that sort of thing, or especially if you're stuck on something similar, posts like that one can really help you out.

 

KiTrap0D, Modularized

Finally, the other exploit module this week is, in fact, the first from Meterpreter grandmaster OJ TheColonial Reeves. While cleaning up Meterpreter, he noticed that the KiTrap0D implementation on Meterpreter's 'getsystem' function could be a little flakey. By default, Meterpreter supports a number of methods for privilege escalation to SYSTEM privileges, and attempts each one of them in order until one succeeds or they have all failed. While KiTrap0D is a fine strategy for this, it did occasionally crash the Meterpreter getsystem function, or worse, BSOD the box. Needless to say, the getsystem call shouldn't result in this kind of behavior and so the decision was made to change getsystem so that it doesn't make use of exploits like this. As a result, KiTrap0D was removed from getsystem, and turned around into a regular local exploit module.

 

New Modules

Including the two exploit modules mentioned above, we have seven new modules this week. And yes, that's a compressed file memory bomb DoS module. No, it's not from 1988.

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Last week @hdmoore published the details of several vulnerabilities in the Supermicro IPMI firmware. With the advisory's release, several modules landed in Metasploit to check Supermicro devices against several of the published vulnerabilities:

 

| Module | Purpose |
| --- | --- |
| smt_ipmi_static_cert_scanner | This module can be used to check for devices using a static SSL certificate shipped with Supermicro Onboard IPMI controllers (CVE-2013-3619). |
| smt_ipmi_url_redirect_traversal | This module can be used to abuse a directory traversal in the url_redirect.cgi component and download files with root privileges. Authenticated access to the web interface is required. |
| smt_ipmi_cgi_scanner | This module can be used to remotely check if a device is vulnerable to two unauthenticated remote buffer overflows, in the login.cgi (CVE-2013-3621) and close_window.cgi (CVE-2013-3623) components, respectively. |

 

Just a day after the advisory's release we were able to finish a functional exploit for one of the unauthenticated overflows (CVE-2013-3623), which gives root access to the device through the close_window.cgi component of the web interface.

 

This exploit development was quite interesting because all we had was restricted remote access to a real Supermicro device running the SMT_X9_214 firmware and, of course, emulation. While emulation is a great resource for finding vulnerabilities and developing proofs of concept, it often isn't enough to ensure a working exploit against real hardware. In this blog we would like to share a couple of funny tricks we used to finish the real-world exploit. Hope you enjoy!

 

Traversal to the rescue

 

The first requirement for deploying a working exploit against a real device is to know which common memory protections (NX, ASLR) apply. To get this information we used the directory traversal vulnerability in url_redirect.cgi. Since the vulnerability allows access to arbitrary files with root privileges, even with restricted web access, it was perfect for collecting environment information. The trick was to use the directory traversal to read "/proc/self/maps". Although the maps returned are those of url_redirect.cgi itself, they are good enough to check the memory protections applied to the CGI processes. We were already aware of the lack of ASLR for the main executable and libraries, thanks to @hdmoore's previous experience with the UPnP exploit, and from the maps we also discovered that the stack and heap are executable:

 

00012000-00033000 rwxp 00012000 00:00 0          [heap]

bee78000-bee8d000 rwxp bee78000 00:00 0          [stack]

 

This information was highly valuable for designing the exploit for the close_window.cgi overflow, where the space and badchar limitations would otherwise make a "return into libc-system" approach really hard!
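A hardening check built on the maps output above, as an added example that is not part of the original post: it parses /proc/<pid>/maps text, reports regions that violate W^X, and lists mappings whose base address is identical in two snapshots (a sign that ASLR is not applied to them). Only the [heap] and [stack] lines of SNAPSHOT_A come from the post; the first line of SNAPSHOT_A, all of SNAPSHOT_B, and the path /web/cgi/example.cgi are constructed sample data.

```python
import re
from dataclasses import dataclass

# Fields of one /proc/<pid>/maps line:
#   start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([r-][w-][x-][ps])\s+"
    r"([0-9a-f]+)\s+(\S+)\s+(\d+)\s*(.*)$",
    re.IGNORECASE,
)

# First line is constructed; the [heap] and [stack] lines are quoted from the post.
SNAPSHOT_A = """\
00008000-00011000 r-xp 00000000 1f:04 57         /web/cgi/example.cgi
00012000-00033000 rwxp 00012000 00:00 0          [heap]
bee78000-bee8d000 rwxp bee78000 00:00 0          [stack]
"""

# Entirely constructed second snapshot, used only to exercise the comparison.
SNAPSHOT_B = """\
00008000-00011000 r-xp 00000000 1f:04 57         /web/cgi/example.cgi
00012000-00035000 rwxp 00012000 00:00 0          [heap]
bea10000-bea25000 rw-p bea10000 00:00 0          [stack]
"""


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    name: str  # pathname or pseudo-name such as [heap]; "" if anonymous

    @property
    def wx(self) -> bool:
        """True when the region is both writable and executable."""
        return "w" in self.perms and "x" in self.perms


def parse_maps(text):
    """Parse maps text into Region objects; blank lines are skipped."""
    regions = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: not a maps entry: {line!r}")
        start, end = int(m.group(1), 16), int(m.group(2), 16)
        if end <= start:
            raise ValueError(f"line {lineno}: empty or inverted range")
        regions.append(Region(start, end, m.group(3), m.group(7).strip()))
    return regions


def audit(text):
    """Summarise W^X violations in one maps snapshot."""
    regions = parse_maps(text)
    wx = [r for r in regions if r.wx]
    return {
        "wx_regions": [r.name or f"anon@{r.start:08x}" for r in wx],
        "wx_bytes": sum(r.end - r.start for r in wx),
        "exec_stack": any(r.name == "[stack]" and "x" in r.perms for r in regions),
        "exec_heap": any(r.name == "[heap]" and "x" in r.perms for r in regions),
    }


def fixed_bases(text_a, text_b):
    """Named mappings whose lowest base address is equal in both snapshots.

    The snapshots must come from two separate process launches; a name
    listed here was not relocated between them.
    """
    def bases(text):
        out = {}
        for r in parse_maps(text):
            if r.name:
                out[r.name] = min(r.start, out.get(r.name, r.start))
        return out

    a, b = bases(text_a), bases(text_b)
    return sorted(name for name in a.keys() & b.keys() if a[name] == b[name])


if __name__ == "__main__":
    print(audit(SNAPSHOT_A))
    print(fixed_bases(SNAPSHOT_A, SNAPSHOT_B))
```

On a build with NX enforced and a non-executable stack, `wx_regions` is empty and `exec_stack` is false; any other result in a firmware image is a finding to raise with the vendor.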

 

Details matter

 

With the information above, and the help of qemu, a first version of the exploit could be developed. Still not accurate enough to get real live shells! Indeed, when exploiting, details and the environment are important things to take into account, and the directory traversal vulnerability, powerful as it is, was not enough to get a session. To finish the exploit in a reasonable time, collecting debug information about the process on the real device became a requirement.

 

Having restricted shell access to the real Supermicro device, it was time to check what could be done with it:

 

ATEN SMASH-CLP System Management Shell, version 1.04
Copyright (c) 2008-2009 by ATEN International CO., Ltd.
All Rights Reserved

-> help
/

  The managed element is the root

  Verbs :
  cd
  show
  help
  version
  exit

->









 

SSH access provides a restricted SMASH System Management Shell, which isn't very useful for environment inspection or exploit debugging. Although neither the command-line help nor the SMASH specification from the DMTF is very encouraging, we had access to the firmware and the ATEN SMASH binaries. Fortunately, after digging around in them a little, something interesting was found. While following the code responsible for handling the command line, close to the parsing of pipe ("|") and semicolon (";") characters, the parsing of the following keywords is found:

 

[Figure: shell_command.png]

Especially interesting is the reserved word "shell", so time for a new test:

 

-> shell test
Change shell to test
changing shell fails.: No such file or directory

->









 

Interesting! So it looks like a shell command does indeed exist. A little more static analysis reveals that the shell command not only exists, but should easily allow arbitrary command execution:

 

[Figure: shell_exec.png]

Time to test:

 

-> shell ls
Change shell to ls
SFCB        bin        dropbear    lib        lost+found  proc        sys        usr        web
SMASH      dev        etc        linuxrc    nv          sbin        tmp        var        wsman

->









 

Looks good, one more test...

 

-> shell sh
Change shell to sh
# uname -a
Linux (none) 2.6.17.WB_WPCM450.1.3 #5 Wed Apr 24 10:53:55 PDT 2013 armv5tejl unknown
#









 

And a root shell opens in front of us! (The SMT_X9_315 firmware fixes the "shell sh" escape.) With a root shell available, to finish development of the exploit we chose to configure core dumps to be generated in the /tmp folder, which is mounted rw and has enough space available:

 

# mount
rootfs on / type rootfs (rw)
/dev/root on / type cramfs (ro)
proc on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /tmp type tmpfs (rw)
devpts on /dev/pts type devpts (rw)
/dev/mtdblock1 on /nv type jffs2 (rw)
none on /tmp type tmpfs (rw)
/dev/mtdblock4 on /web type cramfs (ro)
# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                  20.0M    20.0M        0 100% /
/dev/root                20.0M    20.0M        0 100% /
none                    36.0M      1.1M    34.9M  3% /tmp
/dev/mtdblock1            1.3M    320.0k    960.0k  25% /nv
none                    36.0M      1.1M    34.9M  3% /tmp
/dev/mtdblock4            3.9M      3.9M        0 100% /web








 

To extract the core dumps we used openssl s_server and the legit web server certificate to set up a fake HTTP server, allowing external access to the /tmp directory contents. Several core dumps later we were able to make the exploit work smoothly on the real device:


msf exploit(smt_ipmi_close_window_bof) > show options

Module options (exploit/linux/http/smt_ipmi_close_window_bof):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        Use a proxy chain
   RHOST                     yes       The target address
   RPORT                     yes       The target port
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/generic):

   Name  Current Setting                        Required  Description
   ----  ---------------                        --------  -----------
   CMD   echo metasploit > /tmp/metasploit.txt  yes       The command string to execute


Exploit target:

   Id  Name
   --  ----
   0   Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214


msf exploit(smt_ipmi_close_window_bof) > rexploit
[*] Reloading module...

[*] - Sending exploit...
[*] Exploit completed, but no session was created.

 

Checking the proof of success on the Supermicro device:

 

ATEN SMASH-CLP System Management Shell, version 1.04
Copyright (c) 2008-2009 by ATEN International CO., Ltd.
All Rights Reserved


-> shell sh
Change shell to sh
# cd /tmp
# pwd
/tmp
# cat metasploit.txt
metasploit








 

Definitely, if you are using a Supermicro motherboard, you should review the information and updates in the Supermicro IPMI Firmware Vulnerabilities article, and apply the vendor's updates if necessary.

 

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.

By guest blogger and Rapid7 customer David Henning, Director Network Security, Hughes Network Systems

 

A few weeks ago, Rapid7 asked me to participate in the Metasploit Tech Preview for 2013. I’ve participated in a couple of other product previews in the past. I like the interaction with the Rapid7 development teams. This tech preview was smooth and it was easy to participate. Previous testing sessions required interactions over e-mail and there was some associated lag. This preview was managed via the Rapid7 community site which helped it run much more smoothly.

 

So now I’ve been asked to give my impressions of the latest Metasploit 4.8. My team and I have been kicking it around for a little over a week now. What’s new? Well, there are five main improvements to the tool; user interface, reporting, passive network discovery, vulnerability validation, and the validation wizard. Of these, we were asked to test two, the user interface of the single host screen and the vulnerability validation wizard.

 

My take on the latest Metasploit Pro? The UI is nice. It has a clean modern look you would expect in this age of sleek phones and tablets. The quick start wizards allowed me to get going quickly, but I still had the ability to walk through a new project step-by-step, if I chose. The new tabs in the single host view include summary numbers. For example, a host with three services will have the number 3 circled on the Services tab just like the mail app on my phone tells me how many messages I’ve got.

 

The big feature, though, is the Vulnerability Validation Wizard. In just a few clicks, you can use the wizard to connect from Metasploit into the Nexpose scanner product, download the recent scan data, and automatically launch tests to validate if the vulnerability can be exploited by Metasploit. This gives one the ability to prioritize vulnerabilities that need to be fixed now because they are easily exploited vs. vulnerabilities that are not easy or even are completely false positives. Once the vulnerabilities are validated or proven un-exploitable by Metasploit, the new wizard will continue the workflow and the findings are pushed back into the Nexpose console.

 

Collectively, I’m pleased with the new improvements to Metasploit Pro. The vulnerability validation and two-way communication with the related Nexpose scan tool is something I know I’ve asked for and suspect many other customers had as well. It saves me and my team considerable time compared to manually entering false positives or sending reports on valid vulnerabilities to our systems groups for remediation. Definitely looking forward to upgrading our production system when this is released.

Not having visibility can be dangerous in many situations. The new Metasploit 4.8 gives you better visibility in four key areas:

  • View phishing exposure in the context of the overall user risk
  • See which vulnerabilities pose the biggest risk to your organization
  • Have all host information at your fingertips when doing a pentest
  • Discover the latest risks on your network with new exploits and other modules

 

See Phishing Exposure as One Factor of User Risk


Users are often a weak part of the security chain, exposing organizations to attacks. This has led to a change in attacker methodology from brute force system-based attacks to deception-oriented attacks. Phishing especially has seen a rise in recent years. Many organizations already conduct end-user trainings but find it challenging to determine how vulnerable their users really are and which users pose the largest risk.

 


Rapid7 Metasploit Pro measures the effectiveness of security awareness trainings by running simulated phishing campaigns and integrates with Rapid7 UserInsight to provide this information in the context of a more comprehensive user risk, including network access, cloud service usage, and compromised credentials.

 

What’s new – the details:

  • UserInsight can now pull phishing information through Metasploit Pro’s Remote API
  • UserInsight provides an overview of the current status of each user and incorporates the phishing risk into the overall user risk
  • Security professionals can see user awareness trending over time

 

Here is how this helps you:

  • Clear picture of user risks: Security analysts get a quick and clear picture of a user’s accounts, network activity, cloud services, mobile devices, and now phishing in one place, unifying information normally scattered across systems.
  • More effective security program: Tracking the effectiveness of security awareness trainings means you can adapt them to become more effective over time.

 

Metasploit Pro is the only phishing simulation solution that integrates with a solution to provide insight into user activity and risk. Unlike alternative penetration testing solutions, Metasploit Pro’s social engineering reports provide conversion rates at each step in the campaign funnel, such as how many people clicked through a phishing email, how many entered username and password on a fake website, and how many systems were compromised. Only Metasploit provides advice on how to address risk at each step in the social engineering funnel.

 

While some phishing simulation services can only measure user awareness, Metasploit Pro can also measure the effectiveness of technical controls. If desired, phishing web pages or email attachments can contain exploits that test patch levels, security configurations, and network-based defenses.

 

Simulated phishing campaigns are exclusive to Metasploit Pro users.

 

See which vulnerabilities pose the biggest risk to your organization

 

Vulnerability scanners can determine installed software and its vulnerabilities but not whether it poses a real risk in the context of your network. This is dangerous and wasteful because IT teams need to fix all vulnerabilities with equal priority.

 

Vulnerability validation helps you to determine if a vulnerability poses a high risk to your environment. It focuses on vulnerabilities with known public exploits that provide an easy way into your network - even for less experienced attackers.

Metasploit Pro simplifies and expedites vulnerability validation. It provides a unified, guided interface, called the Vulnerability Validation Wizard, that walks you through each step of the vulnerability validation process - from importing Nexpose data to auto-exploiting vulnerabilities to sending the validation results back to Nexpose. You can even define exceptions for vulnerabilities that were not successfully exploited.

Nexpose and Metasploit Pro seamlessly integrate to streamline the vulnerability validation workflow. It creates a closed-loop security risk assessment solution so that you can find potential vulnerabilities, exploit them, and identify the security flaws that pose a real threat to a network.

 

After vulnerabilities have been validated, the results are returned to Nexpose, where exploitability of a vulnerability can be used to create reports and prioritize vulnerabilities for remediation.

 


What’s new – the details:

  • Metasploit added a vulnerability validation wizard, greatly simplifying the vulnerability validation process.
  • Exploited vulnerabilities are now marked in Nexpose with a special icon.
  • Nexpose users can create a dynamic asset group containing validated vulnerabilities, making it easy to see how many machines fall into that group and enabling reporting and trending.
  • Nexpose users can now filter by exploited vulnerabilities and create top remediations reports that provide clear instructions for the IT teams.
  • Vulnerabilities discovered by Metasploit that were not part of the original Nexpose import are marked with a green “New” flag.
  • Clear status next to each vulnerability in Metasploit on whether the vulnerability could be exploited.
  • Faster and more robust import of vulnerability scans from Nexpose and third-party scanners

 

Here is how this helps you:

  • Reduced cost: Focusing on prioritized, high-risk vulnerabilities reduces the workload of the remediation team.
  • Higher security assurance: Knowing which vulnerabilities pose a high risk and addressing them first reduces the likelihood that an attacker can get in.
  • Higher credibility: Provide proof of exploitability to application owners to elevate the remediation discussion to an objective level

 


 

Only Rapid7 offers closed-loop vulnerability validation, returning information about successful validations and vulnerability exceptions into the vulnerability management solution for easy remediation, reporting, and trending.

 

Unlike other solutions that require a manual XML export and import of vulnerability data, Metasploit Pro can pull existing scan data directly from Nexpose through a supported API.

 

Closed-loop vulnerability validation is exclusive to Metasploit Pro users.

 

If you're interested to hear more about vulnerability validation and see a live demo, join our free webcast "Don’t Trust, Validate! How to Determine the Real Risk of Your Vulnerabilities."

 

Have all host information at your fingertips when doing a pentest

 

While penetration testers are used to bending technology to suit their needs, solving difficult tasks is not an end in itself. Especially in large penetration tests, it can be challenging to manage a lot of data efficiently and without losing the overview. These difficulties can quickly cause longer work hours and overdue projects.



Metasploit Pro makes it easier to carry out standard tasks and to manage the vast amount of information collected during a penetration test. This directly translates into time savings and a reduced training need for new staff. For example, Metasploit Pro manages data by tracking active projects, importing results from other sources, and now allowing manual input.

 

What’s new – the details:

  • Overhauled usability of the single host view, the most used screen in Metasploit Pro, to provide all important data at a glance.
  • New screen includes counts/stats for services, vulnerabilities, notes, credentials, captured data, file shares, exploit attempts, and matched modules.
  • Pentesters can now manually add services, vulnerabilities, credentials, and captured data files they have discovered outside of Metasploit.

 

Here is how this helps you:

  • Reduced cost: Better usability means shorter project times, lower cost, and reduced training needs for new staff

 

Metasploit Pro makes it much easier than Metasploit Framework to handle large penetration tests and bring new staff on board.


The new single host view is available in Metasploit Community, Metasploit Express, and Metasploit Pro.

 

128 New Modules in Metasploit 4.8.0: Routers, HP Enterprise Software, and Awesome Payloads

 

First off, we have 128 new modules since 4.7's release back in July (and you get bonus secgeek points if that count makes you a little nervous). That comes in at just about one and a half new modules a day, every day, since July 15. These modules are all over the place, since most of them come in unannounced to be cleaned up and put to work like so many Dickensian orphans. However, some themes did shake out with what we pursued in exploit-land for this release.

 

We have eight new modules targeting SOHO routers and access points, from Michael Messner, Craig Heffner, Brandon Perry, and Juan Vazquez. SOHO router hacking has been a focus for Metasploit for about a year now, and we're still championing the idea that if you have work-from-home employees, or even high-priority targets like the CFO's laptop, SOHO routers like these should be in scope for your engagement. It's a discussion worth having, and the availability of Metasploit modules can help a penetration tester make his case.

 

There are 24 new modules that exploit ZDI-disclosed vulnerabilities, 20 of which saw a bunch of work from Juan Vazquez, who I swear doesn't have it in for HP. It just so happens that over half of these ZDI vulns are targeting HP enterprise server software, including StorageWorks, LoadRunner, IMC, and Procurve Manager. ZDI bugs are great targets for exploit developers, because they represent popular software that you're likely to find in the enterprise, so penetration testers get a lot of mileage out of these.

 

This release was unique among most in that there are some really neat new payloads; we now have new shell bind and reverse shell payloads in Lua and Node.js from xistence and Joe Vennix, respectively. These go along with our usual bash, VBS, Perl, Python, and assorted other language shells. If your client's IDS/IPS/AV vendor isn't paying attention, these new shell spawners might slip past their tried-and-true defenses. That said, I have to say that the most exciting new payload is a Python implementation of Meterpreter from Spencer McIntyre. This brings more Meterpreter functionality to pretty much any standard Linux build, and is getting much more active development than our old C-based POSIX Meterpreter.

 

Oh, yes, and there's good old Windows Meterpreter. We've made huge improvements there, thanks to some phenomenal focused effort from OJ "TheColonial" Reeves. OJ has brought Meterpreter (sometimes kicking and screaming) to the modern era of C development, with a completely revamped build environment (using the free edition of Microsoft Visual Studio 2013) and continuous integration platform. Along the way, he smashed a huge pile of bugs and annoyances, both internally and externally reported. What this all means to users is that Meterpreter is slightly smaller and *much* more stable now, *and* it's totally amenable to open source C development. The days of having to incorporate every change with the tribal knowledge of James "Egypt" Lee and HD Moore are pretty much over.

 

For exploit developers, we have a bunch of brand new libraries for use: FireFart's WordPress manipulation API makes WP-specific assessments much easier, and Meatballs' WDSCP protocol library takes advantage of insecure Windows Deployment Services (are there any other kind?) to get a quick foothold in a WDS-imaged enterprise. Meatballs also contributed a handful of new binary templates for use with payload generation, including templates for PowerShell, VBA, MSI installers, and more, all of which complicate Metasploit's relationship with the various anti-virus vendors.

 

Of course, that's not all, but those are the headline features for Metasploit Framework 4.8.0. We landed over 2,300 commits since mid-July; the summary above and the modules below represent the most visible changes. But with nearly a hundred non-Rapid7 people who got commits into the master repository for Metasploit Framework, it's really pretty impossible to give a complete rundown of every cool new thing that hit; for that, you can start by looking at the last four or five months' worth of blog posts, or even better, peruse the git shortlog (from your nearest git clone, type 'git shortlog 4.7.0...4.8.0').

 

So, thanks to all the volunteers listed below for all your commits (and commitment!) to our collective open source security product, sorted by commit count, then alphabetically by first name or handle. You guys make Metasploit go.

 

Meatballs1, FireFart, jiuweigui, Spencer McIntyre, m-1-k-3, several people calling themselves "root" (fix your .gitconfig, guys!), Nathan Einwechter, xistence, Rick Flores, Karn Ganeshen, MrXors, AverageSecurityGuy, Ramon de C Valle, Markus Wulftange, kaospunk, dummys, Bruno Morisson, RageLtMan, mubix, g0tmi1k, darknight007, bcoles, TecR0c, shellster, Charlie Eriksen, Rich Lundeen, Boris, bmerinofe, joernchen of Phenoelit, jgor, jamcut, ZeroChaos, trustedsec, Shelby Spencer, Sean Verity, Patrick Webster, Dhiru Kholia, ddouhine, Davy Douhine, Alexandre Maloteaux, Tyler Krpata, swtornio, Stephen Haywood, Ryan Wincey, Norbert Szetei, Nicholas Davis, kernelsmith, h0ng10, Frederic Basse, Daniele Martini, Brandon Perry, Brandon Knight, Winterspite, Vlatko Kosturjak, violet, tkrpata, Till Maas, scriptjunkie, Sagi Shahar, Ruslaideemin, Rick Flores, rbsec, pyoor, Paul, nmonkee, MosDefAssassin, Matt Andreko, Juushya, Joshua J. Drake, Jon Hart, Jonathan Rudenberg, Joff Thyer, Joe Barrett, Icewall, Henrik Kentsson, ethicalhack3r, Darren Martyn, corelanc0d3er, Borja Merino, Booboule, allfro, and Alexia Cole.

 

New modules since 4.7.0:

 

Exploit modules

 

Auxiliary and post modules

 

The new modules are available in all Metasploit editions, including Metasploit Pro, Metasploit Express, Metasploit Community, and Metasploit Framework.

 

And It's All Available Now

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

This month, a security researcher disclosed that a version of the old banking Trojan “Trojan.ibank” has been modified to look for SAP GUI installations, a concerning sign that SAP system hacking has gone into mainstream cybercrime.  Once a domain of a few isolated APT attacks, SAP appears to be in the cross hairs of hackers that know just how much sensitive data ERP systems house, including financial, customer, employee and production data.  With more than 248,500 customers in 188 countries, SAP may see an increase of attacks and their customers face the threat of data theft, fraud and sabotage.

 

This trend is not really surprising, given that financial, customer, employee and production data reside in a company’s enterprise resource planning (ERP) systems—and they are juicy targets for all sorts of malicious hackers. What’s worse, these systems have often organically grown over decades and are so complex that few people understand their organization’s entire ecosystem, let alone some of SAP’s protocols and components that are not publicly documented. If you are a security professional responsible for security audits, you may want to download Rapid7’s new free research paper on conducting penetration tests on SAP systems.

 

Organized cyber-crime often looks for credit card numbers contained in business transaction data, which they use to conduct fraudulent transactions. They can extract social security numbers in an employee database to conduct identity theft. By changing the payee account details in the system, they can redirect funds into their own accounts and go home with a hefty paycheck.

 

But cyber-crime is not the only player to worry about. State-sponsored hacking groups regularly break into enterprises for purposes of industrial espionage. ERP systems provide them with a wealth of data to pass on to their domestic industry – as well as a chance to sabotage production flows and financial data. As a result, mergers and acquisitions may fall through or foreign competitors may get a head start on copying the latest technology.

 

SAP is the market leader for ERP systems with more than 248,500 customers in 188 countries. In collaboration with its community contributors, Rapid7’s security researchers have published a research report on how attackers may use vulnerabilities in SAP systems to get to a company’s innermost secrets. The research report gives an overview of key SAP components, explores how you can map out the system before an attack, and gives step-by-step examples on how to exploit vulnerabilities and brute-force logins. These methods have been implemented and published in the form of more than 50 modules for Metasploit, a free, open source software for penetration testing. The modules enable companies to test whether their own systems could be penetrated by an attacker.

Many attackers will try to gain access to SAP systems by pivoting through a host on a target network, for example after compromising a desktop system through a spear phishing email. However, Rapid7 researchers found close to 3,000 SAP systems directly exposed to the Internet, providing direct access to attackers.

 

Rapid7 security researcher Juan Vazquez has published a technical research paper summarizing the vast body of work published by security researchers and himself, many of them Metasploit open source contributors who are credited throughout the paper. The research paper is a practical, technical overview of the various SAP systems and protocols as well as over 50 Metasploit modules that can be leveraged for pentesting SAP solutions. Get your free research paper now: “SAP Penetration Testing Using Metasploit - How to Protect Sensitive ERP Data”.

By Guest Blogger Marius Corîci, ctf365.com

 

Before I start, I would like to thank the Metasploit team at Rapid7, and the Kali Linux team at Offensive-Security for their kindness in letting us use their logos on our platform. I'd especially like to thank hdmoore and ckirsch at Rapid7 as well as Mati Aharoni at Offensive Security. This means a lot to us.

 

Note: If this article is TL;DR, then I recommend you just go to CTF365.com, create an account, create a team and start playing with it.


 

A little bit of history before introducing CTF365

 

In October 2011, we started the HackaServer Project, a web security testing platform using the power of crowd sourcing. When we were building HaS we had to come up with a way to create a spin off in case things were not moving in the direction that we anticipated. I have to mention that HaS is not open for business yet because of one simple reason: We are a very small team.

 

A short recap

 

Information security through gamification is not a brand new concept. In fact, it is quite old, as old as the Internet: it is called CTF – Capture The Flag. The DefCon conference had one of the first CTF competitions. You can check CTF Time to see where CTFs have taken place; they are organized by CS faculties, companies or even government agencies.

 

Why CTFs?

The best way to learn is to learn on the job. Gamification improves skills, and provides education and training. Learning information security through gamification increases students/employee engagement, improves retention rate and speeds up the learning curve/process. At the same time, it is entertaining, challenging, community-driven and hands-on for the students and employees participating in it.

 

Today's CTF competitions are very diverse, going all the way to attack-and-defense scenarios where Red Teams and Blue Teams play against each other. Teams often show an unparalleled level of effort and dedication.

 

However, traditional CTFs have these issues:

 

  • Short duration – CTFs typically only take between 24 hours and a few days.
  • On-site – Many CTFs require you to be physically present at the venue.
  • Few and far between – CTFs don't happen on a regular schedule, and they happen all over the globe.
  • Not beneficial for work – Because CTFs aren't centrally organized, there are no universal scores that are meaningful to a penetration tester's hiring manager.
  • Artificial – Many CTFs don't resemble a real-life network and restrict the players with plenty of rules.

 

 

So why another CTF when there are already so many?

 

We, the team behind CTF365, decided that it is time to change the way CTFs are designed and held by bringing a brand new approach and pushing security gamification to a bigger scale: worldwide. Our goal is to create an Internet replica of a real-life network where security professionals, security students and security wannabes get continuous training on real, man-made servers and infrastructures, not intentionally vulnerable servers.

 

How is that possible?

 

We asked ourselves that, too. It looks like we've made it. Although there is a lot more to do, our IaaS is flexible enough to mimic the real world. CTF365's flexible platform allows users to connect their own infrastructure, whether it is cloud-based, private or dedicated servers. We have already proven that it is possible to have servers tested in the cloud, for example with Metasploitable on HackAServer.com. You can read this article right here on the Rapid7 Community.

 

Companies and organizations can set up their own CTF infrastructure within minutes, and all their users' achievements can be added to each user's general performance. This feature will engage more users at future conference CTFs.

 

 

Who is it for?

 

  • Blue Teams, Red Teams, CERT/CSIRT - Offensive and defensive specialists can improve their training in life-like environments.
  • CTOs, System Administrators – Can experiment with server configurations and see if they can be defeated.
  • Security Vendors – Can test their WAFs and other software as well as hardware.
  • Security Training Companies – Improve their students' retention rate in life-like environments.
  • Information Security Recruiters – Security certificates are very important, but a user's performance and achievements as a security professional are a true testament to their abilities.
  • Web Security organizations like OWASP – Spread awareness among web developers and DevOps.
  • InfoSec Conferences – Participants really want to have fun and have their achievement count.

 

 

Where are we now?

 

At this moment, CTF365 is in Alpha stage, which means it's up and running with a small number of teams (over 30 teams), and there are +11,000 registered users and +900 teams ready to play all over the world. Being in Alpha means that we're still in the development stage, and those who have access to Alpha and the future Beta can experiment and get a sneak peek at the live system.


Once we have scaled up our hardware, we'll be ready to let everyone in. During the Alpha and Beta phases, most users are security professionals from various pentesting and security training companies. As referrals for the pre-release environment, we also accept infosec professionals as well as infosec instructors/teachers. If you would like early access, just let me know.

 

The bottom line

 

“Security will never be perfect, but can be pushed to perfection.”


According to Frost & Sullivan, the global population of information security professionals will increase by 332,000 to 3.2 million at the end of the year and reach ~5 million by 2017. The Internet grows faster than the world’s capacity to provide security-aware system administrators and engineers. We need to close this gap.


CTF365 aspires to build a playground to improve the training possibilities for information security professionals.


Sign up for a CTF365 account now!


Weekly Update

Posted by todb Employee Nov 6, 2013

Disclosures for SuperMicro IPMI

On the heels of last week's bundle of FOSS disclosures, we've gone a totally different direction this week with a new round of disclosures. Today, we're concentrating on a single vendor which ships firmware for Baseboard Management Controllers (BMCs): Supermicro, and their Supermicro IPMI firmware. You can read up on the details on HD's blog post which covers the five new CVEs.

 

It's important to stress that the vulnerabilities discussed by HD don't actually have much of anything to do with the IPMI subsystems themselves; rather, the focus was on the web and SSH management interfaces. Because of this, there is plenty of opportunity for attackers to leverage these oft-overlooked network services to gain a foothold in your datacenter, especially if you have permissive or non-existent firewall rules that expose these services to the Internet; by default SuperMicro's IPMI web and SSH interfaces listen on TCP/443 and TCP/22, as you'd expect.

 

A simple network misconfiguration, such as a blanket "allow" rule on these ports, can accidentally expose these guys to the Internet. Experience shows that exposing management interfaces to the Internet is surprisingly common, and a quick peek at the Internet courtesy of Project Sonar shows that there are over 35,000 Supermicro IPMI interfaces exposed to the world. Yikes.

 

We're toiling away on putting together some reliable exploits and scanner modules for the vulnerabilities, so keep an eye on the Metasploit Framework Repository for those. And speaking of our open source repo...

 

Signed Commits for Metasploit Framework

In Metasploit Framework development news, we've started getting serious about cryptographically signing our commits to Metasploit Framework. This was inspired by the most excellent blog post from Mike Gerwitz, A Git Horror Story: Repository Integrity with Signed Commits. At this point, pretty much all merges to Metasploit's master branch are signed with the committer's PGP key, and you can confirm the signatures yourself by this easy and not-so-fun two step process: First, get a hold of all the committer keys, and import them with your command line PGP/GPG application. Next, use the command "git log --show-signature --merges", and amaze at the cryptographic integrity of the most recent merges.

 

For me, the main reason to do something like this is to add a layer of authenticity to our open source project -- by ensuring that commits to master are signed, even if one of our committers' GitHub accounts gets totally compromised, the attacker would still need to also compromise the committer's PGP key in order to reasonably impersonate him. For most sensible people (our committers included), that means compromising the local key store, which is a much smaller attack vector than GitHub. GitHub is great -- seriously, it is -- but it's big, popular, and always online (pretty much), so it's an attractive target for both focused attacks and general vandalism.

 

Now, actually verifying these signatures automatically by end users is another story; sadly, I don't have any advice for you on how to automatically reject and revert unsigned commits. Today, I eyeball it manually, which of course, sucks. We've asked GitHub nicely to provide some kind of indicator on their web UI that a commit is signed, so I'm hopeful that that feature is Coming Soon. If you have any advice for nice signature-verifying git functionality, comment below, por favor!

 

New Modules

We have two new exploits this week: one for ProcessMaker Open Source by longtime contributor Brendan Coles, and one for Beetel Connection Manager. The latter is the very first exploit module from our new hire, William Vu, so feel free to pay special attention to this module, and file lots of annoying bugs for him on our Redmine issue tracker. Thanks guys!

 

Exploit modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

 

Ninja Update: We have just landed three new auxiliary modules for the Supermicro issues that can help in scanning efforts; they'll be in next week's Metasploit update, but those of you who are following our bleeding-edge source can fetch them from GitHub.

 

Introduction



This post summarizes the results of a limited security analysis of the Supermicro IPMI firmware. This firmware is used in the baseboard management controller (BMC) of many Supermicro motherboards.


The majority of our findings relate to firmware version SMT_X9_226. The information in this post was provided to Supermicro on August 22nd, 2013 in accordance with the Rapid7 vulnerability disclosure policy. More information on this policy can be found online at http://www.rapid7.com/disclosure.jsp. Note that this assessment did not include the actual IPMI network services and was primarily focused on default keys, credentials, and the web management interface.


Although we have a number of Metasploit modules in development to test these issues, they are not quite ready for production use yet, so stay tuned for next week's Metasploit update. At our last count, over 35,000 Supermicro IPMI interfaces were exposed to the public internet.


Supermicro has published a new firmware version (SMT_X9_315) that appears to address many of the issues identified below, as well as those reported by other researchers. We have updated each entry to indicate how the new firmware version impacts these issues.


A cursory review of the new firmware shows significant improvements, but we still recommend disconnecting the IPMI interface from untrusted networks and limiting access through another form of authentication (VPN, etc).



 

Static Encryption Keys (CVE-2013-3619)

 

The firmware ships with hardcoded private encryption keys for both the Lighttpd web server SSL interface and the Dropbear SSH daemon. An attacker with access to the publicly available Supermicro firmware can perform man-in-the-middle and offline decryption of communication to the firmware. The SSL keys can be updated by the user, but there is no option available to replace or regenerate SSH keys.

 

We have not been able to determine if firmware version SMT_X9_315 resolves this issue.


 

 

 

Hardcoded WSMan Credentials (CVE-2013-3620)

 

The firmware contains two sets of credentials for the OpenWSMan interface. The first is the digest authentication file, which contains a single account with a static password. This password cannot be changed by the user and is effectively a backdoor. The second involves the basic authentication password file stored in the nv partition – it appears that due to a bug in the firmware, changing the password of the ADMIN account leaves the OpenWSMan password unchanged (still set to admin).

 

We have not been able to determine if firmware version SMT_X9_315 resolves this issue.


 

 

CGI: login.cgi (CVE-2013-3621)

 

 

The login.cgi CGI application is vulnerable to two buffer overflows. The first occurs when processing the name parameter: the value is copied with strcpy() into a 128-byte buffer without any length checks. The second relates to the pwd parameter: the value is copied with strcpy() into a 24-byte buffer without any length checks. Exploitation of these vulnerabilities would result in remote code execution as the root user account. The vulnerable code is shown below (auto-generated from IDA Pro + HexRays).

 

if ( cgiGetVariable("name") )
{
  v2 = (const char *)cgiGetVariable("name");
  strcpy(&dest, v2);
}
if ( cgiGetVariable("pwd") )
{
  v3 = (const char *)cgiGetVariable("pwd");
  strcpy(&v13, v3);
}

 

Firmware version SMT_X9_315 removes the use of strcpy() and limits the length of the name and pwd values to 64 and 20 respectively.

 

 

CGI: close_window.cgi (CVE-2013-3623)

 

The close_window.cgi CGI application is vulnerable to two buffer overflows. The first issue occurs when processing the sess_sid parameter: this value is copied with strcpy() to a 20-byte stack buffer without any length checks. The second issue occurs when processing the ACT parameter: this value is copied with strcpy() to a 20-byte stack buffer without any length checks. Exploitation of these vulnerabilities would result in remote code execution as the root user account. The vulnerable code is shown below (auto-generated from IDA Pro + HexRays).


if ( cgiGetVariable("sess_sid") )
{
  v1 = (const char *)cgiGetVariable("sess_sid");
  strcpy(&v19, v1);
}
...
if ( cgiGetVariable("ACT") )
{
  v3 = (const char *)cgiGetVariable("ACT");
  strcat(&nptr, v3);
  ...

 

Firmware version SMT_X9_315 completely removes this CGI from the web interface.

 

 

 

CGI: logout.cgi (CVE-2013-3622) [ authenticated ]

 

 

The logout.cgi CGI application is vulnerable to two buffer overflows. The first occurs when processing the SID parameter: the value is copied with strcpy() into a 20-byte buffer without any length checks. The second issue relates to further use of the SID parameter: the value is appended with strcat() into a 32-byte buffer without any length checks. Exploitation of these vulnerabilities would result in remote code execution as the root user account. The vulnerable code is shown below (auto-generated from IDA Pro + HexRays).



if ( cgiGetVariable("SID") )
{
  v4 = (const char *)cgiGetVariable("SID");
  strcpy(&s, v4);
}

 

Firmware version SMT_X9_315 switches to a GetSessionCookie() function that limits the length of the SID variable returned to this code and no longer calls strcpy().
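The login.cgi, close_window.cgi and logout.cgi findings above share one pattern: a request parameter copied or appended into a fixed stack buffer with strcpy() or strcat(). The following is an added example, not Supermicro's code and not part of the original advisory, of length-checked replacements; copy_param, append_param and parse_login are hypothetical names, and the 64 and 20 character limits are taken from the SMT_X9_315 note above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum param_status { PARAM_OK = 0, PARAM_MISSING = -1, PARAM_TOO_LONG = -2 };

/* Copy src into dst only if it fits, terminator included.
 * Over-long input is rejected rather than truncated: a silently shortened
 * user name or session ID would change what the request means.
 * When dst is usable it is always left holding a valid (possibly empty) string. */
enum param_status copy_param(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;

    if (dst == NULL || dst_size == 0)
        return PARAM_TOO_LONG;
    dst[0] = '\0';
    if (src == NULL)
        return PARAM_MISSING;
    /* Bounded length scan: never reads past the first dst_size bytes of src. */
    while (len < dst_size && src[len] != '\0')
        len++;
    if (len == dst_size)
        return PARAM_TOO_LONG;
    memcpy(dst, src, len + 1);
    return PARAM_OK;
}

/* Bounded replacement for strcat(): append src to the string already in dst.
 * On failure dst keeps its previous contents. */
enum param_status append_param(char *dst, size_t dst_size, const char *src)
{
    size_t used = 0;

    if (dst == NULL || dst_size == 0)
        return PARAM_TOO_LONG;
    if (src == NULL)
        return PARAM_MISSING;
    while (used < dst_size && dst[used] != '\0')
        used++;
    if (used == dst_size)
        return PARAM_TOO_LONG;          /* dst was not NUL-terminated */
    return copy_param(dst + used, dst_size - used, src);
}

/* Assumed layout: 64 and 20 characters plus one byte each for the NUL. */
struct login_form {
    char name[64 + 1];
    char pwd[20 + 1];
};

/* Hypothetical login handler: 0 on success, -1 if name is rejected,
 * -2 if pwd is rejected. The raw strings stand in for cgiGetVariable(). */
int parse_login(struct login_form *out, const char *name, const char *pwd)
{
    if (copy_param(out->name, sizeof out->name, name) != PARAM_OK)
        return -1;
    if (copy_param(out->pwd, sizeof out->pwd, pwd) != PARAM_OK)
        return -2;
    return 0;
}

int main(void)
{
    struct login_form form;
    char oversized[200];                /* constructed over-long input */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    printf("normal login    -> %d\n", parse_login(&form, "ADMIN", "secret"));
    printf("oversized name  -> %d\n", parse_login(&form, oversized, "secret"));
    printf("oversized pwd   -> %d\n", parse_login(&form, "ADMIN", oversized));
    return 0;
}
```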

 



CGI: url_redirect.cgi (NO CVE) [ authenticated ]

 

 

The url_redirect.cgi CGI application appears to be vulnerable to a directory traversal attack due to lack of sanitization of the url_name parameter. This may allow an attacker with a valid non-privileged account to access the contents of any file on the system. This includes the /nv/PSBlock file, which contains the clear-text credentials for all configured accounts, including the administrative user. The vulnerable code is shown below (auto-generated from IDA Pro + HexRays).


sprintf(&v23, "%s/%s", *(_DWORD *)&ext_name_table[12 * i + 8], s);
v18 = fopen(&v23, "r");


Firmware version SMT_X9_315 appears to fix this issue.
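The sprintf()/fopen() pair above joins a user-supplied name to a base directory with no checks. As an added example (not the vendor's fix and not from the original advisory), the code below shows one way to constrain such a lookup: a lexical check on the name, a truncation-checked join, and a containment check on the resolved path. All function names are hypothetical, and "/web" in main and the test is a constructed base directory.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700               /* for realpath() */
#endif
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Lexical check on a user-supplied relative name.
 * Returns 1 if acceptable, 0 if it is empty, absolute, contains a ".."
 * component, an empty component, a backslash, or a trailing slash. */
int name_is_safe(const char *name)
{
    const char *p = name;

    if (name == NULL || name[0] == '\0' || name[0] == '/')
        return 0;
    while (*p != '\0') {
        size_t n = strcspn(p, "/");     /* length of this path component */
        if (n == 0)
            return 0;                   /* "a//b" */
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 0;                   /* parent-directory component */
        if (memchr(p, '\\', n) != NULL)
            return 0;
        p += n;
        if (*p == '/') {
            p++;
            if (*p == '\0')
                return 0;               /* trailing slash */
        }
    }
    return 1;
}

/* Join base and name into out; fails on an unsafe name or on truncation. */
int build_path(char *out, size_t out_size, const char *base, const char *name)
{
    int n;

    if (!name_is_safe(name))
        return -1;
    n = snprintf(out, out_size, "%s/%s", base, name);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return 0;
}

/* True if the already-resolved path lies strictly below the resolved base.
 * The separator check stops "/web" from matching "/webroot/...". */
int is_within(const char *base, const char *path)
{
    size_t n = strlen(base);

    if (n == 0 || strncmp(base, path, n) != 0)
        return 0;
    if (base[n - 1] == '/')
        return 1;                       /* base is the root directory */
    return path[n] == '/';
}

/* Open name below base for reading, or return NULL.
 * realpath() resolves symlinks, so a link inside base that points
 * elsewhere is caught by is_within(). */
FILE *open_contained(const char *base, const char *name)
{
    char joined[PATH_MAX], real_base[PATH_MAX], real_path[PATH_MAX];

    if (build_path(joined, sizeof joined, base, name) != 0)
        return NULL;
    if (realpath(base, real_base) == NULL)
        return NULL;
    if (realpath(joined, real_path) == NULL)
        return NULL;
    if (!is_within(real_base, real_path))
        return NULL;
    return fopen(real_path, "r");
}

int main(void)
{
    /* Constructed sample names; /nv/PSBlock is the file named in the text. */
    const char *samples[] = { "page/index.html", "../nv/PSBlock",
                              "/nv/PSBlock", "a/../../b" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %s\n", samples[i],
               name_is_safe(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```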

 

 

CGI: miscellaneous (NO CVE) [ authenticated ]

 

 

Numerous unbounded strcpy(), memcpy(), and sprintf() calls are performed by the other 65+ CGI applications available through the web interface. Most of these applications verify that the user has a valid session first, limiting exposure to authenticated users, but the review was not comprehensive. All instances of unsafe string and system command handling should be reviewed and corrected as necessary. Exploitation of these issues allows a low-privileged user to gain root access to the device.


Firmware version SMT_X9_315 has reorganized the web root, adding quite a few new CGI applications, removing many more, and generally purging the use of insecure functions like strcpy(). In addition, the config_tftpd.cgi and snmp_config.cgi CGI applications now validate that the user has a valid session first. They did not before, but it wasn't clear what risk this posed. In fact, the only two CGI applications that are now exposed to unauthenticated users are vmstatus.cgi and login.cgi.

 





Disclosure Timeline

 

2013-08-22 (Thu) : Initial discovery and disclosure to vendor

2013-09-07 (Fri) : Vendor response

2013-09-09 (Mon) : Disclosure to CERT/CC

2013-10-23 (Wed) : Planned public disclosure (delayed)

2013-11-06 (Wed) : Public disclosure

2013-11-06 (Wed) : Scanner modules written

2013-11-06 (Thu) : Vendor indicates a fix is available


This Thursday, it's my distinct pleasure to host Mike @s3cur1ty_de Messner for a German-language webcast about SOHO router security. For those not familiar with him, Mike is the author of the most comprehensive German Metasploit book (published by dpunkt) and worked several years as a Metasploit trainer. His personal passion is poking holes into the kind of routers you (and your CEO) have at home. These types of systems are very widely used but are rarely patched - even though they have critical security issues. A few months ago, for example, 420,000 embedded devices were infected by a botnet called Carna and then used for a global Internet scanning project. While the so-called Internet Census was illegal but benign, it outlined the scale of the problem.

 

In this German-language webcast, Mike is sharing some of his research and is giving live demos of the Metasploit modules he's using. He's covering the following topics:

  • Why is the security of SOHO routers important?
  • Typical security issues with SOHO routers
  • Technical case studies with live demos
  • Metasploit modules for testing routers
  • Results of 30 tested devices
  • Q&A


Reserve your seat in this German-language webcast now - space is limited!

Disclosure for FOSS Projects

Earlier today, we published seven modules for newly disclosed vulnerabilities that target seven free and open source (FOSS) projects, all discovered and written by long time Metasploit contributor Brandon Perry. These vulnerabilities moved through Rapid7's usual disclosure process, and as you can read in the summary blog post, it was a little bit of an adventure. These were not projects like Linux or Apache with bazillions of downloads and installed basically everywhere, but more on that second and third tier of free software projects which have merely millions of downloads or tens of thousands of users.

 

One thing that occurred to me is that these may be the first, or at least among the first, vulnerabilities disclosed to many of these software vendors. Collectively, these applications have been downloaded more than 16 million times, so it seems weird that the vendors' disclosure handling wasn't a little more normalized.

 

Of course, the way to get good at anything is to practice, so publishers of free software at this level of popularity could use some practice fielding new vulnerability disclosures. To that end, if you're a user of these applications (or other mildly popular applications), you may want to take a look at their openly published source and binaries to see if you can't uncover some vulnerabilities yourself. After all, that's part of the compact we have with FOSS publishers -- they make their materials free to open inspection, but someone actually has to do the inspection.

 

As you can see in the technical writeup, most of these exposures aren't terribly complicated once you start looking. These issues were uncovered and exploited by Brandon primarily during some downtime at DEFCON 2013, so it's not like it was a particularly complicated approach to bug hunting.

 

Inspecting open source software for security issues is a public good that pretty much anyone with technical chops can get into -- you can practice your exploit dev skills, and the software developers can practice handling disclosures once you report them -- either directly or through a third party like ZDI or your friends here at Rapid7. There are tons of books and websites on security best practices and vulnerability research to get you started, and lots of helpful researchers on the Internet to help you along the way. All I ask is that you disclose your findings reasonably and give the vendor time to patch and time to warn their user base about the issues. That way, you're not needlessly injecting extra instability into the Internet as a whole.

 

A Quick Respin of 4.7.2

You may have noticed that we didn't release an update for Metasploit last week. Instead, we were chasing down, fixing, and re-releasing the update to fix a bug in the way the Postgres database is upgraded for Metasploit Community and Metasploit Pro. If you haven't noticed any problems, you're in the majority, and there's no need to reapply anything -- the bug only appears to have hit (a very few) isolated platforms where the end users a) were not on supported platforms and b) had altered their own local database configurations. If you happen to be in this group, then simply reinstalling the newly re-released update will get you squared away. Again, this affected a small set of users (I can count them on one hand) and wasn't a security issue or anything, just a configuration conflict.

 

New Modules

We're shipping a whopping 16 new exploits, including the seven from bperry, eight new auxiliary modules, and one new post module. At a grand total of 25 new modules, it's been a busy week in the People's Glorious Republic of Metasploit. Thanks to all various and sundry contributors for your efforts this week.

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Adventures in FOSS Exploitation, Part One: Vulnerability Discovery

This is the first of a pair of blog posts covering the disclosure of seven new Metasploit modules exploiting seven popular free, open source software (FOSS) projects. For technical details on the security issues for the applications discussed here, see Brandon Perry's exhaustive blog post.

 

Back over DEFCON, Metasploit contributor Brandon Perry decided to peek in on SourceForge, that grand-daddy of open source software distribution sites, to see what vulnerabilities and exposures he could shake loose from an assortment of popular open source enterprise applications. For his effort, he discovered a variety of vulnerabilities and exposures, and has released Metasploit modules for the following applications. All have some kind of webapp component, which was the focus of his efforts.

 

Affected Software Summary

 

Software | Vulnerability / Exposure | CVE | Status | Lifetime Downloads
Moodle | Post-Authentication Host OS Command Execution | 2013-3630 | wontfix | 4,760,000
vTiger CRM | Post-Authentication Host OS Command Execution | 2013-3591 | patched | 3,643,000
Zabbix | Post-Authentication Host OS Command Execution | 2013-3628 | wontfix | 2,961,000
Openbravo ERP | Post-Authentication XXE Arbitrary File Read | 2013-3617 | patched | 2,135,000
ISPConfig | Post-Authentication Host OS Command Execution | 2013-3629 | patched | 1,561,000
OpenMediaVault | Post-Authentication Host OS Command Execution | 2013-3632 | wontfix | 703,000
NAS4Free | Post-Authentication Host OS Command Execution | 2013-3631 | no data | 667,000

 

The most popular application on this list is Moodle, with over four and a half million downloads over its lifetime of SourceForge hosting, and the least is NAS4Free, with merely several hundred thousand downloads. While this is only an approximate figuring of popularity, and none approach the installation base boasted by Wordpress or Apache, they nevertheless are not uncommon to find on a penetration testing engagement. Across all seven projects, we're looking at a total lifetime download count of about 16 million. If only one to two percent of those are installed and still active today, that's still over a quarter million targets out there.

 

Despite this level of apparent popularity, though, the actual business of disclosing vulnerabilities to the software developers directly was... circuitous. Across these seven projects, I found there were at least seven different approaches to handling incoming vulnerability reports.

 

It's been well over a decade since the publication of Rain Forest Puppy's seminal work, the RFPolicy 2.0, and virtually everyone in the information security community can agree that some kind of vulnerability disclosure policy is useful for any serious project of note. Yet, when we contacted these vendors, it was as if the RFPolicy had never existed. I won't trouble you with shaming details of disclosure -- I won't mention which project representative asked for a password-protected zip file of the disclosure, while another filed the issue on a public bug tracker which promptly e-mailed it back in cleartext -- but the level of preparedness I ran into was pretty troubling. I suspect, rather strongly, that the mature security issue handling that you find at organizations like the Apache Foundation or Microsoft is the exception, and not the rule.

 

 

A Vulnerability Handling Checklist

So, rather than simply dump these vulnerabilities and exposures and run, we thought we'd provide an extremely short checklist that software maintainers could use to ensure that they are holding up their end of the social contract for popular software. This is broad strokes stuff, intended for the (apparently huge) audience of software developers and maintainers who don't already have a security vulnerability handling procedure in place.

 

1. Have a designated security mailing alias. If your software is popular, you almost certainly already have a dedicated domain name, so security@yoursoftware.org is an ideal format. Try not to be creative with this naming convention; the goal is to be easily guessable, even if the reporter can't (or won't) find your most excellent web page describing your disclosure process.

 

2. Have a signed PGP key. Ideally, you will already be participating in a web of trust, and can collect multiple signatures, but at the very least, the PGP/GPG key associated with security@yoursoftware.org is signed by one or more of your core developers.

 

3. Publish your PGP key somewhere obvious. At Rapid7, we link to our PGP key on MIT's keyserver at http://www.rapid7.com/disclosure.jsp. CERT/CC is even better at this, hosting the key directly on their own server over HTTPS. At a minimum, it should be findable with very little work.

 

4. Insist on encrypted communication. Yes, the NSA has already broken everyone's encryption (let's say), but that doesn't mean every ISP, intermediate router, e-mail exchange, and bug tracker should have straight cleartext access to your security disclosure messages. I have no idea if anyone's watching your comms for reported security issues, but more importantly, neither do you. Plus, using encrypted e-mail serves as a pretty decent shibboleth for representing yourself as Serious About Security.

 

5. Acknowledge receipt. If you are getting a disclosure for free you should be polite and acknowledge receipt. The vulnerability discoverer is playing by the rules, so you should make the effort as well. Worst case, you don't respond, and the discoverer just dumps his findings on Full Disclosure.

 

6. Have a contact at CERT/CC. I like dealing with CERT/CC a lot, since they tend to know people, and know people who know people. If something serious is discovered, we communicate with CERT/CC shortly after informing the vendor, so if they already know who you are, coordinated disclosure is all the easier.

 

7. Issue a patch. This may seem obvious, but not every vulnerability is a bug in code. Some -- like the ones found here by Brandon -- are "merely" exposures, which are (often unintended) features; in this case, a patch could simply be a documentation update, warning about the described behavior.

 

8. Issue a disclosure. Nearly always, security researchers will publish their own findings. Sometimes, CERT/CC will publish a Vulnerability Note. Public security resources such as OSVDB and Exploit-DB will often have entries for your bug. All of this is great here in infosec land, but your users may not keep abreast of these sources. For many of them, all they know about your software is what you tell them. So, take advantage of this event to help out your users, and their users, and the rest of the Internet. Have a link to some clearly worded text that describes the problem, the solution, and any workarounds.

 

That is really the long and the short of it. It's a little preachy, but believe me, there are many, many more things to say on disclosure (both giving and receiving). The above should get you going today if you don't already have some kind of process in place, and if you have many hundreds of thousands of downloads, you really ought to have that process ironed out and ready to go.

 

That's nice, what about all the "wontfix" bugs?

Please see part two of the FOSS Tricks and Treats by Brandon Perry, for technical details of these exposures and vulnerabilities. The modules described are checked into Metasploit now, and will be available as part of the regular Metasploit update. Note that all are post-authentication, which means that you already need a username and password to exercise host operating system functionality via the HTTP/HTTPS vector. Also, for some of these applications, the argument was made that these exposures were normal, designed functionality. In other words, many of these modules will still function in the latest patched versions of the software.

 

There is definitely room for debate as to whether or not these were particularly wise design decisions. On the one hand, many of these applications assume the user is also already in control of the host operating system. On the other, the users of these applications may not realize that by allowing regular old port 80 traffic, they are, effectively, opening a full shell to anyone able to guess a username and password. Penetration testers love these kinds of applications, since they often can provide surprising and unexpected footholds into a network.

 

Thanks to CERT/CC for helping with disclosure chores, and to the above vendors who responded in a timely way to our vulnerability disclosure ministrations. Regardless of their unique disclosure handling processes, every one of them reacted politely and professionally, so thanks for that.

 

Update: ISPConfig has reported that they are patched and has provided a link. Links also provided for the vTiger and Openbravo fixes.

Adventures in FOSS Exploitation, Part Two: Exploitation

This is part two of a pair of articles about disclosing vulnerabilities in a set of FOSS projects. See part one for some background on these vulnerabilities in particular, and some general advice for FOSS developers and maintainers.

 

A while back, I started a project to go over some of the top Sourceforge web applications and try to write some Metasploit modules for them. In the end, I was able to write seven new Metasploit modules (six exploits and one aux). Some of the modules take advantage of intended functionality, such as the Moodle module. Others take advantage of true security flaws, such as the Openbravo XXE module. I will go into detail for each module in this blog post.

 

I would like to especially thank todb for handling the vuln reporting for these modules, as I am lazy and just want to hack stuff. Props!

 

Moodle Authenticated Remote Command Execution (CVE-2013-3630)

Moodle is an open-source Learning Management System or Course Management System. It is used around the world by educational institutions, private enterprises, and governments alike and is a very good example of a solid open-source project. This year, as of this writing, Moodle has been downloaded from Sourceforge over 800,000 times. However, Moodle is easily installed from apt and yum as well.

 

This module exploits more of a design flaw than a bug as the feature that is abused is meant to be there. This means that this isn't actually going to be fixed, but I will discuss mitigation later.

 

The module also has the ability to exploit a vulnerability. Moodle was recently found to have an XSS bug that allows a student (unprivileged user) to steal an admin's session key (the "sesskey"). You can log in with less-privileged credentials, but supply a sesskey for an admin. This allows the unprivileged user to have the authorization of the admin, which in turn allows the user to pop a shell. You can read more about this XSS vulnerability on Exploit-DB.

 


 

So, down to the nitty-gritty, how do you pop the shell? Within Moodle, an Administrator has the ability to specify a system path to the aspell binary on the filesystem that the TinyMCE editor will use for spell-checking. You can probably already see where this is going.

 


 

Basically, an attacker can specify an arbitrary command, ensure the editor will use the system aspell, and make a request to ask for a spell check. By default, it is not set to the correct value and you will need to ensure it is using the system aspell.

 


 

 

When the request for a spell check is made, the command is run in the context of the web application. If you specify the username and password of any user, and a sesskey of an admin, the exploit will work in the exact same way.

 

You can use the config value "$CFG->preventexecpath = true" to mitigate this risk.

 


 

Disclosure Timeline (Moodle)

 

Sat Aug 03, 2013: Initial discovery by internal researcher

Sat Aug 03, 2013: Draft Metasploit module written

Mon Aug 26, 2013: Initial contact to vendor

Mon Aug 27, 2013: Bug filed at Moodle bug tracker as MDL-41449

Wed Oct 30, 2013: Public Disclosure

 

Vtiger CRM Authenticated Remote Code Execution

 

This web application has been downloaded over 200,000 times this year from Sourceforge.

 


 

I found that an authenticated user (default creds admin:admin) could upload PHP source files with an extension of .php3 (.php was blocked) after manipulating a URL that the user is taken to during image uploading.

 


 

By altering the URL (it is read-only, so you need to copy it to a new tab), you could navigate to an upload folder with fewer file restrictions than the image upload folder, and by uploading a PHP script to this folder, you could access the script remotely to have it run arbitrary PHP code.

 


 

There are two vulnerabilities here that lead to successful exploitation. The first is that a user could navigate to an upload directory with fewer restrictions on allowed filetypes (non-images). The second is that the upload check used an incomplete blacklist (it restricts .php but not .php3).
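The two flaws named above, modelled next to a hardened check. This is an added Python example, not vTiger's PHP code and not part of the original post; the function names, the allowlisted extensions, and the sample names and paths are assumptions made for illustration.

```python
import os

# Model of the flawed check as the post describes it: only ".php" is refused.
BLOCKED_EXTENSIONS = {".php"}

# Hardened policy (assumed set): the only extensions an image upload needs.
ALLOWED_IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def denylist_accepts(filename):
    """Flawed check: anything whose extension is not on the denylist passes."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in BLOCKED_EXTENSIONS


def safe_image_name(filename):
    """Return the bare file name if it has exactly one allowlisted extension.

    Directory parts are dropped and names with zero or several dots are
    refused, so the server never has to guess which suffix decides the type.
    """
    name = os.path.basename(filename.replace("\\", "/")).strip().rstrip(". ")
    stem, _, ext = name.lower().partition(".")
    if not stem or "." in ext or "." + ext not in ALLOWED_IMAGE_EXTENSIONS:
        return None
    return name


def resolve_upload_path(upload_root, requested_dir, filename):
    """Return the destination path, or None if the upload must be refused.

    requested_dir stands for the folder named in the client-supplied URL.
    It is resolved and must remain inside upload_root.
    """
    name = safe_image_name(filename)
    if name is None:
        return None
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, requested_dir, name))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def compare_checks(names):
    """Return (name, passes_denylist, passes_allowlist) for each name."""
    return [(n, denylist_accepts(n), safe_image_name(n) is not None) for n in names]


# Constructed sample names, not taken from the post's screenshots.
SAMPLE_NAMES = ["logo.png", "notes.php", "notes.php3"]

if __name__ == "__main__":
    for row in compare_checks(SAMPLE_NAMES):
        print("%-12s denylist=%-5s allowlist=%s" % row)
    # Constructed paths: the second request names a folder outside the root.
    print(resolve_upload_path("/srv/app/uploads/images", ".", "logo.png"))
    print(resolve_upload_path("/srv/app/uploads/images", "../documents", "logo.png"))
```

The allowlist closes the extension gap and the path check closes the folder gap; either one alone leaves the other flaw usable.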

 

You can access the newly uploaded file directly on the web server and execute any PHP code you want.

 


 

Once I realised the workflow for exploitation, a Metasploit module was cake. The module is effective against versions 5.3.0 and 5.4.0 of VTiger CRM.

 


 

Disclosure Timeline (vTiger CRM)

 

2013-07-01: Vulnerability discovered by Brandon Perry, Rapid7

2013-07-01: Metasploit module written

2013-07-02: Disclosure first draft written

2013-07-03: Vendor contacted with disclosure and Metasploit module

2013-07-23: CERT/CC contacted with disclosure and Metasploit module

2013-09-05: Planned Public disclosure (delayed)

2013-10-30: Public disclosure

 

Zabbix Authenticated Remote Command Execution (CVE-2013-3628)

 

Zabbix is an enterprise-class open-source software for monitoring networks, similar to Nagios. It has been downloaded on Sourceforge almost 300,000 times this year so far.

 

This module abuses functionality within the application which allows an administrator to run scripts on hosts. After creating a host with an IP of 127.0.0.1 (one can already exist; this will make two), you can create a 'script' with an arbitrary command to be run on the Zabbix server, and call script_exec.php with the ID of the new host and the ID of the new script. This module uses the same vector of command execution as the module pyoor just got pushed into the framework, but uses real authentication as opposed to a SQL injection. This means mine will still work after the patch, with correct credentials. As it turns out, I found the vector around the same time as another researcher (Lincoln of corelan), independently. Funny how things like that work sometimes.

 


 

Disclosure Timeline (Zabbix)

 

Sat Aug 24, 2013: Initial discovery by internal researcher

Sat Aug 24, 2013: Draft Metasploit module written

Mon Aug 26, 2013: Initial contact to vendor

Wed Aug 28, 2013: Response from vendor, details provided

Wed Sep 11, 2013: Disclosure to CERT/CC

Wed Oct 30, 2013: Public Disclosure

 

Openbravo ERP Authenticated XXE (CVE-2013-3617)

 

Openbravo ERP is an open source project available on Sourceforge, downloaded over 134,000 times this year. It was vulnerable to an XXE (XML eXternal Entity) attack via the XML API. This allows an authenticated user to post specially-crafted XML to the XML API and read arbitrary files from the file system as the user the application is running as (generally not root).

 


 

If you aren't familiar with what an XXE attack is, I will explain it briefly. A great resource to read up more fully on this type of vulnerability is on the OWASP website.

 

Basically, the default SAX parser used by many Java applications validates and expands entities defined within an external DTD. An attacker can create an external DTD within the XML request to a web service that will define new entities and where to look for them if referenced. When this request is parsed, the entities will be expanded on the server side to the values they were defined with. You can set these to expand to local files on the file system, thus replacing the entity with the contents of the file. This is the basic premise of the attack.
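The defensive side of that premise: a request body that declares a DTD can be refused before any entity is expanded. This is an added Python example built on the standard library's expat bindings, not Openbravo's Java code and not part of the original post; the element names, the entity name and the file URI in the sample bodies are constructed.

```python
import xml.parsers.expat


class DtdNotAllowed(ValueError):
    """Raised when a request body carries a DOCTYPE declaration."""


def inspect_entities(xml_bytes):
    """List entity declarations in a document without resolving any of them.

    Returns (name, system_id) tuples; system_id is None for internal entities.
    """
    found = []
    parser = xml.parsers.expat.ParserCreate()
    # Never fetch external DTD subsets or parameter entities while inspecting.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        found.append((name, system_id))

    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(xml_bytes, True)
    return found


def parse_untrusted(xml_bytes):
    """Parse a request body, refusing any document that declares a DTD.

    Returns (element, text) pairs for every element that has text content.
    """
    parser = xml.parsers.expat.ParserCreate()
    fields, stack = [], []

    def refuse_doctype(name, system_id, public_id, has_internal_subset):
        # Fires before the internal subset is read, so no entity is defined.
        raise DtdNotAllowed("DOCTYPE %r is not accepted" % name)

    def start(name, attrs):
        stack.append([name, []])

    def chars(data):
        if stack:
            stack[-1][1].append(data)

    def end(name):
        tag, chunks = stack.pop()
        text = "".join(chunks).strip()
        if text:
            fields.append((tag, text))

    parser.StartDoctypeDeclHandler = refuse_doctype
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_bytes, True)
    return fields


# Constructed request bodies; the element names are placeholders.
BENIGN_BODY = b"<Record><comments>quarterly review</comments></Record>"
BODY_WITH_DTD = (
    b'<!DOCTYPE Record [<!ENTITY ext SYSTEM "file:///etc/hostname">]>'
    b"<Record><comments>&ext;</comments></Record>"
)

if __name__ == "__main__":
    print(parse_untrusted(BENIGN_BODY))
    print(inspect_entities(BODY_WITH_DTD))
    try:
        parse_untrusted(BODY_WITH_DTD)
    except DtdNotAllowed as exc:
        print("rejected:", exc)
```

In a Java SAX stack the equivalent control is setting the parser feature http://apache.org/xml/features/disallow-doctype-decl to true.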

 

Openbravo ERP is a Java application that provides an XML API to authenticated users. This is available at the URI /ws/dal/<ENDPOINT>. Each endpoint represents a specific entity within the Openbravo data access layer. The module by default uses the ADUser endpoint because you will eventually find a user you can edit (yourself) and persist with the new value. Each class represented by the endpoints seems to share at least one property, a comment. This field seems to be postable with free-form text across all the endpoints I tried (Product is another). The module uses this field to store the value of the file, then requests the updated entity from the endpoint with a GET and parses the comment field. I do try to remain stealthy, so I remove the file from the comments field when done. You have the ability to set the endpoint you want to use in the options for the module (ENDPOINT, by default ADUser).

 


 

Disclosure Timeline (Openbravo ERP)

 

Mon Jul 22, 2013: Initial discovery by internal researcher

Mon Jul 29, 2013: Draft advisory written

Tue Aug 06, 2013: Initial contact to vendor

Tue Aug 06, 2013: Automatic response for issue 22813

Tue Aug 13, 2013: PGP key provided, disclosure sent to vendor

Wed Aug 26, 2013: Disclosure to CERT/CC

Thu Aug 27, 2013: VU#533894 assigned by CERT/CC

Wed Sep 04, 2013: Planned public disclosure (Delayed)

Wed Oct 30, 2013: Public Disclosure

Wed Oct 30, 2013: CERT/CC VU published

 

 

ISPConfig Authenticated Remote Code Execution (CVE-2013-3629)

 

 

ISPConfig is an open source hosting control panel written in PHP that allows for easy management of resellers and clients of internet cloud space and the like.

 

An administrator (default creds admin:admin) on ISPConfig has the ability to import and export language definition files. These files contain snippets of PHP code that get evaluated and executed in order to persist the correct language values. An attacker can abuse this by uploading a specially crafted file with arbitrary PHP code.

 

The Metasploit module I have written to take advantage of this is called ispconfig_php_exec and allows the attacker to define the language that will inevitably be over-written (so don't choose the main language, otherwise it will be apparent something is wrong). While the vendor has stated they have added mitigations to later versions than 3.0.5.2 (which I was testing on at first), the module still works against the latest release.

 


 

Disclosure Timeline (ISPConfig)

 

Mon Jul 29, 2013: Initial discovery by internal researcher

Mon Aug 29, 2013: Draft Metasploit module written

Mon Aug 26, 2013: Initial contact to vendor

Tue Aug 27, 2013: Vendor response with PGP key

Tue Aug 27, 2013: Vendor provided with full details

Wed Sep 04, 2013: Vendor provided a fix

Wed Sep 12, 2013: Disclosure to CERT/CC

Wed Oct 30, 2013: Public Disclosure

 

OpenMediaVault Authenticated Remote Command Execution (CVE-2013-3632)

OpenMediaVault is an open-source Debian distribution for network attached storage devices. Available on Sourceforge, it has been downloaded over 500,000 times this year as of this writing.

 

OpenMediaVault allows you to create cron jobs as users (including root). This module abuses this to create a cron job to run whatever arbitrary command the authenticated attacker (default creds admin:openmediavault) wants to run.

 


 

Disclosure Timeline (OpenMediaVault)

 

Thu Aug 01, 2013: Initial discovery by internal researcher

Thu Aug 01, 2013: Draft Metasploit module written

Mon Aug 26, 2013: Initial contact to vendor

Tue Aug 27, 2013: Vendor response with PGP key

Tue Aug 27, 2013: Vendor provided with full details

Wed Sep 11, 2013: Vendor response

Wed Sep 12, 2013: Disclosure to CERT/CC

Wed Oct 30, 2013: Public Disclosure

 

NAS4Free Authenticated Remote Code Execution (CVE-2013-3631)

NAS4Free is an open-source BSD distribution for network attached storage devices. Available on Sourceforge, it has been downloaded nearly 350,000 times this year as of this writing. NAS4Free is a direct continuation of development of FreeNAS, just under a different name (due to legal circumstances).

 

A feature offered by NAS4Free to authenticated users (default creds admin:nas4free) is to run arbitrary PHP code (what could go wrong?). It also offers to run bash commands, but the bash environment is very limited and no connect-backs were viable via this vector.

 


 

This module simply takes advantage of this feature to pop a shell with PHP. I noticed that PHP meterpreter did not work properly, and settled on using the simpler php/reverse_php payload for most of my testing.


 

Disclosure Timeline (NAS4Free)

 

Fri Aug 02, 2013: Initial discovery by internal researcher

Fri Aug 05, 2013: Draft Metasploit module written

Mon Aug 26, 2013: Initial contact to vendor

Wed Aug 28, 2013: Disclosure to vendor

Wed Sep 12, 2013: Disclosure to CERT/CC

Wed Oct 30, 2013: Public Disclosure

Wed Oct 30, 2013: CERT/CC VU published

Simulating the Adversary

A big part of what we do here at Metasploit is "simulating bad guys." On a good week, we can focus on taking real exploits that are being actively used on the Internet, clean them up to our standards for publishing, make sure they actually work as reported, and publish a Metasploit module. This last week has been very good indeed, at least from our point of view, since there's been loads of exploitation going on lately that's come into public view.

 

vBulletin's accidental backdoor

Last week, there was a report of a dangerous vBulletin exploit in the wild. vBulletin is a proprietary community / forum PHP application, and the vulnerability in question looks to be some installation-time artifacts accidentally left over after installing the software. What it actually amounts to is an (almost certainly) accidental backdoor into account creation, whereby an attacker can create new administrator accounts.

 

However, the disclosure timeline of this vulnerability is a little troubling. vBulletin (the vendor) appears to have known about this exploit vector since at least August 27th, 2013, as evinced by this blog post. The attack was reported by a victim at least as early as September 5, 2013, which was the same day as this security patch tweet, which may or may not address the issue -- there appear to be no public release notes for this patch. The first time there's any real public knowledge posted is the above Imperva analysis, which was the genesis for the OSVDB entry and, now, this module.

 

So, if you're responsible for a vBulletin community, you might want to leap on this patch. If you're like me, and wondering if the patch is effective, you can test it with the vBulletin Metasploit module. If it tests out okay, feel free to mention your results somewhere that vBulletin users are likely to see it. I'm sure they'd appreciate it.

 

D-Link's intentional backdoor

While the vBulletin thing is quite likely to be accidental, the D-Link backdoor is absolutely not accidental. For starters, it's an authentication bypass that is triggered by a custom User-Agent string (the thing that your browser uses to tell the server about itself). The string could technically be more obviously malicious, but it's a stretch. Reverse the string "xmlset_roodkcableoj28840ybtide" and you get "editby04882joelbackdoor_teslmx". So, intent here is pretty clear.

 

The most recent discoverer of this backdoor has some pretty solid evidence that intelligence on this has been floating around, at least in Russia, since 2010.

 

There is at least one unattributed quote that D-Link was also aware of the backdoor, and it was implemented on purpose as "a failsafe." Simpler times, I guess, if it's true. At any rate, we have an easy-to-use DLink User-Agent Backdoor Scanner, and there's active R&D work on turning out a proper remote code execution module.

 

The other MSIE 0-day

As promised last week, we also have a working exploit for the other Microsoft Internet Explorer vulnerability patched by MS13-080: MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free. I won't beat on this too much, primarily because this disclosure horse is quite dead. However, we have a situation now where IT shops may feel like they've bought some time with Microsoft's Fix-It or EMET solutions for the originally reported vulnerability patched by MS13-080, the SetMouseCapture Use-After-Free bug (aka CVE-2013-3893), when in fact, they're still vulnerable to CVE-2013-3897, the CDisplayPointer UAF.

 

Since the former bug got more attention than the latter, your 3rd party proxy or IPS-based protections may not be aware of this. So, obviously, while patching is the best recourse, we know from the continued usability of good old MS08-067 that some organizations put off patching for a long, long time. In particular, according to Metasploit researcher Wei Chen, the original in-the-wild exploit for the CDisplayPointer UAF bug was pretty incomplete, even though it had been floating around since mid-September. The Metasploit module that exploits this vulnerability is much more solid and clear about the vulnerability itself, which can help defenders better understand the problem.

 

Why do this?

This whole philosophy of delivering clean, reliable exploits to the good guys (penetration testers, quality testers, and IT admins, among others) has been kind of front and center the last couple weeks here at Metasploit. Maybe the reasons are obvious (at least to security folks) why we do this, but to be explicit:

 

知彼知己,百戰不殆;不知彼而知己,一勝一負;不知彼,不知己,每戰必殆 
    Sun Tzu, Art of War, Chapter 3

 

If you know others and know yourself, you will not be imperiled in a hundred battles; if you do not know others but know yourself, you win one and lose one; if you do not know others and do not know yourself, you will be imperiled in every single battle. 
    Sun Tzu (translated)

 

Thanks, WikiQuote! Also, thanks tons to Juan Vazquez, sinn3r, and m-1-k-3 for putting these modules together.

 

New Modules

We're shipping ten new modules this week, including the ones discussed above. Five are exploits, four are auxiliary, and one post. Note that the WRT110 module replaces the existing WRT110 command exec module, so it's not technically new.

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

When you're assessing the exposure to phishing in your organization, one important part is the set of client-side vulnerabilities that would enable a malicious attacker to exploit a browser. In this blog post, I'd like to outline a non-invasive (and free!) way to get visibility into your client-side risk landscape.

 

There are essentially two ways to use phishing as part of your security program.


  • Phish 2 Pwn: If you are a penetration tester, you'll likely use spear phishing of a couple of users to compromise a machine to gain a first foothold in the network and then pivot from there.
  • Phish 2 Educate: Phishing as part of your security program uses simulated phishes to see how many of your users would click on a link or enter credentials on a fake form.

 

Metasploit Pro offers phishing options for both Phish 2 Pwn and Phish 2 Educate. For this blog post, we'll focus on the latter. With Metasploit, you would typically set up your phishing email, containing a link to a landing page, which could be used to do any of the following:

 

  • Exploiting the browser or its plugins
  • Displaying a fake login page to harvest credentials (e.g. OWA login page)
  • Tracking click-throughs
  • Delivering security awareness training
  • Any combination of the above

 

Some phishing projects don't allow you to exploit clients, but there is a great way to determine client-side vulnerabilities using a free Rapid7 product called BrowserScan. Think of BrowserScan like Google Analytics for client-side vulnerabilities: You embed an invisible JavaScript snippet in your landing page and view the vulnerabilities in your BrowserScan dashboard. It records both browser and plugin vulnerabilities. While a vulnerability management solution, such as Nexpose, can give you this kind of information about clients inside your network, BrowserScan gives you the vulnerability ratings of the machine actually used by the user, such as the user's home PC.

 

Here's how you do it:

 

  1. Create your free BrowserScan account
  2. Click on Tracking and choose the Transparent badge, which is not visible when the user visits the page
  3. Embed the JavaScript code in your phishing landing page

 

BrowserScan1.png

 

Once you have run your phishing campaign, you'll be able to see the results of the vulnerable scanners in your BrowserScan Dashboard:

 

browserscan7.jpg

 

You can view the number of vulnerable clients overall or by a particular plugin. Here's Oracle Java by vulnerability status:

 

browserscan6.jpg

 

You can also see the breakdown by version number:

 

browserscan5.jpg

 

BrowserScan is not only limited to your phishing campaigns - you can also host it on other web pages, e.g. your intranet page or a frequently used internal web application, to get a quick, easy, and free view of your users' security posture, no matter where they may access the page from. You can even include a badge on your intranet page that gives the user instant feedback of their security posture. You may even consider this for your phishing training page:

BrowserScan3.jpg

Want to give this a try? Create your free BrowserScan account now!

Updates to the ROPDB

Hey, remember last week when we shipped that unpatched MSIE exploit?  Yeah, good times. Well, first off, it's patched now, so get yourself revved up to at least MS13-080 to protect against CVE-2013-3893. That said, the story's not quite over yet.

 

Just about a year ago, Wei sinn3r Chen and Juan Vazquez put together the Return-Oriented Programming Database, or ROPDB. This innovation provides exploit writers a fairly generic mechanism to come up with useful ROP chains from a stock of known-good DLLs.

 

Fast-forward to today. If you'll remember from sinn3r's exploit for MS13-080, the in-the-wild exploit was using an Office DLL to avoid tripping up on DEP (Data Execution Prevention) -- in other words, to skip past DEP by using a ROP chain. This week, you'll find new options for using ROP chains found in shipping versions of Office 2007 and Office 2010. Turns out, many-to-most users of Internet Explorer also tend to have a version of Office installed, so exploiting MSIE bugs by using Office's shipped version of hxds.dll is a pretty safe bet.  Incidentally, hxds.dll is a registered handler for "ms-help://" URI scheme, so it's available from MSIE-land.

 

In addition to this, the other ROP chains were reviewed and updated, so you should find some more reliability in the already-shipping chains for msvcrt.dll and java.dll.

 

In other MSIE exploit news, you may have seen the report about another 0-day that was floating around for a month, also patched by MS13-080. The fact that it was known to vendors and some researchers to be circulating in the wild for a whole month with no fixit, no public alert, and no Metasploit module to let defenders test their defenses is a little disconcerting, but never mind all that -- we have a line on a sample for CVE-2013-3897 as well, so expect that to be released here Real Soon Now.

 

New Modules

We're shipping six new modules this week -- 5 exploits, and the one bruteforcer auxiliary module for Sentry Switched CDU. If you watch the open source diffs, you'll notice that community contributor Christian FireFart Mehlmauer apparently got sick and tired of seeing the "rport" and "peer" methods defined in about 50 different modules, and did some housekeeping. Thanks FireFart!

 

Exploit modules

 

Auxiliary and post modules

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.
