Skip navigation
All Places > Metasploit > Blog
16 17 18 19 20 Previous Next


697 posts

Meterpreter Extended API

This week, we've got some new hotness for Meterpreter in the form of OJ TheColonial Reeves' new Extended API (extapi) functionality. So far, the extended API is for Windows targets only (hint: patches accepted), and here's the rundown of what's now available for your post-exploitation delight:


  • Clipboard Management: This allows for reading and writing from the target's clipboard. This includes not only text, like you'd expect, but a seamless download of files and images as well. Useful for grabbing interesting but temporary data such as passwords or files copies from remote sources.
  • Service Management:  Meterpreter users are familiar with the overview provided by regular 'ps', but the service management interface allows for more detailed readouts of running services; most notably, DACLs, load order group, the start up status, and if that service can interact with the desktop.
  • Window Management: Gives the ability to easily enumerate all open Windows. This can help penetration testers discover if a particular target is worth VNC'ing in on at the moment.


In addition to all this, the Extended API structure makes it a handy place to start prototyping new Meterpreter functionality for Meterpreter hackers who aren't named OJ. It's pretty well organized from the get-go and doesn't require refactoring to core Meterpreter functionality to get something put together and demo-able quickly. So, if you've got an idea of what you'd like to see Meterpreter make easier that's relevant to your particular pen-testing workflow, this is a great place to start.


New HttpServer / HttpClient HOWTO

Not too long ago, we announced Wei @_sinn3r Chen's Browser Exploit Server, a nice Ruby mixin that consolidates a lot of the grunt work behind developing exploits. This week, Wei has fleshed out more of the exploit dev documentation with a nice, compact HOWTO-style guide on writing modules that leverage the strengths of the revised HttpServer and HttpClient mixins, so read up on it here.


I've been bugging sinn3r to put together some YouTube videos on the process of exploit dev as well, complete with the requisite thumpa-thumpa music, but you are welcome to beat him to it by following his documentation for your next browser exploit. The kids love the YouTube, and watching exploit devs type is apparently an effective teaching technique for some.


SAP for People Closer to GMT

If you missed last week's SAP hacking webcast by Juan Vazquez, Christian Kirsch, and yours truly, we'll be hosting it again live next week. You can register here, and it'll be held mid-afternoon for those of you who are observing a European time zone. We hear SAP is big over there, so we'll be getting online early in the AM here in Austin to make sure you all can participate in our overview of the state of the art of SAP reconniscance and exploitation with Metasploit.


New Modules

It's an even split this week between exploit and non-exploit modules, with eight total. Rails has another DoS that we exercise this week, thanks to sinn3r's Rails Action View auxiliary module which exploits CVE-2013-6414; now would be a fine time to check your Rails version and update accordingly to get the fix.


Exploit modules


Auxiliary and post modules


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.


We've been all SAP all the time here in the Independent Nations of Metasploit, and expect to be for the rest of the week. You might recall that Metasploit exploit dev, Juan Vazquez published his SAP survey paper a little while back; on Tuesday, we did a moderated twitter chat on the hashtag #pwnSAP with the major SAP-focused Metasploit contributors Bruno Morrison, Chris John Riley, and Dave Hartley; and today (Thursday, December 5), Juan and I will be hosting a webcast on the various and sundry SAP exposures that Metasploit covers, and There Will Be Demos and Q&A, so it should be fun.


The whole thing has been pretty eye-opening for me; there's been a bunch of movement in the research over the last 18-24 months or so, and I'm delighted that so many talented people are making noise about this in the form of Metasploit modules. Hopefully all this will raise some awareness of the risks and exposures involved with running huge, complex, interconnected systems like ERP in general.


Silverlight Exploit

In other (non-SAP) news, this week, we're shipping our first ever Silverlight exploit, which exploits MS12-022 (aka, CVE-2013-0074). That's exciting. Use your DNS MITM attacks to jack the Netflix domains, wait for Orange is the New Black fans to connect, and profit!


It's important to know that the vulnerability is in Silverlight proper, and not IE, so while our exploit targets Microsoft Internet Explorer only today, the vulnerability is actually cross-platform. So, now that we've done this groundwork of demoing how to write a Silverlight exploit in Metasploit, all we need now is some enterprising young researcher to port this to a working Apple implementation. Have at it!


New Modules

I know, I know, last week we kind of cheated you out of your usual complement of new modules, thanks to the the Ruby float bug. To make it up to you, we have 14 new modules this week, including the Silverlight module mentioned above. Have at it! There's a lot of neat new attacks in there, so thanks again to our beloved community contributors for their efforts on these.


Exploit modules


Auxiliary and post modules


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

If you’re conducting security assessments on enterprise networks, chances are that you’ve run into SAP systems. In this blog post, I’d like to give you an introduction to SAP and ABAP to help you with your security audit.


The full SAP solution (ERP or SAP Business Suite) consists of several components. However, to manage the different areas of a large enterprise, probably one of the better known components or features of the SAP solution is the development system based on ABAP, the language used to build business applications on the SAP platform.


The traditional way to execute ABAP code is to use a transaction, for example, from any existing SAP client (which will be reviewed later):




One way to simplify the concept of the SAP platform is to think of it as an application server. Most readers are probably familiar with Java-related application servers, so it’s easy to think of SAP as an ABAP application server. In fact, SAP is capable of running ABAP applications as well as applications written in Java. The name of SAP’s application server is SAP NetWeaver...


If you’d like to know more about this platform and how to pentest it with Metasploit, get your free research paper now "SAP Penetration Testing Using Metasploit - How to Protect Sensitive ERP Data."


If you'd like to join a live discussion on the topic, we're also hosting a tweet chat tomorrow, December 3, at noon ET under the hashtag #pwnSAP. Or you can register for our webcast on Thursday, December 6 at 2:00pm ET, "Become an SAP Pwn Star: Using Metasploit for ERP Security Assessments."

Metasploit 4.8.1 Released

Thanks to the revelations around the recent Ruby float conversion denial of service, aka CVE-2013-4164 discovered and reported by Charlie Somerville, this week's release is pretty slim in terms of content; on Friday (the day of the first disclosure), we pretty much dropped everything and got to work on testing and packaging up new Metasploit installers that ship with Ruby 1.9.3-p484, which fixes the bug.

Ruby Logo CC-SA 2.5

As far as we are able to tell, it's merely a denial of service, so the worst that happens is that your given Ruby application can crash out with a segfault. Like most other Ruby bugs that lead to segfaults, we haven't been able to tease any code exec out, but it's not completely impossible.


So, in case it's not absolutely clear, Metasploit Community, Express, and Pro are all vulnerable as of Metasploit 4.8.0 and prior; again, we don't have a remote code exec path, but getting your assessment knocked out from under you can be more than a little unpleasant. Update to Metasploit 4.8.1 before you start your next engagement, and you'll be golden. We've also updated the Metasploit Framework repo to suggest ruby-1.9.3-p484, so take a moment to install that as well on your development environment if you're that sort.


We're not the only ones who were exposed to this, of course. If you have control over your Ruby installations, you'll want to update if you haven't already. If you rely on a cloud provider or some other kind of provisioning service, you should get with them; to take just one example, Sebastian Saunier has a procedure to update all your Heroku apps, all nicely scripted out in this gist.


PS:, it's a little unneighborly to disclose on a Friday; I'm sure the world's Ruby administrators could have used an extra weekday or two. No time is a good time for new vulns, but when Rapid7 discloses, we make every effort to make sure we coordinate around Wednesdays.


New Modules

Alas, we just have the one new exploit that managed to get landed before the Ruby code review and update freak out. I Promise we'll have more next week, including the Metasploit module that exercises the aforementioned bug (it's landed on our development repo, but that won't be released until next week).


Exploit modules


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Browser Exploit Server

This release includes the much vaunted and anticipated BrowserExploitServer (BES) mixin, the brainchild of Metasploit exploit developer Wei @_sinn3r Chen. Metasploit, at its core, is designed to be both an exploit delivery system and exploit development system, so this new mixin should help tremendously with the latter. BES, in a nutshell, saves you, the exploit developer, a ton of time when it comes to common chores like operating system identification, browser identification, and plugin detection. It also adds some best-effort client vulnerability detection before firing off the exploit, which is handy if you need to keep your super-secret 0-day still super-secret.


There's a few other niceties in there as well, but I don't want to completely spoil the surprise. Sinn3r has written up some comprehensive documentation on using BrowserExploitServer as well as a bunch of refreshed hints on using HttpServer (which may or may not be an exploit). Note that it's on the module writer to decide which one is the right one to use; there are times where you may not want or need all the browser-y things that BES provides.



IPMI Exploiter's Diary

This week also sees the release for a proper exploit on one of the recently disclosed IPMI vulnerability; when the process of developing a reliable exploit has some particularly novel aspect, Metasploit exploit developer Juan Vazquez has a habit of churning out some really fasciniating notes on the process. If you haven't already, check out his blog post, Exploiting the Supermicro Onboard IPMI Controller. It's a pretty detailed look at the process he and discoverer HD Moore went through to get reliable code execution on these buggers, so if you're interested in that sort of thing, or especially if you're stuck on something similiar, posts like that one can really help you out.


KiTrap0D, Modularized

Finally, the other exploit module this week is, in fact, the first from Meterpreter grandmaster OJ TheColonial Reeves. While cleaning up Meterpreter, he noticed that the KiTrap0D implementation on Meterpreter's 'getsystem' function could be a little flakey. By default, Meterpreter supports a number of methods for privilege escalation to SYSTEM privileges, and attempts each one of them in order until one succeeds or they have all failed. While KiTrap0D is a fine strategy for this, it did occasionally crash the Meterpreter getsystem function, or worse, BSOD the box. Needless to say, the getsystem call shouldn't result in this kind of behavior and so the decision was made to change getsystem so that it doesn't make use of exploits like this. As a result, KiTrap0D was removed from getsystem, and turned around into a regular local exploit module.


New Modules

Including the two exploit modules mentioned above, we have seven new modules this week. And yes, that's a compressed file memory bomb DoS module. No, it's not from 1988.


Exploit modules


Auxiliary and post modules


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Last week @hdmoore published the details about several vulnerabilities into the Supermicro IPMI firmware. With the advisory's release, several modules were landed into Metasploit in order to check Supermicro's device against several of the published vulnerabilities:



This module can be used to check devices using an static SSL certificate shipped with Supermicro Onboard IPMI controllers. (CVE-2013-3619).

smt_ipmi_url_redirect_traversalThis module can be used to abuse a directory traversal on the url_redirect.cgi component and download files with root privileges. Authenticated access to the web interface is required.
smt_ipmi_cgi_scannerThis module can be used to remotely check if a device if vulnerable to two unauthenticated remote buffer overflow, respectively on the login.cgi (CVE-2013-3621) and close_window.cgi (CVE-2013-3623) components.


Just a day after the advisory's release we were able to finish a functional exploit for one of the unauthenticated overflows (CVE-2013-3623), allowing to get root access to the device through the close_window.cgi component on the web interface.


This exploit development was quite interesting because we had just remote restricted access to a real Supermicro device, running the firmware SMT_X9_214 and, of course, emulation. While emulation is a great resource to search for vulnerabilities and development of proof of concepts, often it isn't enough to ensure a real live working exploit. In this blog we would like to share a couple of funny tricks we used to end the real live exploit. Hope you enjoy!


Traversal to the rescue


The first requirement in order to deploy a real-live working exploit is to know which common memory protections (NX, ASLR) apply. In order to get this information the Directory Traversal vulnerability on the url_redirect.cgi was used. Since the vulnerability allows access to arbitrary files with root privileges, even with restricted web access, this one was perfect to get some environment information. The trick here was to use the directory traversal to read "/proc/self/maps". Even when the maps would be the url_redirect.cgi's one, it would be good enough to check memory protections applied to cgi's processes, and even when we were aware of the lack of ASLR for the main executable and libraries, thanks to the @hdmoore's previous experience with the UPnP exploit, we were able also to discover stack and heap executables:


00012000-00033000 rwxp 00012000 00:00 0          [heap]

bee78000-bee8d000 rwxp bee78000 00:00 0          [stack]


This information was highly valuable in order to design the exploit for the close_window.cgi overflow, where the space and badchars limitations, would make a "return into libc-system" really hard otherwise!


Details matter


With the information above, and the help of qemu, a first version of the exploit could be developed. Still not accurate enough to get real live shells! Indeed, when exploiting, details and the environment are important things to have into account, and the traversal directory vulnerability, even when powerful, was not enough to get a session. In order to end the exploit on a reasonable time, collect debug information about the process on the real device became a requirement.


Having restricted shell access to the real Supermicro's device, was time to check what could be done with it:


ATEN SMASH-CLP System Management Shell, version 1.04
Copyright (c) 2008-2009 by ATEN International CO., Ltd.
All Rights Reserved

-> help

  The managed element is the root

  Verbs :



SSH access provides a restricted SMASH System Management Shell, which indeed isn't very useful for environment inspection / exploiting debug. Even when the command line help isn't very encouraging, neither the SMASH's specification from the DMTF, we had access to the firmware and the ATEN SMASH binaries. Fortunately, after digging a little around them, something interesting was found. While following the code responsible of handling the command line, close to the parsing of pipes ("|") and semicolon characters (";") the parsing of the next word keys is found:



Specially interesting is to find the reserved word "shell", so time for a new test:


-> shell test
Change shell to test
changing shell fails.: No such file or directory



Interesting! So looks like a shell comand exists indeed. A little more of static analysis reveals which the shell command not only exists, but should allow easily arbitrary command execution :



Time to test:


-> shell ls
Change shell to ls
SFCB        bin        dropbear    lib        lost+found  proc        sys        usr        web
SMASH      dev        etc        linuxrc    nv          sbin        tmp        var        wsman



Looks good, one more test...


-> shell sh
Change shell to sh
# uname -a
Linux (none) 2.6.17.WB_WPCM450.1.3 #5 Wed Apr 24 10:53:55 PDT 2013 armv5tejl unknown


And a root shell opens in front of us! (SMT_X9_315 firmware fixes the "shell sh" escape). With a root shell available, in order to end the development of the exploit we chose to configure generation of core dumps to the /tmp folder, mounted with rw and enough space available:


# mount
rootfs on / type rootfs (rw)
/dev/root on / type cramfs (ro)
proc on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /tmp type tmpfs (rw)
devpts on /dev/pts type devpts (rw)
/dev/mtdblock1 on /nv type jffs2 (rw)
none on /tmp type tmpfs (rw)
/dev/mtdblock4 on /web type cramfs (ro)
# df -h
Filesystem                Size      Used Available Use% Mounted on
rootfs                  20.0M    20.0M        0 100% /
/dev/root                20.0M    20.0M        0 100% /
none                    36.0M      1.1M    34.9M  3% /tmp
/dev/mtdblock1            1.3M    320.0k    960.0k  25% /nv
none                    36.0M      1.1M    34.9M  3% /tmp
/dev/mtdblock4            3.9M      3.9M        0 100% /web


To extract the core dumps we used openssl s_server and the legit web server certificate to set up a fake HTTP server, allowing external access to the /tmp directory contents. Several core dumps later we were able to make the exploit work smoothly on the real device :

msf exploit(smt_ipmi_close_window_bof) > show options

Module options (exploit/linux/http/smt_ipmi_close_window_bof):

   Name     Current    Setting  Required  Description
   ----       ---------------  --------     -----------
   Proxies                                  no         Use a proxy chain
   RHOST                                 yes       The target address
   RPORT                                 yes       The target port
   VHOST                                 no         HTTP server virtual host

Payload options (cmd/unix/generic):

   Name  Current Setting                        Required  Description
   ----  ---------------                        --------  -----------
   CMD   echo metasploit > /tmp/metasploit.txt  yes       The command string to execute

Exploit target:

   Id  Name
   --  ----
   0   Supermicro Onboard IPMI (X9SCL/X9SCM) with firmware SMT_X9_214

msf exploit(smt_ipmi_close_window_bof) > rexploit
[*] Reloading module...

[*] - Sending exploit...
[*] Exploit completed, but no session was created.


Checking the proof of success on the Supermicro's device:


ATEN SMASH-CLP System Management Shell, version 1.04
Copyright (c) 2008-2009 by ATEN International CO., Ltd.
All Rights Reserved

-> shell sh
Change shell to sh
# cd /tmp
# pwd
# cat metasploit.txt


Definitely, it you are using Supermicro's motherboard, you should review the information and updates on the Supermicro IPMI Firmware Vulnerabilities article, and apply the vendor's updates if necessary.


Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments

By guest blogger and Rapid7 customer David Henning, Director Network Security, Hughes Network Systems


A few weeks ago, Rapid7 asked me to participate in the Metasploit Tech Preview for 2013. I’ve participated in a couple of other product previews in the past. I like the interaction with the Rapid7 development teams.  This tech preview was smooth and it was easy to participate. Previous testing sessions required interactions over e-mail and there was shv-new-look.pngsome associated lag. This preview was managed via the Rapid7 community site which helped it run much more smoothly.


So now I’ve been asked to give my impressions of the latest Metasploit 4.8. My team and I have been kicking it around for a little over a week now. What’s new? Well, there are five main improvements to the tool; user interface, reporting, passive network discovery, vulnerability validation, and the validation wizard. Of these, we were asked to test two, the user interface of the single host screen and the vulnerability validation wizard.


My take on the latest Metasploit Pro? The UI is nice. It has a clean modern look you would expect in this age of sleek phones and tablets. The quick start wizards allowed me to get going quickly, but I still had the ability to walk through a new project step-by-step, if I chose. The new tabs in the single host view include summary numbers. For example, a host with three services will have the number 3 circled on the Services tab just like the mail app on my phone tells me how many messages I’ve got.


vvz-findings.pngThe big feature, though, is the Vulnerability Validation Wizard. In just a few clicks, you can use the wizard to connect from Metasploit into the Nexpose scanner product, download the recent scan data, and automatically launch tests to validate if the vulnerability can be exploited by Metasploit. This gives one the ability to prioritize vulnerabilities that need to be fixed now because they are easily exploited vs. vulnerabilities that are not easy or even are completely false positives. Once the vulnerabilities are validated or proven un-exploitable by Metasploit, the new wizard will continue the workflow and the findings are pushed back into the Nexpose console.


Collectively, I’m pleased with the new improvements to Metasploit Pro. The vulnerability validation and two-way communication with the related Nexpose scan tool is something I know I’ve asked for and suspect many other customers had as well. It saves me and my team considerable time compared to manually entering false positives or sending reports on valid vulnerabilities to our systems groups for remediation. Definitely looking forward to upgrading our production system when this is released.

Not having visibility can be dangerous in many situations. The new Metasploit 4.8 gives you better visibility in four key areas:

  • View phishing exposure in the context of the overall user risk
  • See which vulnerabilities pose the biggest risk to your organization
  • Have all host information at your fingertips when doing a pentest
  • Discover the latest risks on your network with new exploits and other modules


See Phishing Exposure as One Factor of User Risk

Users are often a weak part of the security chain, exposing organizations to attacks. This has led to a change in attacker methodology from brute force system-based attacks to deception-oriented attacks.  Especially phishing has seen a rise in recent years. Many organizations already conduct end-user trainings but find it challenging to determine how vulnerable their users really are and which users pose the largest risk.



Rapid7 Metasploit Pro measures the effectiveness of security awareness trainings by running simulated phishing campaigns and integrates with Rapid7 UserInsight to provide this information in the context of a more comprehensive user risk, including network access, cloud service usage, and compromised credentials.


What’s new – the details:

  • UserInsight can now pull phishing information through Metasploit Pro’s Remote API
  • UserInsight provides an overview of the current status of each user and incorporates the phishing risk into the overall user risk
  • Security professional can see user awareness trending over time


Here is how this helps you:

  • Clear picture of user risks: Security analysts get a quick and clear picture of a user’s accounts, network activity, cloud services, mobile devices, network activity and now phishing in one place, unifying information normally scattered across systems.
  • More effective security program: Tracking the effectiveness of security awareness trainings means you can adapt them to become more effective over time.


Metasploit Pro is the only phishing simulation solution that integrates with a solution to provide insight into user activity and risk. Unlike alternative penetration testing solutions, Metasploit Pro’s social engineering reports provides conversion rates at each step in the campaign funnel, such as how many people clicked through a phishing email, how many entered username and password on a fake website, and how many systems were compromised. Only Metasploit provides advice on how to address risk at each step in the social engineering funnel.


While some phishing simulation services can only measure user awareness, Metasploit Pro can also measure the effectiveness of technical controls. If desired, phishing web pages or email attachments can contain exploits that test patch levels, security configurations, and network-based defenses.


Simulated phishing campaigns are exclusive to Metasploit Pro users.


See which vulnerabilities pose the biggest risk to your organization


vvz-nx.pngVulnerability scanners can determine installed software and its vulnerabilities but not whether it poses a real risk in the context of your network. This is dangerous and wasteful because IT teams need to fix all vulnerabilities with equal priority.


Vulnerability validation helps you to determine if a vulnerability poses a high risk to your environment. It focuses on vulnerabilities with known public exploits that provide an easy way into your network - even for less experienced attackers.

Metasploit Pro simplifies and expedites vulnerability validation. It provides a unified, guided interface, called the Vulnerability Validation Wizard, that walks you through each step of the vulnerability validation process - from importing Nexpose data to auto-exploiting vulnerabilities to sending the validation results back to Nexpose. You can even define exceptions for vulnerabilities that were not successfully exploited.

Nexpose and Metasploit Pro seamlessly integrate to streamline the vulnerability validation workflow. It creates a closed-loop security risk assessment solution so that you can find potential vulnerabilities, exploit them, and identify the security flaws that pose a real threat to a network.


After vulnerabilities have been validated, the results are returned to Nexpose, where exploitability of a vulnerability can be used to create reports and prioritize vulnerabilities for remediation.



What’s new – the details:

  • Metasploit added a vulnerability validation wizard, greatly simplifying the vulnerability validation process.
  • Exploited vulnerabilities are now marked in Nexpose with a special icon,
  • Nexpose users can create a dynamic asset group containing validated vulnerabilities, making it easy to see how many machines fall into that group and enabling reporting and trending,
  • Nexpose users can now filter by exploited vulnerabilities and create top remediations reports that provide clear instructions for the IT teams.
  • Vulnerabilities discovered by Metasploit that were not part of the original Nexpose import are marked with a green “New” flag.
  • Clear status next to each vulnerability in Metasploit on whether the vulnerability could be exploited.
  • Faster and more robust import of vulnerability scans from Nexpose and third-party scanners


Here is how this helps you:

  • Reduced cost: Focusing on prioritized, high-risk vulnerabilities reduces the workload of the remediation team.
  • Higher security assurance: Knowing which vulnerabilities pose a high risk and addressing them first reduces the likelihood that an attacker can get in.
  • Higher credibility: Provide proof of exploitability to application owners to elevate the remediation discussion to an objective level




Only Rapid7 offers closed-loop vulnerability validation, returning information about successful validations and vulnerability exceptions into the vulnerability management solution for easy remediation, reporting, and trending.


Unlike other solutions, that require a manual XML export and import of vulnerability data, Metasploit Pro can pull existing scan data directly from Nexpose, through a supported API.


Closed-loop vulnerability validation is exclusive to Metasploit Pro users.


If you're interested to hear more about vulnerability validation and see a live demo, join our free webcast "Don’t Trust, Validate! How to Determine the Real Risk of Your Vulnerabilities."


Have all host information at your fingertips when doing a pentest


While penetration testers are used to bending technology to suit their needs, solving difficult tasks is not an end it itself. Especially in large penetration tests, it can be challenging to manage a lot of data efficiently and without losing the overview. These difficulties can quickly cause longer work hours and overdue projects.


Metasploit Pro makes it easier to carry out standard tasks and to manage the vast amount of information collected during a penetration test. This directly translates into time savings and a reduced training need for new staff. For example, Metasploit Pro manages data by tracking active projects, importing results from other sources, and now allowing manual input.


What’s new – the details:

  • Overhauled usability of the single host view, the most used screen in Metasploit Pro, to provide all important data at a glance.
  • New screen includes counts/stats for services, vulnerabilities, notes, credentials, captured data, file shares, exploit attempts, and matched modules.
  • Pentesters can now manually add services, vulnerabilities, credentials, and captured data files they have discovered outside of Metasploit.


Here is how this helps you:

  • Reduced cost: Better usability means shorter project times, lower cost, and reduced training needs for new staff


Metasploit Pro makes it much easier than Metasploit Framework to handle large penetration tests and bring new staff on board.

The new single host view is available in Metasploit Community, Metasploit Express, and Metasploit Pro.


128 New Modules in Metasploit 4.8.0: Routers, HP Enterprise Software, and Awesome Payloads


First off, we have 128 new modules since 4.7's release back in July (and you get bonus secgeek points if that count makes you a little nervous). That comes in at just about one and a half new modules a day, every day, since July 15. These modules are all over the place, since most of them come in unannounced to be cleaned up and put to work like so many Dickensian orphans. However, some themes did shake out with what we pursued in exploit-land for this release.


We have eight new modules targeting SOHO routers and access points, from Michael Messner, Craig Heffner, Brandon Perry, and Juan Vazquez. SOHO router hacking has been a focus for Metasploit for about a year now, and we're still championing the idea that if you have work-from-home employees, or even high-priority targets like the CFO's laptop, SOHO routers like these should be in scope for your engagement. It's a discussion worth having, and the availability of Metasploit modules can help a penetration tester make his case.


There are 24 new modules that exploit ZDI-disclosed vulnerabilities, 20 of which saw a bunch of work from Juan Vazquez, who I swear doesn't have it in for HP. It just so happens that over half of these ZDI vulns are targeting HP enterprise server software, including StorageWorks, LoadRunner, IMC, and Procurve Manager. ZDI bugs are great targets for exploit developers, because they represent popular software that you're likely to find in the enterprise, so penetration testers get a lot of mileage out of these.


This release was unique among most in that there are some really neat new payloads; we now have new shell bind and reverse shell payloads in Lua and Node.js from xistence and Joe Vennix, respectively. These go along with our usual bash, VBS, Perl, Python, and assorted other language shells. If your client's IDS/IPS/AV vendor isn't paying attention, these new shell spawners might slip past their tried-and-true defenses. That said, I have to say that the most exciting new payload is a Python implementation of Meterpreter from Spencer McIntyre. This brings more Meterpreter functionality to pretty much any standard Linux build, and is getting much more active development than our old C-based POSIX Meterpreter.


Oh, yes, and there's good old Windows Meterpreter. We've made huge improvements there, thanks to some phenomenal focused effort from OJ "TheColonial" Reeves. OJ has brought Meterpreter (sometimes kicking and screaming) to the modern era of C development, with a completely revamped build environment (using the free edition of Microsoft Visual Studio 2013) and continuous integration platform. Along the way, he smashed a huge pile of bugs and annoyances, both internally and externally reported. What this all means to users is that Meterpreter is slightly smaller and *much* more stable now, *and* it's totally amenable to open source C development. The days of having to incorporate every change with the tribal knowledge of James "Egypt" Lee and HD Moore are pretty much over.


For exploit developers, we have a bunch of new brand new libraries for use: FireFart's WordPress manipulation API makes WP-specific assessments much easier, and Meatballs' WDSCP protocol library takes advantage of insecure Windows Deployment Services (are there any other kind?) to get a quick foothold in a WDS-imaged enterprise. Meatballs also contributed a handful of new binary templates for use with payload generation, including templates for PowerShell, VBA, MSI installers, and more, all of which complicate Metasploit's relationship with the various anti-virus vendors.


Of course, that's not all, but those are the headline features for Metasploit Framework 4.8.0. We landed over 2,300 commits since mid-July; the summary above and the modules below represent the most visible changes. But with nearly a hundred non-Rapid7 people who got commits into the master repository for Metasploit Framework, it's really pretty impossible to give a complete rundown of every cool new thing that hit; for that, you can start by looking at the last four or five months' worth of blog posts, or even better, peruse the git shortlog (from your nearest git clone, type 'git shortlog 4.7.0...4.8.0').


So, thanks to all the volunteers listed below for all your commits (and commitment!) to our collective open source security product, sorted by commit count, then alphabetically by first name or handle. You guys make Metasploit go.


Meatballs1, FireFart, jiuweigui, Spencer McIntyre, m-1-k-3, several people calling themselves "root" (fix your .gitconfig, guys!), Nathan Einwechter, xistence, Rick Flores, Karn Ganeshen, MrXors, AverageSecurityGuy, Ramon de C Valle, Markus Wulftange, kaospunk, dummys, Bruno Morisson, RageLtMan, mubix, g0tmi1k, darknight007, bcoles, TecR0c, shellster, Charlie Eriksen, Rich Lundeen, Boris, bmerinofe, joernchen of Phenoelit, jgor, jamcut, ZeroChaos, trustedsec, Shelby Spencer, Sean Verity, Patrick Webster, Dhiru Kholia, ddouhine, Davy Douhine, Alexandre Maloteaux, Tyler Krpata, swtornio, Stephen Haywood, Ryan Wincey, Norbert Szetei, Nicholas Davis, kernelsmith, h0ng10, Frederic Basse, Daniele Martini, Brandon Perry, Brandon Knight, Winterspite, Vlatko Kosturjak, violet, tkrpata, Till Maas, scriptjunkie, Sagi Shahar, Ruslaideemin, Rick Flores, rbsec, pyoor, Paul, nmonkee, MosDefAssassin, Matt Andreko, Juushya, Joshua J. Drake, Jon Hart, Jonathan Rudenberg, Joff Thyer, Joe Barrett, Icewall, Henrik Kentsson, ethicalhack3r, Darren Martyn, corelanc0d3er, Borja Merino, Booboule, allfro, and Alexia Cole.


New modules since 4.7.0:


Exploit modules


Auxiliary and post modules


The new modules are available in all Metasploit editions, including Metasploit Pro, Metasploit Express, Metasploit Community, and Metasploit Framework.


And It's All Available Now


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

This month, a security researcher disclosed that a version of the old banking Trojan “Trojan.ibank” has been modified to look for SAP GUI installations, a concerning sign that SAP system hacking has gone into mainstream cybercrime.  Once a domain of a few isolated APT attacks, SAP appears to be in the cross hairs of hackers that know just how much sensitive data ERP systems house, including financial, customer, employee and production data.  With more than 248,500 customers in 188 countries, SAP may see an increase of attacks and their customers face the threat of data theft, fraud and sabotage.


SAP-architecture-for-pentesting.jpgThis trend is not really surprising, given that financial, customer, employee and production data reside in a company’s enterprise resource planning (ERP) systems—and they are juicy targets for all sorts of malicious hackers. What’s worse, these systems have often organically grown over decades and are so complex that few people understand their organization’s entire ecosystem, let alone some of SAP’s protocols and components that are not publically documented. If you are a security professional responsible for security audits, you may want to download Rapid7’s new free research paper on conducting penetration tests on SAP systems.


Organized cyber-crime often looks for credit card numbers contained in business transaction data, which they use to conduct fraudulent transactions. They can extract social security numbers in an employee database to conduct identity theft. By changing the payee account details in the system, they can redirect funds into their own accounts and go home with a hefty paycheck.


But cyber-crime is not the only player to worry about. State-sponsored hacking groups regularly break into enterprises for purposes of industrial espionage. ERP systems provide them with a wealth of data to pass on to their domestic industry – as well as a chance to sabotage production flows and financial data. As a result, mergers and acquisitions may fall through or foreign competitors may get a head start on copying the latest technology.


SAP is the market leader for ERP systems with more than 248,500 customers in 188 countries. In collaboration with its community contributors, Rapid7’s security researchers have published a research report on how attackers may use vulnerabilities in SAP systems to get to a company’s innermost secrets. The research report gives an overview of key SAP components, explores how you can map out the system before an attack, and gives step-by-step examples on how to exploit vulnerabilities and brute-force logins. These methods have been implemented and published in the form of more than 50 modules for Metasploit, a free, open source software for penetration testing. The modules enable companies to test whether their own systems could be penetrated by an attacker.

Many attackers will try to gain access to SAP systems by pivoting through a host on a target network, for example after compromising a desktop system through a spear phishing email. However, Rapid7 researchers found close to 3,000 SAP systems directly exposed to the Internet providing direct access to attackers.


Rapid7 security researcher Juan Vazquez has published a technical research paper summarizing the vast body of work published by security researchers and himself, many of them Metasploit open source contributors who are credited throughout the paper. The research paper is a practical, technical overview of the various SAP systems and protocols as well as over 50 Metasploit modules that can be leveraged for pentesting SAP solutions. Get your free research paper now “SAP Penetration Testing Using Metasploit - How to Protect Sensitive ERP Data”

By Guest Blogger Marius Corîci,


Before I start, I would like to thank the Metasploit team at Rapid7, and the Kali Linux team at Offensive-Security for their kindnesses to let us use their logos on our platform. I'd especially like to thank hdmoore and ckirsch at Rapid7 as well as Mati Aharoni at Offensive Security. This means a lot to us.


Note: If this article is TL;DR, then I recommend you just go to create an account, create a team and start play with it.



A little bit of history before introducing CTF365


In October 2011, we started the HackaServer Project, a web security testing platform using the power of crowd sourcing. When we were building HaS we had to come up with a way to create a spin off in case things were not moving in the direction that we anticipated. I have to mention that HaS is not open for business yet because of one simple reason: We are a very small team.


A short recap


Information Security through Gamification is not a brand new concept. In fact is quiet old, as old as the Internet: It is called CTF – Capture The Flag. The DefCon conference had one of the first CTF competitions. You can check CTF Time to see where a CTF has taken place, which are organized by CS faculties, companies or even governments agencies.


Why CTFs?

The best way to learn is to learn on the job. Gamification improves skills, and provides education and training. Learning information security through gamification increases students/employee engagement, improves retention rate and speeds up the learning curve/process. At the same time, it is entertaining, challenging, community-driven and hands-on for the students and employees participating in it.


Today's CTF competitions are very diverse, going all the way to attack-and-defense scenarios where Red Teams and Blue Teams play against each other. Teams often show an unparalleled level of effort and dedication.


However, traditional CTFs have these issues:


  • Short duration – CTFs typically only take between 24 hours and a few days.
  • On-site – Many CTFs require you to be physically present at the venue.
  • Few and far between – CTFs don't happen on a regular schedule, and they happen all over the globe.
  • Not beneficial for work – Because CTFs aren't centrally organized, there are no universal scores that are meaningful to a penetration tester's hiring manager.
  • Artificial – Many CTFs don't resemble a real-life network and restrict the players with plenty of rules.



So why another CTF when there are already so many?


We, the team behind CTF365, decided that is time to change the way CTF is designed and held by bringing a brand new approach and push security gamification at a bigger scale: World Wide. Our goal is to create the Internet replica of a real-life network where security professionals, security students and security wannabe to get continuous training on real man-made servers and infrastructures, not intentionally vulnerable servers.


How is that possible?


We did asked ourselves, too. It looks like we've made it. Although there is a lot more to do, our IaaS is flexible enough to mimic the real world. CTF365's flexible platform allows users to connect their own infrastructure, whether they are cloud-based, private or dedicated servers. We have already proven that is possible to have servers tested in the cloud, for example with Metasploitable on You can read this article right here on the Rapid7 Community.


Companies and organizations can set up their own CTF infrastructure within minutes, and all their users achievements can be added to the user's general performance. This feature will engage more users at future conference CTFs.



Who is it for?


  • Blue Teams, Red Teams, CERT/CSIRT - Offensive and defensive specialists can improve their trainings on life-like enviroments.
  • CTOs, System Administrators – Can experiment with server configurations and see if they can be defeated.
  • Security Vendors – Can test their WAFs and other software as well as hardware.
  • Security Training Companies – Improve their students retention rate on life-like environments.
  • Information Security Recruiters – Security Certificates are very important but user performance and achievements as security professional are a true testament of their abilities.
  • Web Security organizations like OWASP – Spread awareness among web developers and DevOps.
  • InfoSec Conferences – Participants really want to have fun and have their achievement count.



Where are we now?


At this moment, CTF365 is in Alpha Stage which means it's up and running with a small number of teams (over 30 teams) and there are +11,000 registered users and +900 teams ready to play all over the world. Being in Alpha means that we're still in the developing stage and those who have access to Alpha and future Beta can experiment and get a sneak peak at the live system.

Once we have scaled up our hardware, we'll be ready to let everyone to get in. During the Alpha and Beta phases, most users are security professionals from various pentesting and security training companies. As referrals for the pre-release environment, we also accept infosec professionals as well as infosec instructors/teachers. If you would like early access, just let me know.


The bottom line


“Security will never be perfect, but can be pushed to perfection.”

According to Frost & Sullivan, the global population of information security professionals will increase by 332,000 to 3.2 million at the end of year and reach ~5 million by 2017. The Internet grows faster than the world’s capacity to provide security-aware system administrators and engineers. We need to close this gap.

CTF365 aspires to build a playground to improve the training possibilities for information security professionals.

Sign up for a CTF365 account now!


Weekly Update

Posted by todb Employee Nov 6, 2013

Disclosures for SuperMicro IPMI

On the heels of last week's bundle of FOSS disclosures, we've gone a totally different direction this week with a new round of disclosures. Today, we're concentrating on a single vendor which ships firmware for Baseboard Management Controllers (BMCs): Supermicro, and their Supermicro IPMI firmware. You can read up on the details on HD's blog post which covers the five new CVEs.


It's important to stress that the vulnerabilities discussed by HD don't actually have much of anything to do with the IPMI subsystems themselves; rather, the focus was on the web and SSH management interfaces. Because of this, there is plenty of opportunity for attackers to leverage these oft-overlooked network services to gain a foothold in your datacenter, especially if you have permissive or non-existent firewall rules that expose these services to the Internet; by default SuperMicro's IPMI web and SSH interfaces listen on TCP/443 and TCP/22, as you'd expect.


A simple network misconfiguration such as a blanket "allow" rule on these ports, can accidentally expose these guys to the Internet. Experience shows that exposing management interfaces to the Internet is surprisingly common, and a quick peek at the Internet courtesy of Project Sonar shows that there are over 35,000 SUpermicro IPMI interfaces exposed to the world. Yikes.


We're toiling away on putting together some reliable exploits and scanner modules for the vulnerabilities, so keep an eye on the Metasploit Framework Repository for those. And speaking of our open source repo...


Signed Commits for Metasploit Framework

In Metasploit Framework development news, we've started getting serious about cryptographically signing our commits to Metasploit Framework. This was inspired by the most excellent blog post from Mike Gerwitz, A Git Horror Story: Repository Integrity with Signed Commits. At this point, pretty much all merges to Metasploit's master branch are signed with the committer's PGP key, and you can confirm the signatures yourself by this easy and not-so-fun two step process: First, get a hold of all the committer keys, and import them with your command line PGP/GPG application. Next, use the command "git log --show-signature --merges", and amaze at the cryptographic integrity of the most recent merges.


For me, the main reason to do something like this is to add a layer of authenticity to our open source project -- by ensuring that commits to master are signed, even if one of our committers' GitHub account gets totally compromised, the attacker would still need to also compromise the committers' PGP key in order to reasonably impersonate him. For most sensible people (our committers included), that means compromising the local key store, which is a much smaller attack vector than GitHub. GitHub is great -- seriously, it is -- but it's big, popular, and always online (pretty much), so it's an attractive target for both focused attacks and general vandalism.


Now, actually verifying these signatures automatically by end users is another story; sadly, I don't have any advice for you on how to automatically reject and revert unsigned commits. Today, I eyeball it manually, which of course, sucks. We've asked GitHub nicely to provide some kind of indicator on their web UI that a commit is signed, so I'm hopeful that that feature is Coming Soon. If you have any advice for nice signature-verifying git functionality, comment below, por favor!


New Modules

We have two new exploits this week: one for ProcessMaker Open Source by longtime contributor Brendan Coles, and one for Beetel Connecton Manager. The latter is the very first exploit module from our new hire, William Vu, so feel free to pay special attention to this module, and file lots of annoying bugs for him on our Redmine issue tracker. Thanks guys!


Exploit modules


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.


Ninja Update: We have just landed three new auxiliary modules for the Supermicro issues that can help in scanning efforts; they'll be in next week's Metasploit update, but those of you who are following our bleeding-edge source can fetch them from GitHub.



This post summarizes the results of a limited security analysis of the Supermicro IPMI firmware. This firmware is used in the baseboard management controller (BMC) of many Supermicro motherboards.

The majority of our findings relate to firmware version SMT_X9_226. The information in this post was provided to Supermicro on August 22nd, 2013 in accordance with the Rapid7 vulnerability disclosure policy. More information on this policy can be found online at Note that this assessment did not include the actual IPMI network services and was primarily focused on default keys, credentials, and the web management interface.

Although we have a number of Metasploit modules in development to test these issues, they are not quite ready for production use yet, so stay tuned for next week's Metasploit update. At our last count, over 35,000 Supermicro IPMI interfaces were exposed to the public internet.

Supermicro has published a new firmware version (SMT_X9_315) that appears to address many of the issues listed identified below, as well those reported by other researchers. We have updated each entry to indicate how the new firmware version impacts these issues.

A cursory review of the new firmware shows significant improvements, but we still recommend disconnecting the IPMI interface from untrusted networks and limiting access through another form of authentication (VPN, etc).


Static Encryption Keys (CVE-2013-3619)


The firmware ships with harcoded private encryption keys for both the Lighttpd web server SSL interface and the Dropbear SSH daemon. An attacker with access to the publicly available Supermicro firmware can perform man-in-the-middle and offline decryption of communication to the firmware. The SSL keys can be updated by the user, but there is no option available to replace or regenerate SSH keys.


We have not been able to determine if firmware version SMT_X9_315 resolves this issue.




Hardcoded WSMan Credentials (CVE-2013-3620)


The firmware contains two sets of credentials for the OpenWSMan interface. The first is the digest authentication file, which contains a single account with a static password. This password cannot be changed by the user and is effectively a backdoor. The second involves the basic authentication password file stored in the nv partition – it appears that due to a bug in the firmware, changing the password of the ADMIN account leaves the OpenWSMan password unchanged (still set to admin).


We have not been able to determine if firmware version SMT_X9_315 resolves this issue.



CGI: login.cgi (CVE-2013-3621)



The login.cgi CGI application is vulnerable to two buffer overflows. The first occurs when processing the name parameter, the value is copied with strcpy() into a 128 byte buffer without any length checks. The second issue relates to the pwd parameter, the value is copied with strcpy() into a 24 byte buffer without any length checks. Exploitation of these vulnerabilities would result in remote code execution as the root user account. The vulnerable code is shown below (auto-generated from IDA Pro + HexRays).


if ( cgiGetVariable("name") )


  v2 = (const char *)cgiGetVariable("name");

  strcpy(&dest, v2);


if ( cgiGetVariable("pwd") )


  v3 = (const char *)cgiGetVariable("pwd");

  strcpy(&v13, v3);



Firmware version SMT_X9_315 removes the use of strcpy() and limits the length of the name and pwd values to 64 and 20 respectively.



CGI: close_window.cgi (CVE-2013-3623)


The close_window.cgi CGI application is vulnerable to two buffer overflows. The first issue occurs when processing the sess_sid parameter, this value is copied with strcpy() to a 20-byte stack buffer without any length checks. The second issue occurs when processing the ACT parameter, this value is copied with strcpy() to a 20-byte stack buffer without any length checks. Exploitation of these vulnerabilities would result in remote code execution as the root user account. The vulnerable code is shown below (auto-generated from IDA Pro + HexRays).

if ( cgiGetVariable("sess_sid") )


  v1 = (const char *)cgiGetVariable("sess_sid");

  strcpy(&v19, v1);




if ( cgiGetVariable("ACT") )


  v3 = (const char *)cgiGetVariable("ACT");

  strcat(&nptr, v3);



Firmware version SMT_X9_315 completely removes this CGI from the web interface.




CGI: logout.cgi (CVE-2013-3622) [ authenticated ]



The logout.cgi CGI application is vulnerable to two buffer overflows. The first occurs when processing the SID parameter, the value is copied with strcpy() into a 20 byte buffer without any length checks. The second issue relates to further use of the SID parameter, the value is appended with strcat() into a 32 byte buffer without any length checks. Exploitation of these vulnerabilities would result in remote code execution as the root user account.The vulnerable code is shown below (auto-generated from IDA Pro + HexRays).

if ( cgiGetVariable("SID") )


  v4 = (const char *)cgiGetVariable("SID");

  strcpy(&s, v4);



Firmware version SMT_X9_315 switches to a GetSessionCookie() function that limits the length of the SID variable returned to this code and no longer calls strcpy().


CGI: url_redirect.cgi (NO CVE) [ authenticated ]



The url_redirect.cgi CGI application appears to be vulnerable to a directory traversal attack due to lack of sanitization of the url_name parameter. This may allow an attacker with a valid non-privileged account to access the contents of any file on the system. This includes the /nv/PSBlock file, which contains the clear-text credentials for all configured accounts, including the administrative user. The vulnerable code is shown below (auto-generated from IDA Pro + HexRays).

sprintf(&v23, "%s/%s", *(_DWORD *)&ext_name_table[12 * i + 8], s);

v18 = fopen(&v23, "r");

Firmware version SMT_X9_315 appears to fix this issue.



CGI: miscellaneous (NO CVE) [ authenticated ]



Numerous unbounded strcpy(), memcpy(), and sprint() calls are performed by the other 65+ CGI applications available through the web interface. Most of these applications verify that the user has a valid session first, limiting exposure to authenticated users, but the review was not comprehensive. All instances of unsafe string and system command handling should be reviewed and corrected as necessary. Exploitation of these issues allows a low-privileged user to gain root access to the device.

Firmware version SMT_X9_315 has reorganized the web root, adding quite a few new CGI applications, removing many more, and generally purging the use of insecure functions like strcpy(). In addition, the config_tftpd.cgi and snmp_config.cgi CGI applications now validate that the user has a valid session first. They did not before, but it wasn't clear what risk this posed. In fact, the only two CGI applications that are now exposed to unauthenticated users are vmstatus.cgi and login.cgi.


Disclosure Timeline


2013-08-22 (Thu) : Initial discovery and disclosure to vendor

2013-09-07 (Fri) : Vendor response

2013-09-09 (Mon) : Disclosure to CERT/CC

2013-10-23 (Wed) : Planned public disclosure (delayed)

2013-11-06 (Wed) : Public disclosure

2013-11-06 (Wed) : Scanner modules written

2013-11-06 (Thu) : Vendor indicates a fix is available

sohorouter-webcast.jpgThis Thursday, it's my distinct pleasure to host Mike @s3cur1ty_de Messner for a German-language webcast about SOHO router security. For those not familiar with him, Mike is the author of the most comprehensive German Metasploit book (published by dpunkt) and worked several years as a Metasploit trainer. His personal passion is poking holes into the kind of routers you (and your CEO) have at home. These types of systems are very widely used but are rarely patched - even though they have critical security issues. A few months ago, for example, 420,000 embedded devices were infected by a botnet called Carna and then used for a global Internet scanning project. While the so-called Internet Census was illegal but benign, it outlined the scale of the problem.


In this German-language webcast, Mike is sharing some of his research and is giving live demos of the Metasploit modules he's using. He's covering the following topics:

  • Why is the security of SOHO routers important?
  • Typical security issues with SOHO routers
  • Technical case studies with live demos
  • Metasploit modules for testing routers
  • Results of 30 tested devices
  • Q&A


Reserve your seat in this German-language webcast now - space is limited!

Disclosure for FOSS Projects

Earlier today, we published seven modules for newly disclosed vulnerabilities that target seven free and open source (FOSS) projects, all discovered and written by long time Metasploit contributor Brandon Perry. These vulnerabilies moved through Rapid7's usual disclosure process, and as you can read in the summary blog post, it was a little bit of an adventure. These were not projects like Linux or Apache with bazillions of downloads and installed basically everywhere, but more on that second and third tier of free software projects which have merely millions of downloads or tens of thousands of users.


One thing that occurred to me is that these may be the first, or at least among the first, vulnerabilities disclosed to many of these software vendors. Collectively, these applications have been downloaded more than 16 million times, so it seems weird that the vendors' disclosure handling wasn't a little more normalized.


Of course, the way to get good at anything is to practice, so publishers of free software at this level of popularity could use some practice fielding new vulnerability disclosures. To that end, if you're a user of these applications (or other mildly popular applications), you may want to take a look at their openly published source and binaries to see if you can't uncover some vulnerabilities yourself. After all, that's part of the compact we have with FOSS publishers -- they make their materials free to open inspection, but someone actually has to do the inspection.


As you can see in the technical writeup, most of these exposures aren't terribly complicated once you start looking. These issues were uncovered and exploited by Brandon primarily during some downtime at DEFCON 2013, so it's not like it was a particularly complicated approach to bug hunting.


Inspecting open source software for security issues is a public good that pretty much anyone with technical chops can get into -- you can practice your exploit dev skills, and the software developers can practice handling disclosures once you report them -- either directly or through a third party like ZDI or your friends here at Rapid7. There are tons of books and websites on security best practices and vulnerability research to get you started, and lots of helpful researchers on the Internet to help you along the way. All I ask is that you disclose your findings reasonably and give the vendor time to patch and time to warn their user base about the issues. That way, you're not needlessly injecting extra instability into the Internet as a whole.


A Quick Respin of 4.7.2

You may have noticed that we didn't release an update for Metasploit last week. Instead, we were chasing down, fixing, and re-releasing the update to fix a bug in the way the Postgres database is upgraded for Metasploit Community and Metasploit Pro. If you haven't noticed any problems, you're in the majority, and there's no need to reapply anything -- the bug only appears to have hit (a very few) isolated platforms where the end users a) were not on supported platforms and b) had altered their own local database configurations. If you happen to be in this group, then simply reinstalling the newly re-released update will get you squared away. Again, this affected a small set of users (I can count them on one hand) and wasn't a security issue or anything, just configuration conflict.


New Modules

We're shipping a whopping 16 new exploits, including the seven from bperry, eight new auxiliary modules, and one new post module. At a grand total of 25 new modules, it's been a busy week in the People's Glorious Republic of Metasploit. Thanks to all various and sundry contributors for your efforts this week.

Exploit modules


Auxiliary and post modules


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Adventures in FOSS Exploitation, Part One: Vulnerability Discovery

This is the first of a pair of blog posts covering the disclosure of seven new Metasploit modules exploiting seven popular free, open source software (FOSS) projects. For technical details on the security issues for the applications discussed here, see Brandon Perry's exhaustive blog post.


Back over DEFCON, Metasploit contributor Brandon Perry decided to peek in on SourceForge, that grand-daddy of open source software distribution sites, to see what vulnerabilities and exposures he could shake loose from an assortment of popular open source enterprise applications. For his effort, he discovered a variety of vulnerabilities and exposures, and has released Metasploit modules for the following applications. All have some kind of webapp component, which was the focus of his efforts.


Affected Software Summary


SoftwareVulnerability / ExposureCVEStatusLifetime Downloads
MoodlePost-Authentication Host OS Command Execution2013-3630wontfix4,760,000
vTiger CRMPost-Authentication Host OS Command Execution2013-3591patched3,643,000
ZabbixPost-Authentication Host OS Command Execution2013-3628wontfix2,961,000
Openbravo ERPPost-Authentication XXE Arbitrary File Read2013-3617patched2,135,000
ISPConfigPost-Authentication Host OS Command Execution2013-3629patched1,561,000
OpenMediaVaultPost-Authentication Host OS Command Execution2013-3632wontfix703,000
NAS4FreePost-Authentication Host OS Command Execution2013-3631no data667,000


The most popular application on this list is Moodle, with over four and a half million downloads over its lifetime of SourceForge hosting, and the least is NAS4Free, with merely several hundred thousand downloads. While this is only an approximate figuring of popularity, and none approach the installation base boasted by Wordpress or Apache, they nevertheless are not uncommon to find on a penetration testing engagement. Across all seven projects, we're looking at a total lifetime download count of about 16 million. If only one to two percent of those are installed and still active today, that's still over a quarter million targets out there.


Despite this level of apparent popularity, though, the actual business of disclosing vulnerabilities to the software developers directly was... circuitous. Across these seven projects, I found there were at least seven different approaches to handling incoming vulnerability reports.


It's been well over a decade since the publication of Rain Forest Puppy's seminal work, the RFPolicy 2.0, and virtually everyone in the information security community can agree that some kind of vulnerability disclosure policy is useful for any serious project of note. Yet, when we contacted these vendors, it was as if the RFPolicy had never existed.  I won't trouble you with shaming details of disclosure -- I won't mention which project representative asked for a password-protected zip file of the disclosure, while another filed the issue on a public bug tracker which promptly e-mailed it back in cleartext -- but the the level of preparedness I ran into was pretty troubling. I suspect, rather strongly, that mature security issue handling that you find at organizations like the Apache Foundation or Microsoft is the exception, and not the rule.



A Vulnerability Handling Checklist

So, rather than simply dump these vulnerabilities and exposures and run, we thought we'd provide an extremely short checklist that software maintainers could use to ensure that they are holding up their end of the social contract for popular software. This is broad strokes stuff, intended for the (apparently huge) audience of software developers and maintainers who don't already have a security vulnerability handling procedure in place.


1. Have a designated security mailing alias. If your software is popular, you almost certainly already have a dedicated domain name, so is an ideal format. Try not to be creative with this naming convention; the goal is to be easily guessable, even if the reporter can't (or won't) find your most excellent web page describing your disclosure process.


2. Have a signed PGP key. Ideally, you will already be participating in a web of trust, and can collect multiple signatures, but at the very least, the PGP/GPG key associated with is signed by one or more of your core developers.


3. Publish your PGP key somewhere obvious. At Rapid7, we link to our PGP key on MIT's keyserver at CERT/CC is even better at this, hosting the key directly on their own server over HTTPS. At a minimum, it should be findable with very little work.


4. Insist on encrypted communication. Yes, the NSA has already broken everyone's encryption (let's say), but that doesn't mean every ISP, intermediate router, e-mail exchange, and bug tracker should have straight cleartext access to your security disclosure messages. I have no idea if anyone's watching your comms for reported security issues, but more importantly, neither do you. Plus, using encrypted e-mail serves as a pretty decent shhibboleth for representing yourself as Serious About Security.


5. Acknowledge receipt. If you are getting a disclosure for free you should be polite and acknowledge receipt. The vulnerability discoverer is playing by the rules, so you should make the effort as well. Worst case, you don't respond, and the discoverer just dumps his findings on Full Disclosure.


6. Have a contact at CERT/CC. I like dealing with CERT/CC a lot, since they tend to know people, and know people who know people. If something serious is discovered, we communicate with CERT/CC shortly after informing the vendor, so if they already know who you are, coordinated disclosure is all the easier.


7. Issue a patch. This may seem obvious, but not every vulnerability is a bug in code. Some -- like the ones found here by Brandon -- are "merely" exposures, which are (often unintended) features; in this case, a patch could simply be a documentation update, warning about the described behavior.


8. Issue a disclosure. Nearly always, security researchers will publish their own findings. Sometimes, CERT/CC will publish a Vulnerability Note. Public security resources such as OSVDB and Exploit-DB will often have entries for your bug. All of this is great here in infosec land, but your users may not keep abreast of these sources. For many of them, all they know about your software is what you tell them. So, take advantage of this event to help out your users, and their users, and the rest of the Internet. Have a link to some clearly worded text that describes the problem, the solution, and any workarounds.


That is really the long and the short of it. It's a little preachy, but believe me, there are many, many more things to say on disclosure (both giving and receiving). The above should get you going today if you don't already have some kind of process in place, and if you have many hundreds of thousands of downloads, you really ought to have that process ironed out and ready to go.


That's nice, what about all the "wontfix" bugs?

Please see part two of the FOSS Tricks and Treats by Brandon Perry, for technical details of these exposures and vulnerabilities. The modules described are checked into Metasploit now, and will be available as part of the regular Metasploit update. Note that all are post-authentication, which means that you already need a username and password to exercise host operating system functionality via the HTTP/HTTPS vector. Also, for some of these applications, the argument was made that these exposures were normal, designed functionality. In other words, many of these modules will still function in the latest patched versions of the software.


There is definitely room for debate as to whether or not these were particularly wise design decisions. On the one hand, many of these applications assume the user is also already in control of the host operating system. On the other, the users of these applications may not realize that by allowing regular old port 80 traffic, they are, effectively, opening a full shell to anyone able to guess a username and password. Penetration testers love these kinds of applications, since they often can provide surprising and unexpected footholds into a network.


Thanks to CERT/CC for helping with disclosure chores, and to the above vendors who responded in a timely way to our vulnerability disclosure ministrations. Regardless of their unique disclosure handling processes, every one of them reacted politely and professionally, so thanks for that.


Update: ISPConfig has reported that they are patched and has provided a link. Links also provided for the vTiger and Openbravo fixes.

Filter Blog

By date: By tag: