This week's update highlights Metasploit modules for embedded operating systems (as opposed to the usual client or server targets), so let's hop to it.
Security Camera Hackers
On Tuesday, guest blogger Justin Cacak of Gotham Digital Science talked about his module, cctv_dvr_login. The latest update for Metasploit has it now, so if you happen to run into some of these devices, you can show off all your Hollywood hacking skills by panning and zooming the security camera in the executive washroom. Definitely and eye-popper of an exploit, and we're happy to be able to share the techniques with the open source community. For more details on this nifty attack, see our blog post on this topic and the article about this Metasploit module in Wired magazine!
More SCADA, More Problems
In a related vein, this week's update also has a module for another embedded service, RuggedCom's telnet server. RuggedCom, as the name implies, makes network gear designed for harsh, outdoorsy conditions, so it's used almost exclusively in SCADA deployments. According to the researchers "JC CREW," if you know a RuggedCom device's MAC address, you can calculate the default password. Now, if you happen to be in the same broadcast domain as the device (usually the same LAN, but sometimes a little farther out), you can learn the MAC address just by talking Ethernet to the target device.
However, it's not like you have to go to the trouble to pick the MAC address out of packets from RuggedCom devices -- the vendor helpfully displays the local MAC in the telnet banner. What?
Community contributor Borja Merino put together a Metasploit module to do take advantage of this situation, telnet_ruggedcom. This module greps out the MAC address from the telnet banner, performs the password conversion magic, and stores it off into Metasploit's credential database for later use (say, with the telnet_login module).
Bugs in embedded systems like these have the added bonus for pen-testers in that they are often unpatched for months and years inside an organization. This is partly due to both vendor reluctance to patch, but moreso, because the affected devices are often in hard-to-reach locations, like railyards and oil fields.
Other than those, we have added five new modules to our exploit database this month. In no particular order, we've got:
- cisco_secure_acs_bypass by Jason Kratzer exploits CVE-2011-0951 in Cisco Secure ACS.
- vmware_update_manager_traversal by sinn3r exploits CVE-2011-4404 in Vmware Update Manager.
- wikka_spam_exec by sinn3r exploits CVE-2011-4409 in WikkaWiki.
- mozilla_attribchildremoved by Lincoln and corelanc0d3r exploits CVE-2011-3659 in Mozilla Firefox.
- distinct_tftp_traversal by sinn3r exploits OSVDB-80984 in Distinct TFTP Server.
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.