Zone Transfers for All
This week, Metasploit community contributor bonsaiviking fixed up the DNS library that Metasploit uses so it won't choke on some types of zone transfer responses. Turns out, this is a two-year-old bug, but DNS servers that actually offer zone transfers are so rare anymore that the bug didn't surface often enough to get squashed.
This brings me to a larger point -- with older vulnerabilities like this, sometimes the hardest part for us is reproducing the bug in the first place. With old software, for example, it's sometimes really hard to get hold of the vulnerable version. With this module, the problem is that it's a pain to configure a DNS server to allow zone transfers just so you have something to test against.
In this case, though, we were able to test using Robin Wood's most useful ZoneTransfer.me service, which is exactly what you think it might be. It's a live DNS server, out on the Internet, with zone transfers enabled. This allows researchers, trainers, and vulnerability archeologists to become familiar with an antique vulnerability that they may still run into in the real world from time to time. This kind of intentionally vulnerable offering is invaluable, so thanks not only to bonsaiviking for finally nailing down this fix, but also to Robin for making the fix easy to test.
For all the gritty details, see Pull Request #698 on Metasploit's GitHub site.
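The check that the fix and ZoneTransfer.me exist to exercise, as an added example that is not part of the original post and is not Metasploit's DNS library or the code from the pull request: a minimal AXFR client in Python that builds the query, parses the length-prefixed messages a TCP transfer comes back in, and stops at the second SOA. The `example.test` zone, its `ns1`/`hostmaster` names, its records and the REFUSED reply are constructed sample data. The post does not say which response shapes the library used to choke on, so the multi-message, truncated, refused and compression-pointer cases here are general protocol edge cases, not a reconstruction of that bug.

```python
import socket
import struct

TYPE_A, TYPE_NS, TYPE_SOA, TYPE_AXFR, CLASS_IN, RCODE_REFUSED = 1, 2, 6, 252, 1, 5

def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_axfr_query(zone, txid=0x1234):
    """DNS query for an AXFR of `zone`; the caller adds the 2-byte TCP length prefix."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack(">HH", TYPE_AXFR, CLASS_IN)

def read_name(msg, off):
    """Decode a possibly-compressed name at `off`; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: jump back, but remember where we were
            end = off + 2 if end is None else end
            off = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:  # a pointer loop in a hostile response would otherwise spin forever
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_message(msg):
    """Parse one DNS message; return (rcode, answers as (name, type, ttl, rdata))."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        answers.append((name, rtype, ttl, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return flags & 0xF, answers

def parse_axfr_stream(stream):
    """Parse every complete length-prefixed message in a TCP AXFR stream. A transfer may span
    several messages and ends at the second SOA. Returns (records, complete)."""
    records, soa_count, off = [], 0, 0
    while off + 2 <= len(stream):
        (mlen,) = struct.unpack(">H", stream[off:off + 2])
        if off + 2 + mlen > len(stream):
            break  # the rest of this message has not arrived yet; caller reads more
        rcode, answers = parse_message(stream[off + 2:off + 2 + mlen])
        off += 2 + mlen
        if rcode != 0:
            raise PermissionError(f"AXFR rejected, rcode={rcode}")
        for rec in answers:
            records.append(rec)
            if rec[1] == TYPE_SOA:
                soa_count += 1
                if soa_count == 2:
                    return records, True
    return records, False

def axfr(server, zone, port=53, timeout=5.0):
    """Live AXFR over TCP (needs network): returns the zone's records or raises."""
    query, buf = build_axfr_query(zone), b""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(struct.pack(">H", len(query)) + query)
        while True:
            chunk = sock.recv(65535)
            if not chunk:
                raise ConnectionError("connection closed before the closing SOA")
            buf += chunk
            records, complete = parse_axfr_stream(buf)
            if complete:
                return records

def framed_response(txid, zone, answers, rcode=0):
    """Constructed server reply (QR and AA set) with its TCP length prefix, for the sample below."""
    msg = struct.pack(">HHHHHH", txid, 0x8400 | rcode, 1, len(answers), 0, 0)
    msg += encode_name(zone) + struct.pack(">HH", TYPE_AXFR, CLASS_IN)
    for name, rtype, ttl, rdata in answers:
        msg += encode_name(name) + struct.pack(">HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata
    return struct.pack(">H", len(msg)) + msg

# Constructed sample, not real data: a made-up zone sent in two messages (SOA first and last).
SOA_RDATA = (encode_name("ns1.example.test.") + encode_name("hostmaster.example.test.")
             + struct.pack(">IIIII", 2012090501, 3600, 900, 604800, 300))
SAMPLE_STREAM = (framed_response(0x1234, "example.test.", [("example.test.", TYPE_SOA, 300, SOA_RDATA),
                                                           ("example.test.", TYPE_NS, 300, encode_name("ns1.example.test."))])
                 + framed_response(0x1234, "example.test.", [("www.example.test.", TYPE_A, 300, bytes([192, 0, 2, 10])),
                                                             ("example.test.", TYPE_SOA, 300, SOA_RDATA)]))
REFUSED_STREAM = framed_response(0x1234, "example.test.", [], rcode=RCODE_REFUSED)
```

Pointing `axfr()` at one of a zone's authoritative nameservers (look them up with an NS query first) either returns the whole zone, which is the finding, or raises `PermissionError` on the REFUSED that a properly configured server sends. The parser deliberately does not stop at the end of the first message: a zone of any size arrives as several length-prefixed messages on one TCP connection, and only the second SOA marks the end.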
Exploiting SAP NetWeaver
Also in this week's update are two new SAP NetWeaver exploits, both implemented by our own Juan Vazquez, based on the research work of Michael Jordon and Martin Gallo. Juan has another blog post up that dives into the details of how he exploits CVE-2012-2611, complete with screenshots and insightful commentary on the squirrelly nature of Unicode detection. If you're a fan of Juan's step-by-step war stories of exploit development, you will definitely want to check out the module and the blog post.
Microsoft SQL Server Tricks
So you've gained control of a Microsoft SQL Server database -- now what? Community contributor Scott "nullbind" Sutherland has two new MSSQL modules in this week's update. The first is the exceedingly handy Find and Sample Data module, which quickly paws through a database for columns whose names match keywords like "CC#", "ccval" or "password," the likely homes of the sensitive data that PCI auditors love to get hold of. The second is a local authorization bypass, which makes it easy and fun to use an existing Meterpreter session on the database host to add an sa-level account to the target SQL Server instance.
Database hacking holds a special place in my heart, so I love to see these kinds of auxiliary and post modules come in from the community. Thanks for those!
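For readers who want to see what a find-and-sample sweep actually asks the server, here is an added example that is my own code and not Scott Sutherland's module (a Ruby post module in Metasploit): Python that generates the T-SQL for the two steps, a search of INFORMATION_SCHEMA.COLUMNS for column names matching a keyword list, and a TOP n sample query for each hit. The keyword list, the helper names and the NVARCHAR cast are my assumptions. Because table and column names come back from the server's own metadata, the sample queries bracket-quote them the way QUOTENAME() does instead of trusting them, and keywords are escaped so that LIKE wildcards in them match literally.

```python
DEFAULT_KEYWORDS = ["password", "passwd", "pwd", "credit", "card", "ccnum", "cvv", "ssn"]  # assumed list

def escape_literal(term):
    """Make a keyword safe inside a quoted LIKE pattern: double single quotes and escape the
    wildcard characters %, _ and [ with a backslash (paired with ESCAPE '\\' in the query)."""
    term = term.replace("'", "''")
    for ch in ("\\", "%", "_", "["):  # backslash first so it is not re-escaped
        term = term.replace(ch, "\\" + ch)
    return term

def quote_ident(name):
    """Bracket-quote an identifier the way QUOTENAME() does, doubling any ']' inside it."""
    return "[" + name.replace("]", "]]") + "]"

def column_search_sql(keywords=DEFAULT_KEYWORDS):
    """Metadata query listing every column in the current database whose name contains a keyword."""
    clauses = " OR ".join(f"COLUMN_NAME LIKE '%{escape_literal(k)}%' ESCAPE '\\'" for k in keywords)
    return ("SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE "
            "FROM INFORMATION_SCHEMA.COLUMNS "
            f"WHERE {clauses} ORDER BY TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME")

def sample_sql(schema, table, column, rows=5):
    """TOP n non-empty values from one discovered column. The names came from the server's
    metadata, so they are quoted rather than trusted; the NVARCHAR cast is an assumption that
    keeps the empty-string test working for non-string column types."""
    col = quote_ident(column)
    return (f"SELECT TOP {int(rows)} {col} FROM {quote_ident(schema)}.{quote_ident(table)} "
            f"WHERE {col} IS NOT NULL AND CAST({col} AS NVARCHAR(MAX)) <> ''")

def sweep_sql(hits, rows=5):
    """One sample query per (schema, table, column, ...) row returned by column_search_sql."""
    return [sample_sql(schema, table, column, rows) for schema, table, column, *_ in hits]
```

Run `column_search_sql()` once per database, feed its result rows to `sweep_sql()`, and review the handful of values each sample returns before deciding which tables are worth a closer look; the point is to find evidence quickly, not to dump every table.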
Here are the new modules -- for details and usage, follow the links to our Exploit Database.
- Symantec Messaging Gateway 9.5 Default SSH Password Vulnerability by sinn3r, Ben Williams, and Stefan Viehbock exploits CVE-2012-3579
- JBoss DeploymentFileRepository WAR Deployment (via JMXInvokerServlet) by Jens Liebchen, Patrick Hof, and h0ng10 exploits CVE-2007-1036
- MobileCartly 1.0 Arbitrary File Creation Vulnerability by sinn3r and Yakir Wizman exploits BID-55399
- HP SiteScope Remote Code Execution by juan vazquez and rgod exploits ZDI-10-174
- SAP NetWeaver HostControl Command Injection by juan vazquez and Michael Jordon exploits OSVDB-84821
- SAP NetWeaver Dispatcher DiagTraceR3Info Buffer Overflow by juan vazquez and Martin Gallo exploits CVE-2012-2611
- Microsoft SQL Server - Find and Sample Data by Scott Sutherland, hdm, todb, Carlos Perez, Robin Wood, and humble-desser
- HP SiteScope SOAP Call getFileInternal Remote File Access by juan vazquez and rgod exploits ZDI-12-176
- HP SiteScope SOAP Call getSiteScopeConfiguration Configuration Access by juan vazquez and rgod exploits ZDI-12-173
- HP SiteScope SOAP Call loadFileContent Remote File Access by juan vazquez and rgod exploits ZDI-12-177
- Windows Manage Local Microsoft SQL Server Authorization Bypass by Scott Sutherland
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.