Stupid PHP Tricks
This week's Metasloit update is a cautionary tale about running unaudited PHP applications as part of your infrastructure. Metasploit community contributor Brendan Coles has discovered and written Metasploit modules for two similar root-level vulnerabilities one for OpenFiler and one for WAN Emulator (aka "WANem").
To be honest, I don't have anything personal against PHP. Some of my best friends are PHP guys. That said, these modules exploit some pretty serious flaws, and stuff like this crops up alarmingly often in PHP apps due the forty zillion ways PHP allows the developer to expose command injection vulnerabilities. Taking this as a given for the language, running a binary as setuid root (as WANem does) or having your service account be in the wheel group (as OpenFiler does), is asking for trouble.
Part of the security agreement we have with open source software is a notion of basic auditability. Ostensibly, it's not just possible, but likely, that security bugs like these won't live long in open source software, due to the fact that the code is directly auditable. Now, I don't know how long these bugs actually lived out in the wild, but thanks to Brendan for fulfilling his end of this social contract. The take-away here is, if you are considering running open source software in your environment, I hope you take advantage of the openness and perform a cursory audit for red flag warning sings like these.
Keeping Targets Fresh
In addition to the new modules this week, we've also validated some new targets for the HP SiteScope getSiteScopeConfiguration and HP SiteScope loadFileContent ZDI exploits. When research time permits, we like to loop back over recent disclosures like these to see if we can't validate more targets than the original exploit covered, so this kind of updating is pretty common. However, we don't have infinite time and bandwidth, so if you happen to notice that one of Metasploit's shipping modules works against a target that wasn't mentioned in the description, let us know! A GitHub pull request with a description update and some kind of validation like a screen capture or pcap dump is an ideal method to alert us to more targets, but e-mail, IRC, bug reports, or SecurityStreet posts will get our attention, too.
Here are the new modules -- for details and usage, follow the links to our Exploit Database.
- Openfiler v2.x NetworkCard Command Execution by Brendan Coles exploits BID-55490
- WAN Emulator v2.3 Command Execution by Brendan Coles exploits an uncategorized vulnerability
- HP SiteScope Remote Code Execution by juan vazquez and rgod exploits ZDI-12-175
- Sflog! CMS 1.0 Arbitrary File Upload Vulnerability by sinn3r and dun exploits OSVDB-83767
- ActiveFax (ActFax) 4.3 Client Importer Buffer Overflow by juan vazquez, Brandon Perry, and Craig Freyman exploits OSVDB-85175
- Winamp MAKI Buffer Overflow by juan vazquez and Monica Sojeong Hong exploits CVE-2009-1831
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.