In addition to the frankly killer 0-day in RateMyPet, we have a couple other things going on in Metasploit land.
Mac OSX 64-Bit Payloads
Probably the most significant add this week is Metasploit community contributor Nemo's two new 64-bit payloads for Mac OSX targets. While OSX isn't the most popular target on the block, we do have a steadily growing collection of exploits targeting Apple platforms, so bringing 64-Bit platforms into the fold of assessable targets is kind of a big deal. Thanks Nemo!
Fixing MSFUpdate After an Outage
DerbyCon is afoot, so naturally (let's say) it's time to update a pile of Metasploit's Ruby gem dependencies. Ruby gems include things like ActiveRecord, which allows Framework to talk to the database backend, and Railties, which is an extension to Rails and handles parts of the Metasploit Community and Metasploit Pro interfaces. All told, this update has about 400,000 lines of source code change since the last update. About that...
Late last week, this gem update ended up causing some problems for users who a) track our development very closely while b) on slower links or c) overseas who d) use svn or msfupdate specifically to get their daily (or hourly) fix of Metasploit updates. This doesn't describe the typical Metasploit Community or Metasploit Pro users, who get updates on a weekly basis. This would have affected only the people who fit this particular profile.
It's not the total size difference that caused problems, mind you. As it turns out, this week's update is slightly smaller than last week's because of these changes. The problem is the way SVN tracks the changes, which can cause msfupdate to bail out before it completes. This tracking is fine and normal for a source control system, but it's not all that great for a (relatively) simple software update system.
While Metasploit Pro users wouldn't have noticed anything wrong, some of our open source Framework folks would have noticed the problems starting late last week. If you have been msfupdating lately and have not noticed anything, you're out of the woods.
I'm sorry about that. I'm so sorry, in fact, that I'm revisiting how msfupdate does its update thing. We'll be looking at better ways to pick up changes from the master branch in a reasonably quick way that doesn't drag along the entire history of Metasploit development with it, which was the crux of the problem.
Moral of the story is, we're treating this episode like a service outage. This week's update will get everyone past the 400KLOC change hump (updates like this effectively advance the pointer for you), and we'll test our new updating process on slow links so as not to run into this kind of problem again.
So, happy DerbyCon everyone, bring home some 0-day, and we'll be all set for next week.
It's not all gem updates, of course. We have a smattering of new modules for you, too. For details and usage on these, just follow the links to our Exploit Database.
- ZEN Load Balancer Filelog Command Execution by Brendan Coles exploits OSVDB-85654
- Auxilium RateMyPet Arbitrary File Upload Vulnerability by sinn3r and DaOne exploits OSVDB-85554
- HP Application Lifecycle Management XGO.ocx ActiveX SetShapeNodeType() Remote Code Execution by juan vazquez and rgod exploits ZDI-12-170
- NTR ActiveX Control Check() Method Buffer Overflow by juan vazquez and Carsten Eiram exploits CVE-2012-0266
- NTR ActiveX Control StopModule() Remote Code Execution by juan vazquez and Carsten Eiram exploits CVE-2012-0267
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.