Now that I've consumed a significant percentage of my own weight in turkey (seriously, it was something like five percent), it's time to shake off the tryptophan and get this week's update out the door.
Attacking Security Infrastructure: OpenVAS
This week's update features three new modules for bruteforcing three different OpenVAS authentication mechanisms, all provided by community contributor Vlatko @k0st Kosturjak. OpenVAS is an open source security management stack that's pretty popular, so if you're a pen-tester and you run into this on a site, you can be quite nearly guaranteed that it's a pretty decent target, full of domain administrator credentials and their equivalents. If you're not familiar with OpenVAS already, you can look at their architecture diagrams to get a sense of what it offers. Kost's modules hit the OpenVAS Management Protocol (OMP), the OpenVAS Transport Protocol (OTP), and the Greenbone Security Assistant daemon (GSAD), so you can take your pick on which vector you'd like to exploit for bruteforcing. If you are familiar with OpenVAS, and you have decent passwords, this shouldn't concern you at all. Of course, running a quick password audit with Metasploit might ease any concerns that you might have -- after all, it's kind of a "who watches the Watchmen?" situation.
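The flip side of a login bruteforcer is the burst of authentication failures it leaves in the target's logs. As an added example (not code from this post or from Metasploit), here is a small sliding-window detector that flags a source address producing a run of failures against one of the three OpenVAS-facing services named above. The log line format and the sample lines are constructed for the example; the real gsad, OMP and OTP log formats are not given here, so the regex would need adjusting for a real deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines. The format is hypothetical: it stands in for
# whatever the real gsad/OMP/OTP logs look like, keeping only the fields a
# detector needs (timestamp, service, outcome, username, source address).
SAMPLE_LOG = """\
2012-11-26 10:00:01 gsad auth-failure user=admin src=10.0.0.5
2012-11-26 10:00:02 gsad auth-failure user=admin src=10.0.0.5
2012-11-26 10:00:03 gsad auth-failure user=root src=10.0.0.5
2012-11-26 10:00:04 gsad auth-failure user=openvas src=10.0.0.5
2012-11-26 10:00:05 gsad auth-failure user=admin src=10.0.0.5
2012-11-26 10:00:06 gsad auth-failure user=admin src=10.0.0.5
2012-11-26 10:00:07 omp auth-failure user=admin src=10.0.0.9
2012-11-26 10:03:30 omp auth-failure user=admin src=10.0.0.9
2012-11-26 10:05:00 otp auth-failure user=scanner src=10.0.0.12
2012-11-26 10:05:01 otp auth-success user=scanner src=10.0.0.12
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<svc>\w+) "
    r"(?P<outcome>auth-failure|auth-success) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Parse log text into (timestamp, service, outcome, user, src) tuples.
    Lines that do not match the expected format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("svc"), m.group("outcome"),
                       m.group("user"), m.group("src")))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window detector: raise an alert when one source address logs
    at least `threshold` failures against one service within `window_seconds`.
    Returns {(service, src): {"failures", "users", "first", "last"}}, where
    "users" is the set of distinct usernames tried inside the alerting window."""
    windows = defaultdict(deque)  # (svc, src) -> deque of (timestamp, user)
    alerts = {}
    for ts, svc, outcome, user, src in sorted(events, key=lambda e: e[0]):
        if outcome != "auth-failure":
            continue  # successes are not counted toward the burst
        key = (svc, src)
        q = windows[key]
        q.append((ts, user))
        # Evict failures that fell out of the window.
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(
                key, {"failures": 0, "users": set(), "first": q[0][0], "last": ts})
            alert["failures"] = max(alert["failures"], len(q))
            alert["users"].update(u for _, u in q)
            alert["last"] = ts
    return alerts


if __name__ == "__main__":
    for (svc, src), info in find_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(f"{svc}: {info['failures']} failures from {src} "
              f"({len(info['users'])} usernames) between {info['first']} and {info['last']}")
```

With the defaults (five failures in sixty seconds) only the gsad burst from 10.0.0.5 alerts; the two OMP failures from 10.0.0.9 are more than three minutes apart and never share a window, and the single OTP failure followed by a success is ordinary user behaviour. Tune `threshold` and `window_seconds` to the service: OMP and OTP are machine-to-machine protocols, so a handful of failures there is already suspicious, while a web login like gsad sees more legitimate typos.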
Return of the SAP Modules
As mentioned last week, community contributor @nmonkee gave up a huge braindump of SAP auxiliary modules. This is week two of the Great SAP Integration -- we've got four new SAP modules to leverage some known SAP credentials into command injection. That brings the total number of new SAP modules to 12, with what looks like two or three more on the way. You can read up on why this is all significant over on the MWR Labs blog, with the short story of: lots of orgs use SAP, and you should be able to use Metasploit as a SAP client to leverage intended and sometimes unintended functionality therein.
In addition to round two of SAP modules and OpenVAS bruteforcing, we've got three new exploits (for Quicktime, Narcissus, and NetIQ), and a pretty neat single-command psexec-style command runner for Windows targets. Check them out at Metasploit's Exploit Database.
- Narcissus Image Configuration Passthru Vulnerability by sinn3r and Dun exploits OSVDB-87410
- Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow by juan vazquez and Arezou Hosseinzad-Amirkhizi exploits CVE-2012-3752
- NetIQ Privileged User Manager 2.3.1 ldapagnt_eval() Remote Perl Code Execution by juan vazquez and rgod exploits OSVDB-87334
- Microsoft Windows Authenticated Command Execution by Royce @R3dy__ Davis exploits CVE-1999-0504
- Splunk Web interface Login Utility by sinn3r and Vlatko Kosturjak
- OpenVAS gsad Web interface Login Utility by Vlatko Kosturjak
- OpenVAS OMP Login Utility by Vlatko Kosturjak
- OpenVAS OTP Login Utility by Vlatko Kosturjak
- SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Injection by nmonkee
- SAP /sap/bc/soap/rfc SOAP Service SXPG_COMMAND_EXEC Function Command Injection by nmonkee
- SAP /sap/bc/soap/rfc SOAP Service SXPG_CALL_SYSTEM Function Command Execution by Agnivesh Sathasivam and nmonkee
- SAP SOAP RFC SXPG_COMMAND_EXECUTE by Agnivesh Sathasivam and nmonkee
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.