Rails Injection Bug
The big news this week turned out to be the new Rails injection bug, aka CVE-2013-0156, which you can read about in detail over on HD Moore's blog post. Soon after the vulnerability was disclosed, @hdmoore had a functional auxiliary scanner module put together, so as of this moment, you're encouraged to scan the heck out of your environment, repeatedly, for vulnerable Rails apps. Every Rails application developed and deployed is vulnerable to this (absent a fix or workaround) -- and that includes the ones in your development environment, so don't forget to audit port 3000 as well. All those WEBrick servers in dev-land just became tasty internal vectors for exploitation.
Given that Metasploit itself is written in Ruby, we have a fair bit of Ruby and Rails know-how in both Rapid7 and the general Metasploit security community. I don't expect to be waiting long for a proper exploit (beyond the local version promulgated by HD).
Update: As casually predicted above, we now have a working remote Metasploit module available for all versions of Metasploit, and you can check the code here. Special thanks to everyone who came together on this. HD and @_sinn3r worked with charliesome and community contributors espes and lian to get this out the door in record time. Hooray open source exploit dev!
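For readers who want to see the bug class rather than just the module name, here is an added Ruby sketch (not Rails' code and not the Metasploit module above) of what the XML parameter parser was doing: each value is typecast by a client-supplied `type` attribute, and the `yaml` and `symbol` converters are where untrusted input turns into arbitrary Ruby objects. The hardened table mirrors the advisory workaround of deleting those two entries from `ActiveSupport::XmlMini::PARSING`; the table constants, `parse_params` and the sample XML are constructed for illustration.

```ruby
require 'rexml/document'
require 'yaml'

# Simplified model (added here, not Rails' own code) of the XmlMini typecast
# table. The real PARSING hash has more entries; these three are the ones
# relevant to CVE-2013-0156.
VULNERABLE_PARSING = {
  "integer" => ->(v) { v.to_i },
  "symbol"  => ->(v) { v.to_sym },
  # The client picks both the type and the document, so this is attacker-
  # controlled deserialization. Modern Psych made YAML.load safe by default,
  # so fall back to unsafe_load to reproduce the 2013-era behaviour.
  "yaml"    => ->(v) { YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(v) : YAML.load(v) }
}.freeze

# Hardened table: the same idea as the advisory workaround, i.e. remove the
# "symbol" and "yaml" conversions so those values stay plain strings.
HARDENED_PARSING = VULNERABLE_PARSING.reject { |k, _| %w[symbol yaml].include?(k) }.freeze

# Parse a flat XML parameter document into a Hash, typecasting each element's
# text by its "type" attribute using the supplied table.
def parse_params(xml, table)
  doc = REXML::Document.new(xml)
  params = {}
  doc.root.elements.each do |el|
    conv = table[el.attributes["type"]]
    text = el.text.to_s
    params[el.name] = conv ? conv.call(text) : text
  end
  params
end

# Constructed request body: a harmless YAML document stands in for whatever a
# client might send, the point being that the server never chose the type.
SAMPLE_XML = <<~XML
  <params>
    <count type="integer">3</count>
    <mode type="symbol">admin</mode>
    <token type="yaml">--- {a: 1}</token>
  </params>
XML

if __FILE__ == $PROGRAM_NAME
  p parse_params(SAMPLE_XML, VULNERABLE_PARSING) # token becomes a Hash, mode a Symbol
  p parse_params(SAMPLE_XML, HARDENED_PARSING)   # both stay Strings
end
```

With the vulnerable table the `token` value comes back as a Ruby Hash built from client data; with the hardened table it stays the literal string, which is exactly the behaviour the workaround buys you until the patched Rails release is deployed.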
In other news, Metasploit exploit developer @_juan_vazquez_ delivered a brand-new exploit for a ZDI bug -- in this case, he exploits a vulnerability in IBM's Cognos Analytic Server Admin. Juan has a predilection for digging into interesting-looking ZDI vulns. It's a little bit masochistic, since ZDI advisories tend not to have a whole bunch of information, but they are often server-side targets, so it's often worth our while to reverse out an exploit from what little is reported.
I'm told that my Whiteboard Wednesday video is up -- while it's not specifically part of the Metasploit Update, I do spend a couple minutes yammering about my unreasonable affection for this project. The thing was pretty much one long unscripted take once the doodling on the whiteboard is up, so please excuse the rambling; I just get all choked up when I talk about the philosophy (and philanthropy) of open source security development.
Here are the details on our latest modules, including community contributor Charlie Eriksen's new WordPress Plugin exploits.
- eXtplorer v2.1 Arbitrary File Upload Vulnerability by Brendan Coles exploits OSVDB-88751
- Ruby on Rails XML Processor YAML Deserialization Code Execution by hdm, charliesome, espes, and lian exploits CVE-2013-0156
- WordPress Plugin Advanced Custom Fields Remote File Inclusion by Charlie Eriksen exploits OSVDB-87353
- WordPress Plugin Google Document Embedder Arbitrary File Disclosure by Charlie Eriksen exploits CVE-2012-4915
- Honeywell Tema Remote Installer ActiveX Remote Code Execution by juan vazquez, Billy Rios, and Terry McCorkle exploits OSVDB-76681
- Microsoft Internet Explorer Option Element Use-After-Free by sinn3r, juan vazquez, and Ivan Fratric exploits MS11-081
- Enterasys NetSight nssyslogd.exe Buffer Overflow by juan vazquez, Jeremy Brown, and rgod exploits ZDI-11-350
- IBM Cognos tm1admsd.exe Overflow by juan vazquez and Unknown exploits ZDI-12-101
- Ruby on Rails XML Processor YAML Deserialization Scanner by hdm exploits CVE-2013-0156
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see Brandon Turner's most excellent release notes.