Rails Injection Bug

The big news this week turned out to be the new Rails injection bug, aka, CVE-2013-0156, which you can read about in detail over on HD Moore's blog post. Soon after the vulnerability was disclosed, @hdmoore had a functional auxiliary scanner module put together, so as of this moment, you're encouraged to scan the heck out of your environment, repeatedly, for vulnerable Rails apps. Every Rails application developed and deployed is vulnerable to this (absent a fix or workaround) -- and that includes the ones in your development environment, so don't forget to audit port 3000 as well. All those WEBrick servers in dev-land just became tasty internal vectors for exploitation.

Given that Metasploit itself is written in Ruby, we have a fair bit of Ruby and Rails know-how in both Rapid7 and the general Metasploit security community. I don't expect to be waiting long for a proper exploit (beyond the local version promulgated by HD).

Update: As casually predicted above, we now have a working remote Metasploit module available for all versions of Metasploit, and you can check the code here. Special thanks to everyone who came together on this. HD and @_sinn3r worked with charliesome and community contributors espes and lian to get this out the door in record time. Hooray open source exploit dev!

ZDI-12-101 Exploit

In other news, Metasploit exploit developer @_juan_vazquez_ delivered a brand-new exploit for a ZDI bug -- in this case, he exploits a vulnerability in IBM's Cognos Analytic Server Admin. Juan has a prediliction for digging into interesting-looking ZDI vulns. It's a little bit masochistic, since ZDI advisories tend not to have a whole bunch of information, but they are often server-side targets, so it's often worth our while to reverse out an exploit from what little is reported.

Whiteboard Wednesday

I'm told that my Whiteboard Wednesday video is up -- while it's not specifically part of the Metasploit Update, I do spend a couple minutes yammering about my unreasonable affection for this project. The thing was pretty much one long unscripted take once the doodling on the whiteboard is up, so please excuse the rambling; I just get all choked up when I talk about the philosophy (and philanthropy) of open source security development.

New Modules

Here are the details on our latest modules, including community contributor Charlie Eriksen's new WordPress Plugin exploits.

Exploit modules

Auxiliary modules

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandon Turner's most excellent release notes.