The big news this week is the UPnP / SSDP vulnerability announcements that we've been coordinating between CERT/CC, open source vendors, and device manufacturers over the last couple of months. We have a pretty excellent white paper on the subject, written by Metasploit founder and international superhacker HD Moore, so I won't attempt to rehash it here, but the TL;DR of what you can do next is to take a quick scan of your infrastructure with the retooled UPnP SSDP M-SEARCH Information Discovery module (auxiliary/scanner/upnp/ssdp_msearch). With it, you can pick out endpoints that are specifically vulnerable to CVE-2013-0229, CVE-2013-0230, CVE-2012-5958, and CVE-2012-5959.
Incidentally, even if you find that you're not vulnerable to these particular exploit vectors, it's safe to say that there is no reason why your organization should be responsive to UPnP on an Internet-facing interface. One hundred percent of the time, this is a misconfiguration. So take a look. Please. Pretty please. With a cherry on top.
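As an added illustration (this is not the module's code and not from the white paper), here is a minimal Ruby SSDP probe that builds the same kind of M-SEARCH request the module sends, accepts any HTTP/1.1 200 response that comes back, and reports the SERVER and LOCATION headers so you can tell which UPnP stack is answering and from where. The sample response embedded below is constructed. Matching a SERVER string to the specific CVEs above is left to the module and the white paper; for the point made in the paragraph above, any reply at all from an Internet-facing address is the finding.

```ruby
require 'socket'

SSDP_MCAST = "239.255.255.250"
SSDP_PORT  = 1900

# Build an SSDP M-SEARCH request. "ssdp:all" asks every UPnP device and
# service to answer; MX is the seconds a device may wait before replying.
def build_msearch(st: "ssdp:all", mx: 3, host: SSDP_MCAST, port: SSDP_PORT)
  [
    "M-SEARCH * HTTP/1.1",
    "HOST: #{host}:#{port}",
    "MAN: \"ssdp:discover\"",
    "MX: #{mx}",
    "ST: #{st}",
    "", ""
  ].join("\r\n")
end

# Parse one SSDP reply. Only "HTTP/1.1 200 OK" is a search response;
# NOTIFY announcements and anything else are ignored. Header names are
# lower-cased because devices are not consistent about case.
def parse_ssdp_response(raw)
  lines  = raw.split(/\r?\n/)
  status = lines.shift
  return nil unless status.to_s =~ %r{\AHTTP/1\.[01] 200}
  headers = {}
  lines.each do |line|
    break if line.empty?
    name, value = line.split(":", 2)
    next unless value
    headers[name.strip.downcase] = value.strip
  end
  headers
end

# Reduce a parsed reply to the fields worth putting in a report: who
# answered, what stack it claims to run, and where its description lives.
def summarize(headers, source_ip)
  return nil unless headers
  {
    source:   source_ip,
    server:   headers["server"],
    location: headers["location"],
    st:       headers["st"],
    usn:      headers["usn"]
  }
end

# Unicast probe of a single address. Point this at your own external IPs;
# the multicast address only reaches devices on the local segment.
def probe_unicast(target, port: SSDP_PORT, wait: 3)
  sock = UDPSocket.new
  sock.send(build_msearch(host: target, port: port), 0, target, port)
  results  = []
  deadline = Time.now + wait
  while (remaining = deadline - Time.now) > 0
    break unless IO.select([sock], nil, nil, remaining)
    data, addr = sock.recvfrom(65_535)
    rec = summarize(parse_ssdp_response(data), addr[3])
    results << rec if rec
  end
  results
ensure
  sock&.close
end

# Constructed sample reply, in the shape a UPnP root device sends.
SAMPLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "CACHE-CONTROL: max-age=120",
  "ST: upnp:rootdevice",
  "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice",
  "EXT:",
  "SERVER: Linux/2.6 UPnP/1.0 ExampleStack/1.0",
  "LOCATION: http://192.0.2.10:49152/rootDesc.xml",
  "", ""
].join("\r\n")

if __FILE__ == $PROGRAM_NAME
  p summarize(parse_ssdp_response(SAMPLE_RESPONSE), "192.0.2.10")
  ARGV.each { |ip| probe_unicast(ip).each { |r| p r } }
end
```

Run it with your organization's external addresses as arguments; an empty result set is what you want to see. The LOCATION header, when present, points at the device description XML, which is usually enough to identify the product when the SERVER string is uninformative.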
Also, I'm especially grateful to Jared Allar and Art Manion at CERT/CC up in Pittsburgh for coordinating with the various international CERTs and the dozens of manufacturers around the world. This kind of thing isn't easy to do on the down-low, especially given the deadlines in our disclosure policy that we were working against. Thanks guys!
Another Rails Exploit: CVE-2013-0333 Exposed
In the meantime, Metasploit core engineer James @egyp7 Lee and longtime contributor Jeff @jjarmoc Jarmoc teamed up to bring forth a fresh new exploit for CVE-2013-0333. According to my clock, it took approximately two and a half hours from the announcement of the vulnerability to jjarmoc's quick-and-dirty adaptation of the existing CVE-2013-0156 exploit, using Postmodern's technique, to hit the new bug.
From there, Egypt picked up the ball and put together a proper new exploit, and incidentally refactored the ARCH_RUBY payload type in order to be a little easier to work with between the two exploits. Thanks to that work, the next exploit for a Rails vuln (heaven forbid) should be even easier to drop in.
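For readers who haven't followed the Rails bugs closely, the mechanism behind CVE-2013-0333 is that the affected JSON backend handed request bodies to a full YAML load, and a full YAML load will happily allocate whatever Ruby class a `!ruby/object:` tag names. JSON is close enough to YAML flow syntax that the arrangement looked like it worked. The following is an added illustration of that mechanism, written for this post; it is not Rails code, not the Metasploit module, and the request bodies and the `AuditRecord` class are constructed stand-ins. It shows the permissive load instantiating an arbitrary class from untrusted input next to the two hardened parsers that refuse it.

```ruby
require 'yaml'
require 'json'

# Constructed marker class standing in for "any class loadable in the app".
# Seeing one of these come back from a parser is the failure we care about.
class AuditRecord
  attr_reader :name
  def initialize(name = nil)
    @name = name
  end
end

# Constructed request body: valid YAML with a Ruby object tag, sent where the
# server expected JSON.
TAGGED_BODY = "--- !ruby/object:AuditRecord\nname: attacker-chosen\n"

# Constructed benign JSON body, for comparison.
PLAIN_BODY = '{"name": "widget"}'

# The dangerous pattern: a full YAML load on untrusted input. Psych 4 made
# YAML.load safe by default and moved the old behaviour to unsafe_load, so
# this picks whichever call reproduces the permissive behaviour on the
# running Ruby.
def parse_body_with_yaml(body)
  if YAML.respond_to?(:unsafe_load)
    YAML.unsafe_load(body)
  else
    YAML.load(body)
  end
end

# Hardened: a real JSON parser rejects the YAML document outright.
def parse_body_with_json(body)
  JSON.parse(body)
rescue JSON::ParserError
  :rejected
end

# Hardened alternative when YAML input is genuinely required: safe_load only
# builds plain scalars, arrays and hashes and refuses any tagged class.
def parse_body_with_safe_yaml(body)
  YAML.safe_load(body)
rescue Psych::DisallowedClass
  :rejected
end

if __FILE__ == $PROGRAM_NAME
  obj = parse_body_with_yaml(TAGGED_BODY)
  puts "full YAML load built a #{obj.class} with name=#{obj.name.inspect}"
  puts "JSON.parse:     #{parse_body_with_json(TAGGED_BODY).inspect}"
  puts "YAML.safe_load: #{parse_body_with_safe_yaml(TAGGED_BODY).inspect}"
end
```

The interesting part is that the permissive loader also accepts the plain JSON body and returns the expected hash, which is why a YAML-based JSON backend passes functional tests; only the tagged document exposes the difference. Any parser that turns untrusted bytes into arbitrary application classes is in the same category, whichever serialization format is on the label.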
This week's update also has a pile of new auxiliary scanners for Joomla, thanks to mysterious newcomer Newpid0. He graciously provided a new Joomla Version Scanner, a Joomla Plugins Scanner, and a Joomla Page Scanner. Think of these as a mini-framework that can allow you to quickly audit your organization's CMS for some low-hanging fruit -- especially the Plugins scanner. While Joomla isn't as popular as Wordpress, and might not get the auditing attention that Wordpress is subject to, it's still plenty common. Thanks, masked stranger!
- Linksys WRT54GL Remote Command Execution by m-1-k-3 exploits OSVDB-89421
- Titan FTP XCRC Directory Traversal Information Disclosure by Brandon McCann @zeknox and jduck exploits OSVDB-65533
- Joomla Version Scanner by newpid0
- Joomla Plugins Scanner by newpid0
- Joomla Page Scanner by newpid0
- Ray Sharp DVR Password Retriever by hdm and someluser
- MS12-020 Microsoft Remote Desktop Checker by Brandon McCann @zeknox and Royce Davis @R3dy_ exploits MS12-020
- Novell eDirectory 8 Buffer Overflow by juan vazquez, David Klein, and Gary Nilson exploits CVE-2012-0432
- Movable Type 4.2x, 4.3x Web Upgrade Remote Code Execution by Gary O'Leary-Steele, Kacper Nowak, and Nick Blundell exploits CVE-2013-0209
- Ruby on Rails JSON Processor YAML Deserialization Code Execution by egyp7, jjarmoc, and lian exploits CVE-2013-0333
- SonicWALL GMS 6 Arbitrary File Upload by juan vazquez, Julian Vilas, and Nikolas Sotiriu exploits CVE-2013-1359
- ZoneMinder Video Server packageControl Command Execution by Brendan Coles
- Windows Manage Memory Payload Injection by sinn3r and Carlos Perez
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see Brandon Turner's most excellent release notes.