UPnP Scanning

The big news this week are the UPnP / SSDP vulnerability announcements that we've been coordinating between CERT/CC, open source vendors, and device manufacturers over the last couple months. We have a pretty excellent white paper on the subject, written by Metasploit founder and international superhacker HD Moore, so I won't attempt to rehash that here, but the TL;DR of what you can do next is to take a quick scan of your infrastructure with the retooled UPnP SSDP M-SEARCH Information Discovery module. With that, you can pick out endpoints that are specifically vulnerable to CVE-2013-0229, CVE-2013-0230, CVE-2012-5958, and CVE-2012-5959.

Incidentally, even if you find that you're not vulnerable to these particular exploit vectors, it's safe to say that there is no reason why your organization should be responsive to UPnP on an Internet-facing interface. One hundred percent of the time, this is a misconfiguration. So take a look. Please. Pretty please. With a cherry on top.

Also, I'm especially grateful to Jared Allar and Art Manion at CERT/CC up in Pittsburgh for coordinating with the various international CERTs and the dozens of manufacturers around the world. This kind of thing isn't easy to do on the down-low, especially given our progressive disclosure policy that we work against. Thanks guys!

Another Rails Exploit: CVE-2013-0333 Exposed

In the meantime, Metasploit core engineer James @egyp7 Lee and longtime contributor Jeff @jjarmoc Jarmoc teamed up to bring forth a fresh new exploit for CVE-2013-0333. According to my clock, it took approximately two and a half hours from the announcement of the vulnerability to jjarmoc's hack job on the exploit for CVE-2013-0156 using Postmodern's technique.

From there, Egypt picked up the ball and put together a proper new exploit, and incidentally refactored the ARCH_RUBY payload type in order to be a little easier to work with between the two exploits. Thanks to that work, the next exploit for a Rails vuln (heaven forbid) should be even easier to drop in.

Auditing Joomla

This week's update also has a pile of new auxiliary scanners for Joomla, thanks to mysterious newcomer Newpid0. He graciously provided a new Joomla Version Scanner, a Joomla Plugins Scanner, and a Joomla Page Scanner. Think of these as a mini-framework that can allow you to quickly audit your organization's CMS for some low-hanging fruit -- especially the Plugins scanner. While Joomla isn't as popular as Wordpress, and might not get the auditing attention that Wordpress is subject to, it's still plenty common. Thanks, masked stranger!

New Modules

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For reader who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandon Turner's most excellent release notes.