It's Raining Crypto
This week's update brings a pile of new payloads to the Metasploit Framework -- namely, SSL versions of most of the Unix payloads we've all grown to love, courtesy of Metasploit community contributor Boris RageLtMan Lukashev. We've landed SSL versions of a bunch of reverse connectback payloads, including command shells from Perl, Python, Bash, PHP, Ruby, and Telnet, so now your shells will be a little more private from those pesky network defenders. Thanks RageLtMan!
An Exploit for UPnP: CVE-2012-5958
Since Rapid7's disclosure of various UPnP exposures and vulnerabilities, we've been hard at work getting some sample exploits out the door. Last week, we released a UPnP scanner that detects fingerprintable, vulnerable versions of UPnP stacks. This week, the efforts of HD Moore, Alex Eubanks, and Richard Harman have culminated in an exploit for the unique_service_name() vulnerability found in unpatched versions of the libupnp library. Of course, the best course of action is to disable UPnP access over untrusted networks, and to ramp up your IDS/IPS monitoring to detect and prevent attacks. To borrow a phrase from the L0pht, this exploit moves this set of vulnerabilities from the theoretical to the practical, and should signal a ramp-up in remediation efforts to get these UPnP endpoints shut down, at least over public networks.
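Since the remediation question is "which of my hosts answer SSDP with a vulnerable libupnp banner?", here is a small triage script in Ruby. It is an added example written for this post, not the Metasploit scanner module or any Rapid7 code. It parses the headers of SSDP M-SEARCH responses, pulls the libupnp version out of the SERVER banner, and flags anything older than 1.6.18; that cut-off is the upstream libupnp release carrying the fix and is an assumption on my part, not something stated above. The three responses are constructed samples, and the live probe uses plain UDP multicast to 239.255.255.250:1900, which you only get to run on networks you own.

```ruby
require "socket"
require "timeout"

# Assumption (not from the post): libupnp 1.6.18 is the release that fixed
# the unique_service_name() bugs, so anything older is flagged.
FIXED_LIBUPNP = [1, 6, 18].freeze

# Constructed sample SSDP/HTTPU responses, shaped like what a UPnP stack
# returns to a multicast M-SEARCH. 192.0.2.0/24 is documentation address space.
SAMPLE_RESPONSES = {
  "192.0.2.10" => "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n" \
                  "USN: uuid:0123-4567::upnp:rootdevice\r\n" \
                  "SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n" \
                  "LOCATION: http://192.0.2.10:49152/rootDesc.xml\r\n\r\n",
  "192.0.2.11" => "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n" \
                  "SERVER: Linux/3.4, UPnP/1.0, Portable SDK for UPnP devices/1.6.18\r\n" \
                  "LOCATION: http://192.0.2.11:49152/rootDesc.xml\r\n\r\n",
  "192.0.2.12" => "HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n" \
                  "SERVER: Microsoft-Windows-NT/5.1 UPnP/1.0 UPnP-Device-Host/1.0\r\n\r\n",
}.freeze

# The standard SSDP discovery request; "ssdp:all" asks every service to answer.
def build_msearch(mx = 2)
  "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n" \
  "MAN: \"ssdp:discover\"\r\nMX: #{mx}\r\nST: ssdp:all\r\n\r\n"
end

# Parse status line plus headers into a hash keyed by lower-cased header name.
# Header names are case-insensitive and devices are inconsistent about them.
def parse_ssdp(response)
  _status, *lines = response.split(/\r?\n/)
  headers = {}
  lines.each do |line|
    break if line.empty?
    name, value = line.split(":", 2)
    next unless value
    headers[name.strip.downcase] = value.strip
  end
  headers
end

# libupnp announces itself as "Portable SDK for UPnP devices/x.y.z".
# Returns [x, y, z] or nil for other stacks.
def libupnp_version(server_header)
  m = server_header.to_s.match(%r{Portable SDK for UPnP devices/(\d+)\.(\d+)\.(\d+)})
  m && m.captures.map(&:to_i)
end

def vulnerable?(version)
  return false unless version
  (version <=> FIXED_LIBUPNP) < 0
end

# Map each responder to its banner, parsed libupnp version and verdict.
def triage(responses)
  responses.each_with_object({}) do |(ip, raw), out|
    h = parse_ssdp(raw)
    v = libupnp_version(h["server"])
    out[ip] = { server: h["server"], libupnp: v && v.join("."), flag: vulnerable?(v) }
  end
end

# Live probe: send one M-SEARCH and collect answers for `wait` seconds.
# Only used when run with --live; the rest of the script works offline.
def probe(wait = 3)
  sock = UDPSocket.new
  sock.send(build_msearch, 0, "239.255.255.250", 1900)
  found = {}
  begin
    Timeout.timeout(wait) do
      loop do
        data, addr = sock.recvfrom(4096)
        found[addr[3]] ||= data
      end
    end
  rescue Timeout::Error
  end
  sock.close
  found
end

if __FILE__ == $0
  responses = ARGV.include?("--live") ? probe : SAMPLE_RESPONSES
  triage(responses).each do |ip, r|
    puts "#{ip}: #{r[:server].inspect} -> #{r[:flag] ? 'PATCH OR DISABLE' : 'ok'}"
  end
end
```

Run it without arguments to see the three constructed cases (one flagged, one patched, one non-libupnp stack); run with --live on a segment you own to triage real responders. Absence of a libupnp banner is not a clean bill of health, since some vendors rewrite the SERVER header, so treat "ok" as "not fingerprinted" rather than "not affected".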
More Video Camera System Bypasses
We also have another return to an old favorite, DVR security camera insecurity. This week, Metasploit exploit developer Juan Vazquez implemented the various authentication bypasses documented by Alejandro Ramos on his blog, Security By Default (en Español). It turns out that a number of DVRs serve their configuration for unauthenticated download -- and that configuration includes credentials not just for the DVR, but for associated Dynamic DNS providers, PPPoE, and remote FTP servers. So, even if you're in the one percent of users who change your DVR's default password (a statistic I just made up), you're still exposed if you allow HTTP connections over untrusted networks.
Normalizing Target URIs
Finally, this week's update brings some sanity back to the URI variables favored by exploit and auxiliary module developers. We've been going back and forth on the normalize_uri() method used by the HTTP client mixin, but thanks to Metasploit exploit developer Wei @_sinn3r Chen and community contributor Chris John Riley, I'm pretty sure we've nailed down the double slash / missing slash problem that some modules have been suffering from for the last several weeks.
So, if you're a Metasploit exploit developer with a penchant for writing HTTP-based modules, you will want to pay special attention to sinn3r's HOWTO on writing effective, sensible HTTP requests on the Metasploit Framework dev wiki.
- Netgear SPH200D Directory Traversal Vulnerability by m-1-k-3 exploits BID-57660
- Multiple DVR Manufacturers Configuration Disclosure by juan vazquez and Alejandro Ramos exploits CVE-2013-1391
- MS12-020 Microsoft Remote Desktop Checker by Brandon McCann and Royce Davis exploits MS12-020
- Portable UPnP SDK unique_service_name() Remote Code Execution by hdm, Alex Eubanks, and Richard Harman exploits CVE-2012-5958
- DataLife Engine preview.php PHP Code Injection by juan vazquez and EgiX exploits CVE-2013-1412
- Linux Gather PPTP VPN chap-secrets Credentials by sinn3r
- Windows Gather AD Enumerate Computers by Ben Campbell
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see Brandon Turner's most excellent release notes.