Sudo password bypass on OSX
This week's update includes a nifty local exploit for OSX, the sudo bug described in CVE-2013-1775. We don't have nearly enough of these Apple desktop exploits, and it's always useful to disabuse the Apple-based cool-kids web app developer crowd of the notion that their computing platform of choice is bulletproof.
Joe Vennix, the principle author of this module, is, in fact, of that very same Apple-based developer crowd, and usually busies himself on cranking out features for Metasploit Pro. But, he's been hanging out with the wrong crowd -- the exploit devs here at Rapid7 -- so over the weekend, he put together this implementation of Todd C. Miller's and Marco Schoepl's sudo time-changing bug. Turns out, OSX allows regular users to adjust the system time. This, in turn, creates the opportunity to promote and escalate the privileges of a compromised user account to root without having to know that user's password, assuming the victim user has used sudo at least once before (which is often the case for local OSX users).
Pretty neat trick. For more details on why this works, see the oss-sec post from early this year. Thanks Joe!
So, I don't know if you noticed, but over the last couple weeks, we've managed to hack and slash our way through a great big pile of Metasploit Framework bugs. First off, we just came off a Rapid7 push to shore up the continuous integration test infrastructure -- you can peek in on that at Travis-CI, and see that we juiced up the number of automated tests from about 980 to (as of now) 1,437 automatic tests that run with every build. Pretty much everyone here in the Rapid7 Metasploit hideout helped out with that, and so today, we have a really solid foundation for you, the community contributor, to start putting together useful regression testing on your favorite chunk of Metasploit.
In addition, our own Wei @sinn3r Chen took up the cause of cleaning up a bunch of existing modules to conform to our current code standards, opening and resolving about 50 tickets just on his own.
The moral of this story is that contributing to Metasploit Framework can be more than what most people think of -- writing exploit modules that exercise vulnerabilities. While that kind of work is probably the most fun and glamorous part of Metasploit, there are a lot of areas that could use automated testing, cleanup, and focused bug hunting. So, if you're more of a general Ruby hacker and not so much a security-focused hacker, that's totally okay by me. Feel free to jump in and fire off pull requests in our direction that provide repeatable testing for core Metasploit functionality, and you'll have a direct impact on improving the state of the art of open source security.
We've got three new exploits this week. A little less than usual, but man did we clean up a bunch of older modules. Twenty four in all were touched for this release.
- Mac OS X Sudo Password Bypass by juan vazquez, Todd C. Miller, and joev exploits CVE-2013-1775
- Graphite Web Unsafe Pickle Handling by Charlie Eriksen exploits CVE-2013-5093
- Oracle Endeca Server Remote Command Execution by juan vazquez and rgod exploits ZDI-13-190
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.