Simulating the Adversary

A big part of what we do here at Metasploit is "simulating bad guys." On a good week, we can focus on taking real exploits that are being actively used on the Internet, clean them up to our standards for publishing, make sure they actually work as reported, and publish a Metasploit module. This last week has been very good indeed, at least from our point of view, since there's been loads of exploitation going on lately that's come into public view.

vBulletin's accidental backdoor

Last week, there was a report of a dangerous vBulletin exploit in the wild. vBulletin is a proprietary community/forum PHP application, and the vulnerability in question appears to be some installation-time artifacts accidentally left behind after the software is installed. What it actually amounts to is an (almost certainly) accidental backdoor into account creation, whereby an attacker can create new administrator accounts.

However, the disclosure timeline of this vulnerability is a little troubling. vBulletin (the vendor) appears to have known about this exploit vector since at least August 27th, 2013, as evidenced by this blog post. The attack was reported by a victim at least as early as September 5, 2013, the same day as this security patch tweet, which may or may not address the issue; there appear to be no public release notes for that patch. The first real public analysis is the Imperva write-up linked above, which was the genesis for the OSVDB entry and, now, this module.

So, if you're responsible for a vBulletin community, you might want to leap on this patch. If you're like me, and wondering whether the patch is effective, you can test it with the vBulletin Metasploit module. If it tests out okay, feel free to mention your results somewhere vBulletin users are likely to see them. I'm sure they'd appreciate it.

D-Link's intentional backdoor

While the vBulletin issue is quite likely to be accidental, the D-Link backdoor is absolutely not. For starters, it's an authentication bypass that is triggered by a custom User-Agent string (the header your browser uses to tell the server about itself). The string could technically be more obviously malicious, but not by much. Reverse the string "xmlset_roodkcableoj28840ybtide" and you get "editby04882joelbackdoor_teslmx." So, the intent here is pretty clear.

The most recent discoverer of this backdoor has some pretty solid evidence that intelligence on this has been floating around, at least in Russia, since 2010.

There is at least one unattributed quote that D-Link was also aware of the backdoor, and that it was implemented on purpose as "a failsafe." Simpler times, I guess, if it's true. At any rate, we have an easy-to-use D-Link User-Agent Backdoor Scanner, and there's active R&D work on turning out a proper remote code execution module.
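Since the whole bypass hinges on one header value, the defender's side of this is simple to show. The following is an added example, not Metasploit's scanner or any D-Link code: it reverses the string to show why it reads as a backdoor, and it walks a set of constructed combined-format access log entries (the hosts, paths and timestamps are made up for the example) to flag any request that carried the backdoor User-Agent. The substring match is a detection choice made here so that a value padded with a normal-looking UA still trips the check; the page says nothing about how the device itself compares the string.

```ruby
# Added example (not Metasploit's own code): hunt for the D-Link backdoor
# User-Agent in web-server access logs and show why the string is damning.

BACKDOOR_UA = 'xmlset_roodkcableoj28840ybtide'.freeze

# Reversing the string is what exposes the "edit by ... joel backdoor" reading.
def reversed_backdoor_ua
  BACKDOOR_UA.reverse
end

# Detection choice (assumption, not a statement about the firmware): use a
# substring match so a padded or wrapped value still matches.
def backdoor_ua?(user_agent)
  !user_agent.nil? && user_agent.include?(BACKDOOR_UA)
end

# Apache/nginx "combined" format:
#   host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = /\A(?<host>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<request>[^"]*)" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"\z/

# Parse one log line into a hash; returns nil for lines that do not match.
def parse_combined(line)
  m = COMBINED_RE.match(line.strip)
  return nil unless m
  verb, path = m[:request].split(' ', 3)
  { host: m[:host], time: m[:time], verb: verb, path: path,
    status: m[:status].to_i, ua: m[:ua] }
end

# Every parsed request whose User-Agent carries the backdoor string.
def find_backdoor_hits(log_text)
  log_text.each_line
          .map { |l| parse_combined(l) }
          .compact
          .select { |r| backdoor_ua?(r[:ua]) }
end

# Constructed sample log: one browser, one curl, and two requests from a
# single host using the backdoor UA against pages that should need a login.
SAMPLE_LOG = <<~LOG
  192.0.2.10 - - [10/Oct/2013:12:00:01 +0000] "GET / HTTP/1.1" 200 1432 "-" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"
  198.51.100.7 - - [10/Oct/2013:12:00:05 +0000] "GET /Home.htm HTTP/1.1" 200 5120 "-" "xmlset_roodkcableoj28840ybtide"
  198.51.100.7 - - [10/Oct/2013:12:00:06 +0000] "GET /Admin.htm HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"
  203.0.113.4 - - [10/Oct/2013:12:01:00 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "curl/7.32.0"
LOG

if __FILE__ == $PROGRAM_NAME
  puts "reversed: #{reversed_backdoor_ua}"
  find_backdoor_hits(SAMPLE_LOG).each do |hit|
    puts "#{hit[:host]} #{hit[:verb]} #{hit[:path]} -> #{hit[:status]} (backdoor UA)"
  end
end
```

Run it against a real access log by replacing SAMPLE_LOG with File.read of the log; a 200 on an admin page paired with this UA from an address that never logged in is the signal worth alerting on, and it is exactly the kind of request a proxy or IPS that only knows the CVE-of-the-week will wave through.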

The other MSIE 0-day

As promised last week, we also have a working exploit for the other Microsoft Internet Explorer vulnerability patched by MS13-080: MS13-080 Microsoft Internet Explorer CDisplayPointer Use-After-Free. I won't beat on this too much, primarily because this disclosure horse is quite dead. However, we now have a situation where IT shops may feel they've bought some time with Microsoft's Fix-It or EMET solutions for the originally reported vulnerability patched by MS13-080, the SetMouseCapture use-after-free (aka CVE-2013-3893), when in fact they're still vulnerable to CVE-2013-3897, the CDisplayPointer UAF.

Since the former bug got more attention than the latter, your third-party proxy or IPS-based protections may not be aware of this one. So, obviously, while patching is the best recourse, we know from the continued usability of good old MS08-067 that some organizations put off patching for a long, long time. Also, according to Metasploit researcher Wei Chen, the original in-the-wild exploit for the CDisplayPointer UAF bug was pretty incomplete, even though it had been floating around since mid-September. The Metasploit module that exploits this vulnerability is much more solid and clearer about the vulnerability itself, which can help defenders better understand the problem.

Why do this?

This whole philosophy of delivering clean, reliable exploits to the good guys (penetration testers, quality testers, and IT admins, among others) has been front and center the last couple of weeks here at Metasploit. The reasons we do this may be obvious (at least to security folks), but to be explicit:

知彼知己,百戰不殆;不知彼而知己,一勝一負;不知彼,不知己,每戰必殆 
    Sun Tzu, Art of War, Chapter 3
If you know others and know yourself, you will not be imperiled in a hundred battles; if you do not know others but know yourself, you win one and lose one; if you do not know others and do not know yourself, you will be imperiled in every single battle. 
    Sun Tzu (translated)

Thanks, WikiQuote! Also, thanks tons to Juan Vazquez, sinn3r, and m-1-k-3 for putting these modules together.

New Modules

We're shipping ten new modules this week, including the ones discussed above: five exploits, four auxiliary, and one post module. Note that the WRT110 module replaces the existing WRT110 command exec module, so it's not technically new.

Exploit modules

Auxiliary and post modules

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.