Metasploit 4.8.1 Released
Thanks to the revelations around the recent Ruby float conversion denial of service, aka CVE-2013-4164, discovered and reported by Charlie Somerville, this week's release is pretty slim in terms of content. On Friday (the day of the first disclosure), we pretty much dropped everything and got to work on testing and packaging up new Metasploit installers that ship with Ruby 1.9.3-p484, which fixes the bug.
As far as we are able to tell, it's merely a denial of service, so the worst that happens is that your given Ruby application can crash out with a segfault. Like most other Ruby bugs that lead to segfaults, we haven't been able to tease any code exec out, but it's not completely impossible.
So, in case it's not absolutely clear, Metasploit Community, Express, and Pro are all vulnerable as of Metasploit 4.8.0 and prior; again, we don't have a remote code exec path, but getting your assessment knocked out from under you can be more than a little unpleasant. Update to Metasploit 4.8.1 before you start your next engagement, and you'll be golden. We've also updated the Metasploit Framework repo to suggest ruby-1.9.3-p484, so take a moment to install that as well on your development environment if you're that sort.
We're not the only ones who were exposed to this, of course. If you have control over your Ruby installations, you'll want to update if you haven't already. If you rely on a cloud provider or some other kind of provisioning service, you should get with them; to take just one example, Sebastian Saunier has a procedure to update all your Heroku apps, all nicely scripted out in this gist.
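For anyone auditing more than one Ruby install, here is an added example (not code from this post or from Rapid7) that classifies `ruby -v` banner lines against the fixed release named above, 1.9.3-p484. The host names and banner strings are constructed, and the `classify` and `audit` helpers are hypothetical; branches other than 1.9.3 are not covered by this post, so the script flags them for a look at the upstream advisory instead of guessing.

```ruby
# Added example: check `ruby -v` banners against the fixed 1.9.3 patchlevel.
FIXED_BRANCH     = "1.9.3" # fixed release named in the post
FIXED_PATCHLEVEL = 484     # ruby 1.9.3-p484

# Matches MRI banners such as "ruby 1.9.3p448 (...)"; patchlevel is optional.
BANNER = /\Aruby (\d+\.\d+\.\d+)(?:p(\d+))?/

# Returns [version, patchlevel, verdict] for one banner line.
def classify(banner)
  m = BANNER.match(banner.to_s.strip)
  return [nil, nil, :unparsed] unless m # not an MRI banner (e.g. jruby)

  version = m[1]
  level   = m[2] && m[2].to_i
  verdict =
    if version != FIXED_BRANCH || level.nil?
      :check_advisory # branch not covered by this post
    elsif level >= FIXED_PATCHLEVEL
      :fixed
    else
      :needs_update
    end
  [version, level, verdict]
end

# Maps a { host => banner } inventory to { host => verdict }.
def audit(inventory)
  Hash[inventory.map { |host, banner| [host, classify(banner).last] }]
end

# Constructed sample inventory, as might be collected by running `ruby -v`
# on each host.
SAMPLE = {
  "build01" => "ruby 1.9.3p448 (constructed banner) [x86_64-linux]",
  "build02" => "ruby 1.9.3p484 (constructed banner) [x86_64-linux]",
  "app01"   => "ruby 2.0.0p247 (constructed banner) [x86_64-linux]",
  "legacy"  => "jruby 1.7.4 (constructed banner)"
}

if __FILE__ == $0
  audit(SAMPLE).each { |host, verdict| puts "#{host}: #{verdict}" }
  # The interpreter running this script, via the built-in RUBY_DESCRIPTION.
  puts "local: #{classify(RUBY_DESCRIPTION).last}"
end
```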
PS: ruby-lang.org, it's a little unneighborly to disclose on a Friday; I'm sure the world's Ruby administrators could have used an extra weekday or two. No time is a good time for new vulns, but when Rapid7 discloses, we make every effort to make sure we coordinate around Wednesdays.
Alas, we just have the one new exploit that managed to get landed before the Ruby code review and update freak-out. I promise we'll have more next week, including the Metasploit module that exercises the aforementioned bug (it's landed on our development repo, but that won't be released until next week).
- DesktopCentral AgentLogUpload Arbitrary File Upload by Thomas Hibbert
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.