SAP SAPpy SAP SAP
We've been all SAP all the time here in the Independent Nations of Metasploit, and expect to be for the rest of the week. You might recall that Metasploit exploit dev, Juan Vazquez published his SAP survey paper a little while back; on Tuesday, we did a moderated twitter chat on the hashtag #pwnSAP with the major SAP-focused Metasploit contributors Bruno Morrison, Chris John Riley, and Dave Hartley; and today (Thursday, December 5), Juan and I will be hosting a webcast on the various and sundry SAP exposures that Metasploit covers, and There Will Be Demos and Q&A, so it should be fun.
The whole thing has been pretty eye-opening for me; there's been a bunch of movement in the research over the last 18-24 months or so, and I'm delighted that so many talented people are making noise about this in the form of Metasploit modules. Hopefully all this will raise some awareness of the risks and exposures involved with running huge, complex, interconnected systems like ERP in general.
In other (non-SAP) news, this week, we're shipping our first ever Silverlight exploit, which exploits MS12-022 (aka, CVE-2013-0074). That's exciting. Use your DNS MITM attacks to jack the Netflix domains, wait for Orange is the New Black fans to connect, and profit!
It's important to know that the vulnerability is in Silverlight proper, and not IE, so while our exploit targets Microsoft Internet Explorer only today, the vulnerability is actually cross-platform. So, now that we've done this groundwork of demoing how to write a Silverlight exploit in Metasploit, all we need now is some enterprising young researcher to port this to a working Apple implementation. Have at it!
I know, I know, last week we kind of cheated you out of your usual complement of new modules, thanks to the the Ruby float bug. To make it up to you, we have 14 new modules this week, including the Silverlight module mentioned above. Have at it! There's a lot of neat new attacks in there, so thanks again to our beloved community contributors for their efforts on these.
- NETGEAR ReadyNAS Perl Code Evaluation by juan vazquez, hdm, and Craig Young exploits CVE-2013-2751
- Apache Roller OGNL Injection by juan vazquez and Unknown exploits CVE-2013-4212
- Cisco Prime Data Center Network Manager Arbitrary File Upload by juan vazquez and rgod exploits ZDI-13-254
- Kimai v0.9.2 'db_restore.php' SQL Injection by Brendan Coles and drone
- MS12-022 Microsoft Silverlight ScriptObject Unsafe Memory Access by juan vazquez, James Forshaw, and Vitaliy Toropov exploits MS13-087
- MS13-090 CardSpaceClaimCollection ActiveX Integer Underflow by juan vazquez and Unknown exploits MS13-090
- Microsoft Tagged Image File Format (TIFF) Integer Overflow by sinn3r and Unknown exploits CVE-2013-3906
- ABB MicroSCADA wserver.exe Remote Code Execution by juan vazquez and Brian Gorenc exploits ZDI-13-270
Auxiliary and post modules
- ZyXEL GS1510-16 Password Extractor by Daniel Manser and Sven Vetsch
- Ruby on Rails JSON Processor Floating Point Heap Overflow DoS by todb, Charlie Somerville, and joev exploits CVE-2013-4164
- OpenMind Message-OS Portal Login Brute Force Utility by Karn Ganeshen
- Oracle ILO Manager Login Brute Force Utility by Karn Ganeshen
- OSX Network Share Mounter by Peter Toth and joev
- Windows Enumerate LSA Secrets by Rob Bathurst
- DesktopCentral AgentLogUpload Arbitrary File Upload by Thomas Hibbert
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.