Back from the UK!
As I mentioned last blog post, I was off last week in London, where I finally got the chance to meet an overflow of far-flung Metasploit and security luminaries, including the folks from 44Con and MWR Labs. My bucket list just got shorter. And yes, "overflow" is the correct collective noun for a gathering of security professionals and hackers.
Sadly, this means I completely missed last week's blog post, so this week will be a two-week wrap-up. We had some neat stuff land while I was away, so let's get to it.
OpenSSH Username Disclosure
First off, this isn't the fake OpenSSH memory disclosure bug, but something real, useful, and incidentally unpatched. William Vu worked with Metasploit open source contributor kenkeiras to implement an old-school timing attack on OpenSSH servers: the server takes measurably longer to reject a login attempt for a valid username than for a nonexistent one, and that difference can be used to suss out which usernames exist on a given system. While this module feels like a 90s-era info disclosure, the surprising bit is that this information leak does not appear to have a patch or any reasonable workaround.
As security professionals, we seem to be of two minds when it comes to username security. Passwords are obviously secret, and disclosing those is a Bad Thing, but we seem to be less sure about the confidentiality of usernames. On the one hand, they are pointedly not passwords: they're meant to be talked about, shared, and tied to particular people and services. On the other hand, knowing which usernames are valid collapses a blind brute-force attack from guessing username-and-password pairs to guessing passwords alone, which makes the attacker's job vastly easier.
When determining if something like this is a "real" vulnerability, it seems to mostly come down to the intent of the software. With OpenSSH, there is an implicit guarantee that usernames should not be harvestable, just like DNS zone transfers and SMTP VRFY commands shouldn't spill these weak secrets. How big of a deal is it when that guarantee is violated? It all depends on how seriously you take username security. It sure feels insecure. If you feel like this is a bigger deal, or not a deal at all, you're invited to comment below.
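To make the timing attack concrete, here is an added example of the decision logic behind such a probe. It is not the Metasploit ssh_enumusers module or any of its code; the names `enumerate_users`, `random_username` and `make_fake_probe` are mine. It assumes, as described above, that a rejected login for a valid user takes longer than one for a name that does not exist (sending a deliberately long password is a common way to widen that gap when the extra time comes from password hashing, but that detail is an assumption, not something the page states). The actual SSH client is abstracted into a caller-supplied `probe` lambda, and a constructed stand-in server is included so the logic runs offline:

```ruby
# Added example, not Metasploit's ssh_enumusers module: the decision logic of a
# response-time username probe. Measuring is delegated to a caller-supplied
# `probe` lambda (username -> seconds until the server rejects the login), so
# the same logic can be run against a simulated server with no network.

ALPHABET = ('a'..'z').to_a

# A throwaway name that almost certainly does not exist on the target; timing
# a handful of these gives the "invalid user" baseline for this host.
def random_username(length = 12)
  Array.new(length) { ALPHABET.sample }.join
end

def median(values)
  sorted = values.sort
  mid = sorted.length / 2
  sorted.length.odd? ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2.0
end

# Returns [threshold_seconds, { user => [median_seconds, likely_valid] }].
# The threshold is the baseline median plus either mad_factor times the median
# absolute deviation of the baseline (network jitter) or min_delta, whichever is
# larger, so a quiet network does not turn every small wobble into a "hit".
def enumerate_users(probe, candidates, baseline_rounds: 5, samples: 3,
                    mad_factor: 3.0, min_delta: 0.05)
  baseline = Array.new(baseline_rounds) { probe.call(random_username) }
  base = median(baseline)
  mad = median(baseline.map { |t| (t - base).abs })
  threshold = base + [mad_factor * mad, min_delta].max

  results = candidates.each_with_object({}) do |user, acc|
    # Several samples per candidate; the median discards one-off stalls.
    t = median(Array.new(samples) { probe.call(user) })
    acc[user] = [t, t > threshold]
  end
  [threshold, results]
end

# Constructed stand-in for a real SSH client talking to a vulnerable server
# (assumed behaviour, not measured data): every rejected login costs base_rtt
# plus jitter, and valid accounts additionally pay hash_cost for hashing the
# submitted password before the rejection is sent.
def make_fake_probe(valid_users, base_rtt: 0.20, hash_cost: 0.60, jitter: 0.02)
  lambda do |username|
    t = base_rtt + rand(-jitter..jitter)
    t += hash_cost if valid_users.include?(username)
    t
  end
end

if $PROGRAM_NAME == __FILE__
  probe = make_fake_probe(%w[root alice])
  threshold, results = enumerate_users(probe, %w[root alice bob mallory])
  puts format('threshold: %.3fs', threshold)
  results.each do |user, (t, valid)|
    puts format('%-10s %.3fs %s', user, t, valid ? 'LIKELY VALID' : '-')
  end
end
```

Against a real target, `probe` would be a lambda that opens a fresh SSH session, submits one password for the given user, and returns the elapsed time until the rejection; the baseline step should be repeated when the network path or server load changes, since the threshold is only meaningful relative to that host at that moment.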
I really hope you also hear that title in Freddie Mercury's voice. If not, then I'm kind of sad for you. You're really missing out, and you probably mistook the photo at right for a scene from one of the 300 movies.
That said, we have another two modules for the seemingly endless parade of Flash bugs. Both were originally disclosed by that rascal of a security researcher, "Unknown," and implemented by our own Juan Vazquez, with some help from his shadowy network of contacts and informants in general and one Bannedit in particular.
Take a moment to read up on the module and the references for the Flash Integer Underflow bug and the Flash Type Confusion issue, because I'm sure you're going to need that background for next week's release. In case you haven't noticed, this spring is starting to feel a lot like last year's Javapocalypse. Maybe it's time to give Silverlight another chance? What could go wrong?
The 2014 T-Shirt Cometh
As of this moment, you have another week to get your T-shirt design in for the Second Annual Metasploit T-Shirt Design Contest. Right now the 99Designs page is claiming something like two hours to go, but never mind that -- believe me, you have a week. So, forget all those findings reports and boring IT meetings you need to prepare for, and finish off your chest-mounted masterpiece. Feel free to include some kind of weird 80s sci-fi reference, since that will obviously work for me.
For the last two weeks, we've got ten new modules for your exploitation pleasure, including those discussed above. The Wireshark vulnerability is especially close to my heart, since approximately 99% of all people who are likely to get owned by an exploit in Wireshark are terribly, terribly interesting targets: security analysts, network engineers, and the like. These are people who tend to have cached credentials to lots of infrastructure.
Exploit modules
- AlienVault OSSIM SQL Injection and Remote Code Execution by Sasha Zivojinovic and xistence exploits OSVDB-106252
- Apache Struts ClassLoader Manipulation Remote Code Execution by Mark Thomas, Przemyslaw Celej, and Redsadic exploits CVE-2014-0112
- Mac OS X NFS Mount Privilege Escalation Exploit by joev and Kenzley Alphonse
- Adobe Flash Player Integer Underflow Remote Code Execution by juan vazquez and Unknown exploits CVE-2014-0497
- Adobe Flash Player Type Confusion Remote Code Execution by juan vazquez, Unknown, and bannedit exploits CVE-2013-5331
- Wireshark wiretap/mpeg.c Stack Buffer Overflow by Wesley Neelen and j0sm1 exploits CVE-2014-2299
- Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei) by Ben Campbell, Donato Capitella, Jon, and Nils exploits CVE-2013-1300
Auxiliary and post modules
- F5 BigIP Backend Cookie Disclosure by Thanat0s
- SSH Username Enumeration by kenkeiras exploits CVE-2006-5229
- Multiplatform WLAN Enumeration and Geolocation by Tom Sellers
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.