First things first -- today is International Talk Like a Pirate Day, which is great for me, given my office decor. Arrr! So grab a flagon of grog, and read on, ye landlubbers!

Updates to the Android Universal XSS bug (CVE-2014-6041)

This has been a pretty busy week for us here in Metasploit Nation. You probably heard about Rafay Baloch's kind of massive SOP-busting Android disclosure affecting the stock Android Open Source browser. Well, we've been digging into this some more, and have a couple new findings to report.

First off, it's not limited to just the AOSP browser. Other browsers that use the vulnerable version of WebView are also affected. We've successfully exploited both the Maxthon Browser (which claims 600 million downloads) and the CM Browser (which is has 10 million to 50 million installs). We're confident there are plenty of apps that use WebView that are vulnerable to this UXSS, and so far, I haven't seen a lot of patching activity beyond Google's upstream patches to Android (reported to us by Paul Irish of Google). Of course, patching upstream doesn't really help the downstream users, unless and until the carriers and handset manufacturers roll it out. So, if you're on a pre-4.4 phone (which is likely, given that 75% of all active Android devices are pre-KitKat), be careful out there. Consider using an alternative, non-vulnerable browser -- Google Chrome and Mozilla Firefox are fine choices, assuming you have enough hardware oomph to run them.

Second, we've landed a fix to the Metasploit module to better enable integration with BeEF, the Browser Exploitation Framework. BeEF, by Wade Alcorn and friends, is a pretty powerful exploit toolkit that takes advantage of cross-site scripting bugs to "hook" browsers into doing the bidding of the BeEF operator. In fact, we shot a quick five minute video yesterday to demonstrate this functionality.

While most demos involving BeEF do silly things like play pirate sea shanties on the victim's device, keep in mind that the security context of the code executed is that of the XSS-vulnerable site. With a universal XSS bug (UXSS) like this, all sites are vulnerable. It becomes trivial for attackers to GET and POST on behalf of the user to any site the user is authenticated to -- Facebook, company webmail, Amazon Ali Baba... the level of hijinks is really only limited by the imagination of the attacker. This is why a breakdown of the Same Origin Policy is so damaging; it's just about the worst thing that can happen to a web browser, or anything with browser-like functionality, short of a full shell.

Obfuscating Metasploit-Delivered Javascript

Also this week, Wei sinn3r Chen has been busily updating the Metasploit Framework Wiki with new material on obfsucating Javascript code for Metasploit module developers. One of the challenges penetration testers face is not being able to use an exploit against a vulnerable target due to layers of signature-based detections or preventions. As an exploit dev, it's important to take this into consideration during development. There are many ways to do this, of course. Javascript-based exploits are relatively easy to modify, so usually you can just change a few lines and make your exploit undetectable by your target's anti-virus, HIDS, or other protection mechanisms. You can make the browser not cache anything, so some anti-virus products simply do not even see the malicious code. Or you can obfuscate, which provides more automation and easier to maintain. To learn more about Metasploit's JavaScript obfuscation APIs, you can read up on them here.

In addition, Wei and Joe Vennix (and friends) are also in the process of spinning out JSObfu as a Ruby gem. It was originally written by James Egypt Lee back in 2011, and it's high time for a refresh. We just stood up the GitHub repo today, so if you'd like to follow along and help out, pull requests accepted.

New Modules

Over the last week, we've added four new modules -- one exploit, and three auxiliary modules.

Exploit modules

Auxiliary and post modules

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness upon the next official update; you can check for these updates through the Software Updates menu under Administration.