A Post-POODLE World
Well, it's another week, and another infosec community panic attack. If you're reading this blog, you're almost certainly the sort of person who already heard about the POODLE attack on SSLv3 from Google, or saw our own Jen Ellis's writeup over on Rapid7's Information Security blog. This week's Metasploit release addresses POODLE in a few ways to make sure that our beloved penetration testers don't get bitten by this bug, as well as to ensure that our own exploits and auxiliary modules still function as expected in a post-POODLE networked world.
The Metasploit Web UI
Metasploit Pro, Metasploit Express, and Metasploit Community now support only TLSv1 and later as the minimum protocol version. If you're using a browser that doesn't support TLSv1, well... you probably shouldn't be mucking around with penetration testing software, since you're on a browser and operating system that almost certainly has other remote code execution bugs. It would be a bummer if one of your targets started hacking you back, after all.
Metasploit modules which target services over HTTPS now automatically negotiate the TLS/SSL version by default. This is an important change, because previously we preferred SSLv3 for targets. Before this week, nearly all web servers -- especially those hosting vulnerable applications -- would accept SSLv3, but might or might not accept TLSv1. In today's post-POODLE world, though, we can't be sure that's the case. This is an improvement to SSL negotiation for attack traffic that's been a long time coming anyway, so thanks to Google for making this announcement! Also, if there is an attack or probe that must use SSLv3 because a legacy target enforces it, module writers can prefer that version specifically. Handy!
Meterpreter sessions now prefer TLSv1, but can fall back to SSLv3 if needed. Like the module change, this is mostly to ensure continued functionality. We're predicting that sites that have deep packet inspection (DPI) devices, such as intrusion prevention systems (IPSes) and protocol-aware firewalls, will likely start blocking SSLv3 as a matter of course to avoid giving away their users' secrets to nosy Internet scoundrels. Therefore, we want to ensure our not-quite-benign traffic can also communicate across these egress-controlled networks. You can see the difference in Meterpreter traffic on OJ @TheColonial Reeve's testing screenshots.
The Metasploit RPC client now prefers TLSv1 over SSLv3, like all normal clients should.
This flurry of activity is but one example of custom, non-browser, SSL-aware software that needed human intervention to keep working in the face of the death of SSLv3. I doubt we're alone here; I imagine there are hundreds to thousands of similar applications that use the standard SSL APIs available on every operating system and chose SSLv3 as a then-sensible default, banking on the fact that pretty much anything can talk SSLv3. Thanks to Cloudflare's statistics, we now know that SSL traffic (as opposed to TLS traffic) seems to account for around two percent of all Internet traffic -- and most of that is automated crawlers and malicious traffic. Hey, who's calling Meterpreter malicious? It's merely a remote administration tool... right?
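The SSLv3 blocking by DPI devices described above, as an added example that is not Metasploit's own code: a small Ruby parser that reads the protocol version out of a ClientHello or ServerHello record and flags SSLv3, run over constructed sample records. It assumes the pre-TLS1.3 rule that the hello's version field is authoritative, and does not handle the SSLv2-compatible ClientHello format.

```ruby
# Protocol versions as they appear on the wire, as (major, minor) byte pairs.
VERSION_NAMES = {
  [3, 0] => 'SSLv3', [3, 1] => 'TLSv1.0', [3, 2] => 'TLSv1.1', [3, 3] => 'TLSv1.2'
}.freeze
HANDSHAKE    = 0x16  # TLS record content type
CLIENT_HELLO = 1     # handshake message types
SERVER_HELLO = 2

# Parse the first record of a flow. Returns a hash with the sending side and the
# version carried in the hello (the negotiated version for a ServerHello, the
# highest offered version for a pre-TLS1.3 ClientHello), or nil for anything else.
def parse_hello(bytes)
  return nil if bytes.bytesize < 11
  content_type, rec_major, rec_minor, rec_len = bytes.unpack('CCCn')
  return nil unless content_type == HANDSHAKE
  body = bytes.byteslice(5, rec_len)
  return nil if body.nil? || body.bytesize < 6
  hs_type, len_hi, len_lo, hs_major, hs_minor = body.unpack('CCnCC')
  return nil if ((len_hi << 16) | len_lo) + 4 > body.bytesize  # truncated handshake
  side = { CLIENT_HELLO => :client, SERVER_HELLO => :server }[hs_type]
  return nil unless side
  { side: side,
    record_version: VERSION_NAMES.fetch([rec_major, rec_minor], 'unknown'),
    hello_version:  VERSION_NAMES.fetch([hs_major, hs_minor], 'unknown') }
end

# Egress-filter style verdict: a ServerHello at 3.0 means SSLv3 was actually
# negotiated; a ClientHello at 3.0 means the client cannot offer anything newer.
def sslv3_verdict(bytes)
  hello = parse_hello(bytes)
  return :not_a_hello if hello.nil?
  return :ok unless hello[:hello_version] == 'SSLv3'
  hello[:side] == :server ? :alert_sslv3_negotiated : :alert_sslv3_only_client
end

# Constructed sample records (not captures). Bytes after the version are filler:
# 32-byte random, empty session id, one cipher suite, null compression.
def build_hello(hs_type, rec_version, hs_version)
  hs_body = hs_version.pack('CC') + ("\x00" * 32) + "\x00" + "\x00\x2f" + "\x00"
  hs = [hs_type].pack('C') + [hs_body.bytesize].pack('N')[1, 3] + hs_body
  [HANDSHAKE, rec_version[0], rec_version[1], hs.bytesize].pack('CCCn') + hs
end

if __FILE__ == $0
  puts sslv3_verdict(build_hello(SERVER_HELLO, [3, 0], [3, 0]))  # alert_sslv3_negotiated
  puts sslv3_verdict(build_hello(CLIENT_HELLO, [3, 1], [3, 3]))  # ok
end
```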
Since I somehow managed to skip last week's update blog post, here are the new modules landed in the last couple of weeks. Of special note is the Bluetooth Personal Area Networking (BthPan.sys) local privilege elevation exploit from our friends at @KoreLogic. You remember that XP is end of life, right? This means the likelihood of a patch for this vuln is extremely small -- you can bet that this will remain a reliable vector for extending control on XP platforms forever.
- F5 iControl Remote Root Command Execution by bperry exploits CVE-2014-2928
- Wordpress InfusionSoft Upload Vulnerability by g0blin and us3r777 exploits CVE-2014-6446
- Rejetto HttpFileServer Remote Command Execution by Daniele Linguaglossa and Muhamad Fadzil Ramli exploits CVE-2014-6287
- Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation by Jay Smith and Matt Bergin exploits CVE-2014-4971
Auxiliary and post modules
- Microsoft SQL Server - Escalate Db_Owner by nullbind
- HP Operations Manager Perfd Environment Scanner by Roberto Soares Espreto
- Jenkins-CI Login Utility by Nicholas Starke
- ARRIS / Motorola SBG6580 Cable Modem SNMP Enumeration Module by Matthew Kienow exploits OSVDB-110555