Internet Explorer "unicorn" bug: CVE-2014-6332
This week, we shipped a brand new exploit for the "unicorn" bug in Microsoft Internet Explorer, CVE-2014-6332, not-so-prosaically entitled, Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution. This is a big deal client-side vulnerability for the usual reason that Internet Explorer 11 accounts for about a quarter of browser traffic today; nearly always, remote code execution bugs in latest IE are usually particularly dangerous to leave unpatched in your environment. The buzz around this bug, though, is that it's been exploitable since at least Internet Explorer 3. Old bugs are old, of course, so that's not particularly exciting, but this does mean that all those old and crusty workstations that litter factory floors, retail warehouses, and other dark and dusty corners of the Internet are likely to see some new activity.
The Metasploit implementation currently does require Windows PowerShell, so you won't have much luck using this exploit against IE3 in the real world -- PowerShell is really only reasonable to expect to see on Windows 2008 and later, so patches are definitely accepted to get this exploit vector more generalized -- check out the discussion on Pull Request 4255 if you're interested in working with Wei sinn3r Chen and spdfire on solving some of the current limitations.
A New Hire Approaches!
This has been an exciting week here at the People's Republic of Metasploit. We've hired on Brent Cook as "Payload Wizard" here at Rapid7. Brent is longtime Austin-area hacker, programming generalist, and on the LibreSSL development team. Brent has been to getting his hands (and brain) dirty this week getting up to speed on the various flavors of Meterpreter, and will be working closely with the open source community to ensure portability and feature completeness for the Linux, Python, Java, and as-yet-to-be-implemented versions of Metasploit's flagship payload. In addition to the various Meterpreters (Meterpoli?), Brent is also going to be guiding the discussion that starts with, "So, I have shells on all these computers/phones/devices... now what?" We've never had someone focused specifically on post-exploit payloads, and Brent has hands-on familiarity with lots of interesting platforms and architectures, so expect to have a lot more post-exploit options coming up soon. Finally, and as if that weren't enough, Brent will be pitching in with Project Sonar and other Rapid7 Labs initiatives and projects, since he also happens to be pretty whiz-bang at network programming and backend optimization.
I've known Brent for a few years now, and am super excited to have him full time on the Rapid7 Metasploit Framework team. Feel free to send your Internet high fives to @busterbcook and get ready for 2015's overhaul of the Meterpreter landscape.
Since we last left our heroes, we've picked up eight new modules for your exploitation pleasure.
- Pandora FMS SQLi Remote Code Execution by Jason Kratzer and Lincoln
- Tincd Post-Authentication Remote TCP Stack Buffer Overflow by Martin Schobert and Tobias Ospelt exploits CVE-2013-1428
- Mac OS X IOKit Keyboard Driver Root Privilege Escalation by joev and Ian Beer exploits CVE-2014-4404
- Microsoft Internet Explorer Windows OLE Automation Array Remote Code Execution by GradiusX, Rik van Duijn, Robert Freeman, Wesley Neelen, b33f, and yuange exploits CVE-2014-6332
Auxiliary and post modules
- Microsoft SQL Server SUSER_SNAME Windows Domain Account Enumeration by antti and nullbind
- Microsoft SQL Server - SQLi SUSER_SNAME Domain Account Enumeration by antti and nullbind
- WildFly Directory Traversal by Roberto Soares Espreto exploits CVE-2014-7816
- Windows Active Directory Wordlist Builder by Thomas Ring