Metasploit 4.11.1 Released!

Hi all! I'm happy to announce that Metasploit 4.11.1, the latest dot version of Metasploit Community, Express, and Pro has been released. You can fetch the updates using the usual methods -- in the UI, with msfupdate, or with apt-get, depending on your binary distribution. Git source checkouts don't really notice these version bumps, of course, since the normal bundle install && git pull -r commands will take care of everything, and if you're that sort, you're tracking bleeding-edge HEAD anyway.

The release notes have been published here, thanks to Metasploit Documentrix Thao Doan, but the fundamental reason for this update is to get Metasploit up to Ruby 2.1.5. So, you should enjoy some fairly significant performance speedups once you get yourself updated -- it's like adding racing stripes to the side.

Adventures in UXSS

This has been a pretty big week with universal cross-site scripting (UXSS) bugs. Unlike your usual XSS, UXSS bugs live in your browser, not a particular web page, which spells trouble for your view of the World Wide Web. In order to demonstrate the disastrous effects of leaving UXSS unpatched, we disclosed R7-2015-02, a bug in the implementation of X-Frame-Options (XFO) on the web version of Google's Play Store. This XFO gap can be combined with previously disclosed UXSS bugs present in several Android browsers.

Unfortunately, it looks like Google is pretty adamant about not developing patches for pre-KitKat Android browsers, so expect to see the trend in Android malware masquerading as legitimate Play Store apps march steadily forward. More broadly, non-malicious, but merely unscrupulous, app developers have every incentive to continue preying on these (often brand new) lower-end devices, since installing and triggering their apps without user knowledge or assent is pretty drop-dead easy and I imagine a fine way to boost your installation numbers.

It's important to reiterate that the module by Joe Vennix depends on a gap in X-Frame-Options-based protections around the Play Store. It's possible that Google could mitigate this attack for pre-KitKat browsers on that front, but unfortunately, XFO protections are really difficult to implement correctly today. XFO is great for isolating certain valuable pages from getting iframed by some other web site for the purpose of clickjacking. However, relying on XFO as a defense against all JavaScript injection seems to be a bit of a Quixotic quest: every response under the origin has to carry the header, so it's just too easy to miss one important vector, especially if you have a domain footprint as big as google.com -- or come to think of it, microsoft.com.

Speaking of Microsoft, this week, Metasploit exploit warrior-monk Wei "sinn3r" Chen also banged out a UXSS exploit for a vulnerability disclosed in the most recent versions of Microsoft Internet Explorer. Patch Tuesday has come and gone, but alas, this Same-Origin Policy (SOP) busting bug has not been fixed yet. So, if your current penetration testing engagement includes a phishing component, and your client makes heavy use of Internet Explorer and some intranet-based Web services, now is a pretty excellent time to get some XSS action on those sweet, sweet trusted local intranet zones. Metasploit ships with a few sample UXSS snippets to get you thinking about how to best leverage a UXSS to demonstrate risk.

Note that while the currently committed module does not support automatic XFO-busting today (unlike the Play Store module), that doesn't mean evading XFO is impossible. Such evasions tend to be fairly site-specific, but the tactic of sending an overlong URL to trigger a 414 (rather than a 404) response code seems to be pretty reliable for many web server configurations. In other words, if you'd like to take a crack at updating the IE UXSS module to be more generally useful in the face of XFO, patches are accepted.
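To make the XFO coverage problem from the two paragraphs above concrete, here is an added example that is not from the original post, the Metasploit project, or Google: a small Ruby audit helper that takes a set of responses as status code plus headers and reports which ones a browser would let another origin load in an iframe. The paths and responses are constructed samples chosen to show the usual failure modes: a page that forgot the header, an invalid double value that browsers discard, ALLOW-FROM (which Chrome and Safari never supported and therefore ignore), and a 414 for an overlong URL that is typically generated by the front-end web server before the application code that sets XFO ever sees the request. A CSP frame-ancestors directive is counted as protective too, since it supersedes X-Frame-Options in browsers that support it.

```ruby
# Added example (not Metasploit's or Google's code): audit a set of HTTP responses
# for framing protection. Every response below is a constructed sample, not a capture.

# Policies that actually stop a cross-origin iframe. ALLOW-FROM is deliberately
# excluded: browsers that never supported it (Chrome, Safari) ignore the whole header.
PROTECTED_POLICIES = %i[deny sameorigin csp_frame_ancestors].freeze

# Header names are case-insensitive, so key the hash by lowercase name.
def normalize_headers(headers)
  headers.each_with_object({}) { |(name, value), h| h[name.to_s.downcase] = value.to_s.strip }
end

# Pull the value of a CSP frame-ancestors directive, or nil if absent or empty.
def csp_frame_ancestors(csp)
  return nil if csp.nil?
  directive = csp.split(';').map(&:strip).find { |d| d.downcase.start_with?('frame-ancestors') }
  return nil if directive.nil?
  value = directive.split(/\s+/, 2)[1]
  value.nil? || value.empty? ? nil : value
end

# Classify one response's framing policy:
#   :csp_frame_ancestors, :deny, :sameorigin, :allow_from, :conflicting or :unprotected
def frame_policy(headers)
  h = normalize_headers(headers)
  # frame-ancestors takes precedence over X-Frame-Options in browsers that support CSP 2.
  return :csp_frame_ancestors if csp_frame_ancestors(h['content-security-policy'])

  xfo = h['x-frame-options']
  return :unprotected if xfo.nil? || xfo.empty?

  # "DENY, SAMEORIGIN" style double values are invalid and ignored by browsers.
  values = xfo.split(',').map { |v| v.strip.upcase }.uniq
  return :conflicting if values.size > 1

  case values.first
  when 'DENY' then :deny
  when 'SAMEORIGIN' then :sameorigin
  when /\AALLOW-FROM\s+\S+\z/ then :allow_from
  else :unprotected # unrecognised value: the header is ignored, so no protection
  end
end

# Audit {path => [status, headers]} and return one row per response.
def audit_framing(responses)
  responses.map do |path, (status, headers)|
    policy = frame_policy(headers)
    { path: path, status: status, policy: policy, frameable: !PROTECTED_POLICIES.include?(policy) }
  end
end

# Paths whose response a hostile page could load in an iframe.
def frameable_paths(responses)
  audit_framing(responses).select { |row| row[:frameable] }.map { |row| row[:path] }
end

# Constructed sample responses (hypothetical paths). Note the 414: an overlong URL is
# typically rejected by the web server itself, before the application that adds XFO sees it.
SAMPLE_RESPONSES = {
  '/store/apps'            => [200, { 'X-Frame-Options' => 'SAMEORIGIN', 'Content-Type' => 'text/html' }],
  '/store/apps/details'    => [200, { 'Content-Security-Policy' => "default-src 'self'; frame-ancestors 'none'" }],
  '/store/legacy'          => [200, { 'Content-Type' => 'text/html' }],
  '/store/apps/<overlong>' => [414, { 'Content-Type' => 'text/html', 'Server' => 'example-httpd' }],
  '/store/missing'         => [404, { 'X-Frame-Options' => 'DENY, SAMEORIGIN' }],
  '/store/partner'         => [200, { 'X-Frame-Options' => 'ALLOW-FROM https://partner.example' }]
}.freeze

if __FILE__ == $PROGRAM_NAME
  audit_framing(SAMPLE_RESPONSES).each do |row|
    flag = row[:frameable] ? 'FRAMEABLE' : 'ok'
    puts format('%-9s %3d %-20s %s', flag, row[:status], row[:policy], row[:path])
  end
end
```

To use it against a real site, replace SAMPLE_RESPONSES with status codes and headers fetched via Net::HTTP. The design point is that the audit has to include the error pages (404, 414, and friends) served by the front-end web server, not just the application's normal pages; a site that sets XFO only in application code will pass a check of its happy paths and still leave the server-generated responses frameable.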

New Modules

Since last week, we have four new exploits, and two new auxiliary modules (the latter being the two above-discussed UXSS-based modules). At long last, we're now shipping a towelroot-workalike module for local rooting of Android devices, thanks primarily to Tim Wright, Brent Cook, and of course, noted iPhone hacker and gentleman-about-town, Geohot. Also in the realm of local privilege escalation is Jay Smith and Matt Bergin's implementation of MS14-070, a tricky elevation bug in some versions of tcpip.sys (details on Korelogic's blog). We don't often do a lot in the way of local exploits, given that Metasploit is much more remote-oriented, but it's nice to see two come in on the same week.

Exploit modules

Auxiliary and post modules

For additional details on what's changed and what's current in 4.11.1, please see Thao's most excellent release notes.