This week's release sees a quiet vulnerability fix, an exploit against an unpatched vulnerability in Microsoft's XML Core Services, and some helpful new/old commands, as well as the usual pile of exploity goodness you've come to expect from the Metasploit kitchen.
Vulnerabilities? In My Metasploit?
It's more likely than you think. Like all reasonably complex software packages, Metasploit occasionally ships with security vulnerabilities. Lucky for us, our user base tends to be pretty sophisticated when it comes to discovering and reporting vulns in our product, so these bugs are usually pretty short-lived. This week, Borja Merino discovered one, reported it in over the weekend, and we rolled an emergency fix out that day.
If you have a security vulnerability in Metasploit, I would be super-grateful if you reported it to security@metasploit.com so that we can roll out a fix. Here at Metasploit we stick to a 60-day disclosure policy for vulnerabilities that we discover independently, so we'd appreciate the heads-up the next time a Metasploit vuln surfaces. In return, we'll be sure you get credited with discovery and all that.
Speaking of Zero-Day...
This release contains a module for an unpatched vulnerability in Microsoft's XML Core Services. The module exercises the vuln via Internet Explorer, and is currently unpatched. For more details on that, see Wei "sinn3r" Chen's blog post from earlier this week. For tips on how to avoid getting exploited out on the wild Internet, keep an eye on Microsoft's Security Advisory 2719615. In the mean time, the Metasploit module appears to be the best way to test your exposure, given whatever mitigation you settle on while waiting for a patch.
Deprecated Commands
This week, Metapsloit core developer James "egyp7" Lee tackled a persistent problem we've been having on the IRC channel -- people who have read Metasploit: The Penetration Tester's Guide and who subsequently notice that commands like db_host are no longer functional. Egypt has instituted a deprecated commands system for msfconsole now, so users who try db_hosts, db_services, etc. get a helpful redirect to the correct "hosts" or "services" command. In addition, since it's been about eight months since db_autopwn was deprecated out and people still ask about it, we suspect that's floating around in documentation as well -- so that command gives a helpful link to HD Moore's blog post, Six Ways to Automate Metasploit.
New Modules
Finally, here's the list of this week's new modules. Thanks to all of our open source contributors for their work on these.
- Intersil (Boa) HTTPd Basic Authentication Password Reset by Claudio "paper" Merloni, Luca "ikki" Carettoni, and Max Dietz exploits BID-25676
- F5 BIG-IP SSH Private Key Exposure by egypt exploits CVE-2012-1493
- WordPress plugin Foxypress uploadify.php Arbitrary Code Execution by Sammy FORGIT and patrick exploits BID-53805
- MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption by juan vazquez, Dark Son, Unknown, and Yichong Lin exploits MS12-037
- Microsoft XML Core Services MSXML Uninitialized Memory Corruption by sinn3r, juan vazquez, binjo, and inking26 exploits CVE-2012-1889
- Lattice Semiconductor PAC-Designer 6.21 Symbol Value Buffer Overflow by sinn3r, juan vazquez, and Unknown exploits CVE-2012-2915
- TFM MMPlayer (m3u/ppl File) Buffer Overflow by Brendan Coles and RjRjh Hack3r exploits OSVDB-80532
- ComSndFTP v1.3.7 Beta USER Format String (Write4) Vulnerability by ChaoYi Huang, corelanc0d3r, mr_me, and rick2600 exploits OSVDB-82798
- EZHomeTech EzServer v6.4.017 Stack Buffer Overflow Vulnerability by modpr0be exploits EDB-19266
- PHP apache_request_headers Function Buffer Overflow by juan vazquez and Vincent Danen exploits CVE-2012-2329
Availability
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.
For additional details on what's changed and what's current, please see the most excellent release notes.
