Exploiting Internet Explorer (MS13-055)
This week, we open with a new IE exploit. This is a pretty recent patch (from July, 2013), and more notably, it appears the bug was silently patched without attribution to the original discoverer, Orange Tsai. So, if you're a desktop IT admin, you will certainly want to get your users revved up to the latest patch level. Thanks tons to Peter "WTFuzz" Vreugdenhil and of course Wei "sinn3r" Chen for knocking this exploit out.
While the silent patch killed Orange's 0-day a week before he was scheduled to present it at Hitcon, this does seem to imply that the folks at Microsoft are getting better and better at running their own fuzzers against Internet Explorer. That's ultimately Good News for the Internet, and demonstrates that software vendors continue to take post-development security seriously.
That said, let's take a look at the other end of the spectrum...
GE Proficy Directory Traversal (ICSA-13-022-02)
Also this week, we have a new module from our own Juan Vazquez, exploiting a bug found in GE Proficy Cimplicity (specifically its WebView component). For details, see the link below. With it, unauthenticated users can snag pretty much any file off of the target (Windows-based) machine, which of course includes sensitive files.
I bring this module up in particular because GE Proficy is used in SCADA applications, which, if you've been paying attention, means that there is a huge, largely untapped attack surface there. Take this bug for example; it's a straight directory traversal. No need for fancy encodings, tricky filter evasions, or anything like that; just ../../../../ your way up to the goods on the machine running this web server.
I know, pretty leet.
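To make the "straight directory traversal" concrete, here is an added example (not the Metasploit module's code, and not anything from GE's product) in Ruby, the framework's own language. It shows the vulnerable pattern, gluing a request path onto a document root and letting the filesystem collapse the ../ segments, next to the hardened pattern, which resolves the path and then refuses anything that does not stay under the root. The document root, file names and request paths are constructed for the example; the canonicalisation step also percent-decodes and treats backslashes as separators, which goes a little beyond the plain ../ case the post describes, because a check that only looks for a literal "../" is the kind of filter the next traversal bug walks past. It assumes a POSIX host, where File.expand_path stops climbing at "/".

```ruby
require 'cgi'

# Constructed document root for this example; not a real Proficy path.
WEB_ROOT = '/srv/webview/www'

# Normalise a request path the way a server would before touching disk:
# percent-decode, then treat backslashes as separators (the target is Windows,
# where "..\..\" climbs just as well as "../../").
def canonical_request(requested)
  CGI.unescape(requested).tr('\\', '/')
end

# Vulnerable pattern: append the request path to the root and let the
# filesystem collapse the ../ segments. Nothing stops the result from
# walking out of the root, so "../../../../etc/passwd" resolves to /etc/passwd.
def naive_resolve(root, requested)
  File.expand_path(canonical_request(requested), root)
end

# Hardened pattern: resolve exactly as above, then refuse any result that is
# not the root itself or a descendant of it. Returns nil on traversal.
# The trailing slash on the prefix matters: without it, a sibling directory
# such as /srv/webview/www2 would pass the check.
def safe_resolve(root, requested)
  resolved = File.expand_path(canonical_request(requested), root)
  bare_root = root.chomp('/')
  return resolved if resolved == bare_root || resolved.start_with?(bare_root + '/')
  nil
end

# Detection view: does a logged request path escape the root? Handy for
# scanning access logs for traversal attempts regardless of encoding.
def traversal_attempt?(root, requested)
  safe_resolve(root, requested).nil?
end

if $PROGRAM_NAME == __FILE__
  # Constructed request paths: one legitimate, three traversal variants.
  samples = [
    'pages/index.html',
    '../../../../etc/passwd',
    '%2e%2e/%2e%2e/boot.ini',
    '..\\..\\..\\windows\\win.ini'
  ]
  samples.each do |s|
    puts format('%-30s naive=%-28s safe=%s', s, naive_resolve(WEB_ROOT, s), safe_resolve(WEB_ROOT, s).inspect)
  end
end
```

Run it and the naive column shows every traversal variant landing outside /srv/webview/www, while the safe column returns nil for each of them and a real path only for the legitimate request. The important design point is that the hardened check compares the resolved path, not the raw request string, so it is indifferent to how many ../ segments, what encoding, or which separator the attacker used.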
I don't want to knock GE too hard on this, of course, since this is pretty much the state of affairs with any class of security bug you care to name when it comes to SCADA and embedded devices. Working on auditing these applications is like stepping back into the 20th Century while being armed with fancy, free exploit toolkits from the 21st.
I've worked on some disclosure material with ICS-CERT, which is the clearinghouse for these kinds of vulnerabilities, and I know those guys are plenty capable and know what they're doing. I just feel like we see this kind of thing in SCADA-land over, and over, and over again, so I kind of feel like we're getting something wrong, as a security industry, when it comes to educating these hardware vendors on how to conduct themselves when releasing software. What can we do better? How can we impart the last 10 years of secure coding know-how to the people that are providing critical infrastructure? I'm hopeful that if Metasploit modules attacking this stuff get out there in the public, it'll be a wake-up call. Is there a better way?
It was as if a million tabs cried out in terror, and were suddenly silenced. As threatened in last week's blog post, we pulled the trigger on retabbing two big chunks of Metasploit, the /lib and /modules directories. If you're a Metasploit contributor, and you notice that your recent or upcoming pull request is suddenly in a conflicted state, this is almost certainly why. Dealing with it is pretty straightforward -- please see http://r-7.co/MSF-TABS for some instructions on how to unconflict your shiny new patches and feature additions.
Note, this won't interfere at all with entirely new modules (which is why not all of the outstanding PRs were conflicted), but even so, you should get used to the normal two-space soft tabs (spaces, not tab characters) for your Metasploit programming. In the meantime, now is a fine time to rebase your own fork of the rapid7/metasploit-framework master branch against ours. On normal ISP speeds, this should take but a moment, even though it's more than a half-million lines of change. Aren't you glad we ditched SVN last year?
We've got five new modules this week: two exploits, two auxiliary modules, and one post.
Exploit modules
- MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free by sinn3r, Orange Tsai, and Peter Vreugdenhil exploits MS13-055
- HP SiteScope Remote Code Execution by juan vazquez and rgod exploits ZDI-13-205
Auxiliary and post modules
- GE Proficy Cimplicity WebView substitute.bcl Directory Traversal by juan vazquez and Unknown exploits CVE-2013-0653
- Samba read_nttrans_ea_list Integer Overflow by Jeremy Allison and dz_lnly exploits CVE-2013-4124
- CUPS 1.6.1 Root File Read by Jann Horn and joev exploits CVE-2012-5519
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.