Disclosure for FOSS Projects
Earlier today, we published seven modules for newly disclosed vulnerabilities that target seven free and open source (FOSS) projects, all discovered and written by long-time Metasploit contributor Brandon Perry. These vulnerabilities moved through Rapid7's usual disclosure process, and as you can read in the summary blog post, it was a little bit of an adventure. These were not projects like Linux or Apache with bazillions of downloads and installed basically everywhere, but more on that second and third tier of free software projects which have merely millions of downloads or tens of thousands of users.
One thing that occurred to me is that these may be the first, or at least among the first, vulnerabilities disclosed to many of these software vendors. Collectively, these applications have been downloaded more than 16 million times, so it seems weird that the vendors' disclosure handling wasn't a little more normalized.
Of course, the way to get good at anything is to practice, so publishers of free software at this level of popularity could use some practice fielding new vulnerability disclosures. To that end, if you're a user of these applications (or other mildly popular applications), you may want to take a look at their openly published source and binaries to see if you can't uncover some vulnerabilities yourself. After all, that's part of the compact we have with FOSS publishers -- they make their materials free to open inspection, but someone actually has to do the inspection.
As you can see in the technical writeup, most of these exposures aren't terribly complicated once you start looking. These issues were uncovered and exploited by Brandon primarily during some downtime at DEFCON 2013, so it's not like it was a particularly complicated approach to bug hunting.
Inspecting open source software for security issues is a public good that pretty much anyone with technical chops can get into -- you can practice your exploit dev skills, and the software developers can practice handling disclosures once you report them -- either directly or through a third party like ZDI or your friends here at Rapid7. There are tons of books and websites on security best practices and vulnerability research to get you started, and lots of helpful researchers on the Internet to help you along the way. All I ask is that you disclose your findings reasonably and give the vendor time to patch and time to warn their user base about the issues. That way, you're not needlessly injecting extra instability into the Internet as a whole.
A Quick Respin of 4.7.2
You may have noticed that we didn't release an update for Metasploit last week. Instead, we were chasing down, fixing, and re-releasing the update to fix a bug in the way the Postgres database is upgraded for Metasploit Community and Metasploit Pro. If you haven't noticed any problems, you're in the majority, and there's no need to reapply anything -- the bug only appears to have hit (a very few) isolated platforms where the end users a) were not on supported platforms and b) had altered their own local database configurations. If you happen to be in this group, then simply reinstalling the newly re-released update will get you squared away. Again, this affected a small set of users (I can count them on one hand) and wasn't a security issue or anything, just a configuration conflict.
We're shipping a whopping 16 new exploits, including the seven from bperry, eight new auxiliary modules, and one new post module. At a grand total of 25 new modules, it's been a busy week in the People's Glorious Republic of Metasploit. Thanks to all the various and sundry contributors for your efforts this week.
Exploit modules
- D-Link DIR-605L Captcha Handling Buffer Overflow by juan vazquez and Craig Heffner exploits OSVDB-86824
- ISPConfig Authenticated Arbitrary PHP Code Execution by Brandon Perry exploits CVE-2013-3629
- Moodle Remote Command Execution by Brandon Perry exploits CVE-2013-3630
- NAS4Free Arbitrary Remote Code Execution by Brandon Perry exploits CVE-2013-3631
- Openbravo ERP XXE Arbitrary File Read by Brandon Perry exploits CVE-2013-3617
- OpenMediaVault Cron Remote Command Execution by Brandon Perry exploits CVE-2013-3632
- vTigerCRM v5.4.0/v5.3.0 Authenticated Remote Code Execution by Brandon Perry exploits CVE-2013-3591
- Zabbix Authenticated Remote Command Execution by Brandon Perry exploits CVE-2013-3628
- Mac OS X Persistent Payload Installer by Marcin 'Icewall' Noga and joev
- Open Flash Chart v2 Arbitrary File Upload by Braeden Thomas, Brendan Coles, Gjoko Krstic, and Halim Cruzito exploits CVE-2009-4140
- WebTester 5.x Command Execution by Brendan Coles
- EMC Replication Manager Command Execution by Davy Douhine and Unknown exploits ZDI-11-061
- HP Intelligent Management Center BIMS UploadServlet Directory Traversal by juan vazquez and rgod exploits ZDI-13-238
- Persistent Payload in Windows Volume Shadow Copy by Jedediah Rodriguez
- Windows Management Instrumentation (WMI) Remote Command Execution by Ben Campbell exploits CVE-1999-0504
- Interactive Graphical SCADA System Remote Command Injection by Luigi Auriemma and MC exploits CVE-2011-1566
Auxiliary and post modules
- HP Intelligent Management SOM Account Creation by juan vazquez and rgod exploits ZDI-13-240
- SMB File Delete Utility by mubix
- SMB File Download Utility by mubix
- Node.js HTTP Pipelining Denial of Service by Marek Majkowski, joev, and titanous exploits CVE-2013-4450
- HP Intelligent Management BIMS DownloadServlet Directory Traversal by juan vazquez and rgod exploits ZDI-13-239
- HP Intelligent Management SOM FileDownloadServlet Arbitrary Download by juan vazquez and rgod exploits ZDI-13-242
- Jenkins Enumeration by Jeff McCutchan
- Radware AppDirector Bruteforce Login Utility by Karn Ganeshen
- Windows Single Sign On Credential Collector (Mimikatz) by Ben Campbell
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.