Upgrading to Ruby 2.1.5
As you probably know, Metasploit is a fairly complex set of programs written in my favorite language, Ruby. Specifically, we've been on Ruby version 1.9.3 for a long while now. Well, time marches on, and the 1.9.3 branch has been in maintenance mode for most of 2014, and will reach end of life by February of 2015. So, we need to get moving on the upgrade to version 2.1.
This is a welcome upgrade, to be sure, if for no other reason than the performance gains between versions 1.9.3 and 2.1.5. Check out the comparisons on Is Ruby Fast Yet? if you don't believe me. And unlike the shift from the 1.8 to 1.9 branch, backwards compatibility with Ruby 1.9.3 is pretty painless for us.
Of course, major version changes of the Ruby interpreter need to be handled carefully so as not to introduce new and exciting bugs. To that end, James egypt Lee and Luke KronicDeth Imhoff have been performing the due diligence required to ensure that the transition is as smooth as possible for the penetration testers of the world. Once Pull Request #4084 lands next week, we should be ready to rock on the new Ruby hotness.
For those of you who use the installed versions of Metasploit -- Metasploit Community, Express, and Pro -- you don't have to do anything special. We'll have a point release of those versions of Metasploit that ships with Ruby 2.1 in the first week of January, 2015.
For the open source developer community, we'll have documentation ready next week on how to work with Metasploit with Ruby 2.1 -- essentially, you'll be updating your local .ruby-version, installing Ruby 2.1 in the usual way, and re-install your bundled gems. The whole procedure should take maybe 10 minutes.
Update: Documentation for devs is now available at the usual MSF-DEV wiki.
Update: As of November 14, 2014, the latest Ruby version is now 2.1.5.
Upgrading to Ruby 1.9.3-p550
Speaking of upgrading Ruby, there was a security bulletin for Ruby 1.9.3. CVE-2014-8080 describes a bug where untrusted data can trigger a DoS condition in the rexml mixin (which we use in quite a few Metasploit modules). It would be a bummer to have your penetration testing workstation get all its memory consumed by a malicious target. It's not a hair-on-fire, pre-auth code execution bug or anything, but an upgrade is certainly in order.
Again, Metasploit Community, Express, and Pro users don't need to do anything other than upgrade Metasploit to the latest, (which will be ready for the next release as well) and developers will want to install Ruby version 1.9.3-p550 (bumped up from 1.9.3-p547) when they get a chance.
Since last week, we've landed four new exploits and eight new auxiliary and post modules. Especially interesting is the local exploit for CVE-2014-4113, which leverages a local kernel vulnerability to get elevated privileges on most every version of Windows out there.
- Centreon SQL and Command Injection by juan vazquez and MaZ exploits CVE-2014-3829
- CUPS Filter Bash Environment Variable Code Injection by Brendan Coles, Stephane Chazelas, and lcamtuf exploits CVE-2014-6278
- Joomla Akeeba Kickstart Unserialize Remote Code Execution by Johannes Dahse and us3r777 exploits CVE-2014-7228
- Windows TrackPopupMenu Win32k NULL Pointer Dereference by juan vazquez, OJ Reeves, Spencer McIntyre, and Unknown exploits CVE-2014-4113
Auxiliary and post modules
- Microsoft SQL Server - SQLi Escalate Db_Owner by nullbind
- Xerox Administrator Console Password Extract by Deral "Percentx" Heiland and Pete "Bokojan" Arzamendi
- Xerox Workcentre 5735 LDAP Service Redential Extractor by Deral "Percentx" Heiland and Pete "Bokojan" Arzamendi
- Buffalo NAS Login Utility by Nicholas Starke
- Western Digital MyBook Live Login Utility by Nicholas Starke
- GNU Wget FTP Symlink Arbitrary Filesystem Access by hdm exploits CVE-2014-4877
- LastPass Master Password Extractor by Alberto Garcia Illera, Jon Hart, and Martin Vigo
- Shell to Meterpreter Upgrade by Tom Sellers