Metasploit 4.11.1 Released!
Hi all! I'm happy to announce that Metasploit 4.11.1, the latest point release of Metasploit Community, Express, and Pro, has been released. You can fetch the update using the usual methods: in the UI, with msfupdate, or with apt-get, depending on your binary distribution. Git source checkouts don't really notice these version bumps, of course, since the usual git pull -r && bundle install will take care of everything, and if you're that sort, you're tracking bleeding-edge HEAD anyway.
The release notes have been published here, thanks to Metasploit Documentrix Thao Doan, but the fundamental reason for this update is to get Metasploit onto Ruby 2.1.5. So, you should enjoy some fairly significant performance speedups once you get yourself updated; it's like adding racing stripes to the side.
Adventures in UXSS
This has been a pretty big week for universal cross-site scripting (UXSS) bugs. Unlike your usual XSS, a UXSS bug lives in the browser rather than in any particular web page, so it lets an attacker's page run script in the context of any other site the browser visits, which spells trouble for your entire view of the World Wide Web. To demonstrate the disastrous effects of leaving UXSS unpatched, we disclosed R7-2015-02, a gap in the X-Frame-Options (XFO) coverage of the web version of Google's Play Store. Because the affected pages can be framed, the gap can be combined with previously disclosed UXSS bugs in several Android browsers: a malicious page frames the Play Store, uses the UXSS to script that frame as the logged-in user, and triggers app installs on the victim's device.
Unfortunately, it looks like Google is pretty adamant about not developing patches for pre-KitKat Android browsers, so expect the trend of Android malware masquerading as legitimate Play Store apps to march steadily forward. More broadly, non-malicious but merely unscrupulous app developers have every incentive to keep preying on these (often brand new) lower-end devices, since installing and launching their apps without the user's knowledge or consent is pretty drop-dead easy, and I imagine a fine way to boost your installation numbers.
Over on the Microsoft side, Metasploit exploit warrior-monk Wei _sinn3r_ Chen also banged out a UXSS exploit this week for a vulnerability recently disclosed in current versions of Microsoft Internet Explorer. Patch Tuesday has come and gone, but alas, this Same-Origin Policy (SOP) busting bug has not been fixed yet. So, if your current penetration testing engagement includes a phishing component, and your client makes heavy use of Internet Explorer and some intranet-based web services, now is a pretty excellent time to get some XSS action on those sweet, sweet trusted Local intranet zones. Metasploit ships with a few sample UXSS snippets to get you thinking about how best to leverage a UXSS to demonstrate risk.
Note that while the currently committed module does not support automatic XFO-busting today (unlike the Play Store module), that doesn't mean evading XFO is impossible. Such evasions tend to be fairly site-specific, but one tactic that seems pretty reliable across many web server configurations is sending an overlong URL so that the server answers with a 414 (Request-URI Too Long) rather than the application's 404. The 414 is typically generated by the web server core before the application code that sets the header ever runs, so it usually arrives without X-Frame-Options, yet it is still a document in the target's origin, which is all a UXSS needs. In other words, if you'd like to take a crack at making the IE UXSS module more generally useful in the face of XFO, patches are accepted.
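To make the overlong-URL tactic concrete, here is an added example (not code from the Metasploit module, and not Rapid7's) of how a module or a standalone script could check whether a target page is protected by X-Frame-Options and whether its 414 error response drops that protection. The hosts play.example and evil.example are hypothetical, and the two "servers" at the bottom are constructed stand-ins so the probe runs offline; the fetch function is injectable so the same probe can be pointed at a live host with Net::HTTP.

```ruby
require 'net/http'
require 'uri'

# Would a page served from attacker_origin be allowed to frame a response that
# carried these headers? Models the X-Frame-Options rules of RFC 7034 as the
# major browsers applied them at the time: DENY and SAMEORIGIN block cross-site
# framing, ALLOW-FROM admits exactly one origin, and a missing header means the
# page is framable. Duplicate or unrecognised values are treated as a block
# (the Firefox/IE reading); WebKit-era browsers differed on ALLOW-FROM, so
# confirm in the actual target browser before relying on this.
def xfo_blocks_framing?(headers, attacker_origin, target_origin)
  pair = headers.find { |name, _| name.to_s.downcase == 'x-frame-options' }
  return false unless pair
  values = pair.last.to_s.split(',').map { |v| v.strip.upcase }
  return true if values.size != 1
  case values.first
  when 'DENY' then true
  when 'SAMEORIGIN' then !same_origin?(attacker_origin, target_origin)
  when /\AALLOW-FROM\s+(\S+)\z/ then !same_origin?(attacker_origin, Regexp.last_match(1))
  else true
  end
end

def same_origin?(a, b)
  a.to_s.chomp('/').downcase == b.to_s.chomp('/').downcase
end

# scheme://host[:port] for a URL, the form XFO origins are compared in.
def origin_of(url)
  u = URI(url)
  port = u.port == u.default_port ? '' : ":#{u.port}"
  "#{u.scheme}://#{u.host}#{port}"
end

# The tactic from the post: pad the URL until the request line exceeds the
# server's limit, so the server core answers with a generic 414 before the
# application (which is what sets the XFO header) ever runs. Apache's
# LimitRequestLine defaults to 8190 bytes, so 9000 clears it with margin.
# Any existing query string on base_url is replaced by the padding.
def overlong_url(base_url, total_length = 9000)
  uri = URI(base_url)
  pad = [total_length - base_url.size - 3, 1].max   # 3 for the "?p=" we add
  uri.query = "p=#{'a' * pad}"
  uri.to_s
end

# Live fetch: [status, headers]. HEAD is enough, since only the status and
# the response headers matter here.
def http_fetch(url)
  uri = URI(url)
  resp = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.head(uri.request_uri)
  end
  [resp.code.to_i, resp.to_hash.transform_values(&:first)]
end

# Probe the target page and its overlong twin; return the first response a
# page at attacker_origin could frame (url and status), or nil if both are
# protected. For a UXSS all that matters is that some document at the target
# origin loads in the frame: a bare 414 error page is as good as the real one.
def find_framable_url(target_url, attacker_origin, fetch: method(:http_fetch))
  target_origin = origin_of(target_url)
  [target_url, overlong_url(target_url)].each do |url|
    status, headers = fetch.call(url)
    next if xfo_blocks_framing?(headers, attacker_origin, target_origin)
    return { url: url, status: status }
  end
  nil
end

# Constructed stand-ins (not real servers; hosts are hypothetical). weak_server
# is the common deployment: the application sets XFO on every page it renders,
# but an over-length request line is rejected by the server core with a bare
# 414 before the application runs. hardened_server sets the header on every
# response it emits, error pages included, which is what closes the gap.
def weak_server(url)
  request_line = "GET #{URI(url).request_uri} HTTP/1.1\r\n"
  return [414, { 'content-type' => 'text/html' }] if request_line.bytesize > 8190
  [200, { 'content-type' => 'text/html', 'x-frame-options' => 'SAMEORIGIN' }]
end

def hardened_server(url)
  status, headers = weak_server(url)
  [status, headers.merge('x-frame-options' => 'SAMEORIGIN')]
end

if __FILE__ == $PROGRAM_NAME
  weak = find_framable_url('https://play.example/store', 'https://evil.example', fetch: method(:weak_server))
  puts "weak:     framable via HTTP #{weak[:status]} (#{weak[:url].size}-byte URL)" if weak
  hard = find_framable_url('https://play.example/store', 'https://evil.example', fetch: method(:hardened_server))
  puts "hardened: #{hard ? 'still framable' : 'no framable response found'}"
end
```

The defensive takeaway is the hardened_server case: the header has to be emitted by whatever layer generates the error pages (the web server or front-end proxy), not only by the application, and the only way to know it is there on a 414 or 400 is to request one and look, rather than to assume the application's header applies.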
Since last week, we have four new exploits and two new auxiliary modules (among them the Play Store XFO module discussed above). At long last, we're now shipping a towelroot-workalike module for local rooting of Android devices, thanks primarily to Tim Wright, Brent Cook, and of course noted iPhone hacker and gentleman-about-town Geohot. Also in the realm of local privilege escalation is Jay Smith and Matt Bergin's implementation of MS14-070, a tricky elevation bug in some versions of tcpip.sys (details on KoreLogic's blog). We don't do a lot in the way of local exploits, given that Metasploit is much more remote-oriented, so it's nice to see two come in during the same week.
Exploit modules
- Android Futex Requeue Kernel Exploit by Pinkie Pie, geohot, and timwr exploits CVE-2014-3153
- WordPress WP EasyCart Unrestricted File Upload by Kacper Szurek and Rob Carr exploits OSVDB-116806
- Windows tcpip!SetAddrOptions NULL Pointer Dereference by Jay Smith and Matt Bergin exploits CVE-2014-4076
- Achat v0.150 beta7 Buffer Overflow by Balazs Bucsay and Peter Kasza
Auxiliary and post modules
- Android Browser RCE Through Google Play Store XFO by joev and Rafay Baloch exploits CVE-2014-6041
- Windows File Gather File from Raw NTFS by Danil Bazin