It has been an intense couple of weeks in infosec since the last Wrapup and we've got some cool things for you in the latest update.
Hacking like No Such Agency
I'll admit I was wrong. For several years, I've been saying we'll never see another bug like MS08-067, a full remote hole in a default Windows service. While I'm not yet convinced that MS17-010 will reach the same scale as MS08-067 did, EternalBlue has already done substantial damage to the internet. Rapid7 bloggers covered a bunch of the details last week.
- More on the EternalBlue Metasploit module
- How to scan your network for the WannaCry vulnerability with InsightVM and Nexpose
- A deep dive into the WannaCry vulnerability
Since the last Wrapup, we've added an exploit for EternalBlue that targets x64 on the Windows 7 kernel (including 2008 R2). Updates are in the works to cover x86 and other kernels. There is also a scanner that can reliably determine exploitability of MS17-010, as well as previous infection with DOUBLEPULSAR, the primary payload used by the original leaked exploit.
While EternalBlue was making all the headlines, we also landed an exploit module for the IIS ScStoragePathFromUrl bug (CVE-2017-7269) for Windows 2003 from the same dump. This one requires the victim to have WebDAV enabled, which isn't default but is really common, especially on webservers of that era. Since 2003 is End of Support, Microsoft is not going to release a patch.
Dance the Samba
In the few days since we spun this release, we also got a shiny new exploit module for Samba, the Unixy SMB daemon that runs on every little file sharing device ever. Expect some more discussion about it in the next wrapup. In the mean time, you can read more about the effects of the bug.
WordPress, which powers large swaths of the internet, embeds a thing called PHPMailer for sending email, mostly for stuff like password resets. Earlier this May, security researcher Dawid Golunski published a vulnerability in PHPMailer. The vulnerability is similar to CVE-2016-10033, discovered by the same researcher. Both of these bugs allow you to control arguments to
Now, vulns in WordPress core are kind of a big deal, since as previously mentioned, WP is deployed everywhere. Unfortunately (or maybe fortunately depending on your perspective), there is a big caveat -- Apache since 2.2.32 and 2.4.24 changes a default setting,
HttpProtocolOptions to disallow the darker corners of RFC2616, effectively mitigating this bug for most modern installations.
The intrepid @wvu set forth to turn this into a Metasploit module and came out the other side with some shells and interesting discoveries that he'll cover in a more detailed technical post coming soon to a Metasploit Blog near you.
While Meterpreter is a very powerful and flexible tool for post exploitation on its own, sometimes you need the flexibility to go beyond the functionality that it provides directly. There may be a special API that needs to be called to extract a credential, or a certain system call that is required to trigger an exploit. For a long time, Windows Meterpreter users have enjoyed the use of the Railgun extension, which provides a way to do just that, similar to FFI (Foreign Function Interface) that is available in many scripting languages, but operating remotely. Thanks to an enormous effort by Metasploit contributor, zeroSteiner, Linux users can now also take advantage of Railgun, as it is now implemented as part of Python Meterpreter! This functionality opens the door to many new post-exploitation module possibilities, including the ability to steal cleartext passwords from gnome-keyring. See zeroSteiner’s blog and his more technical companion piece for more details.
Steal all the things
This week's update also continues the fine tradition of Stealing All the Things(tm). The aforementioned gnome-keyring dumper allows you to steal passwords from a logged-in user. In a similar vein, if you have a shell on a JBoss server,
post/multi/gather/jboss_gather will give you all the passwords. The fun thing about both of these is that they work on the principle that you have permission to read these things -- there is no exploit here, and nothing to be patched.
On the other side of things,
auxiliary/admin/scada/moxa_credentials_recovery does take advantage of a vulnerability to grab all the creds from a cute little SCADA device.
Exploit modules (10 new)
- Crypttech CryptoLog Remote Code Execution by Mehmet Ince
- Quest Privilege Manager pmmasterd Buffer Overflow by m0t exploits CVE-2017-6553
- BuilderEngine Arbitrary File Upload Vulnerability and execution by Marco Rivoli, and metanubix
- MediaWiki SyntaxHighlight extension option injection vulnerability by Yorick Koster exploits CVE-2017-0372
- WordPress PHPMailer Host Header Command Injection by wvu, and Dawid Golunski exploits CVE-2016-10033
- Dup Scout Enterprise GET Buffer Overflow by Daniel Teixeira, and vportal
- Serviio Media Server checkStreamUrl Command Execution by Brendan Coles, and Gjoko Krstic(LiquidWorm)
- Sync Breeze Enterprise GET Buffer Overflow by Daniel Teixeira
- Microsoft IIS WebDav ScStoragePathFromUrl Overflow by Chen Wu, Dominic Chell, Lincoln, Rich Whitcroft, Zhiniang Peng, firefart, and zcgonvh exploits CVE-2017-7269
- MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption by Dylan Davis, Equation Group, Sean Dillon, and Shadow Brokers exploits CVE-2017-0148
Auxiliary and post modules (6 new)
- Moxa Device Credential Retrieval by K. Reid Wightman, and Patrick DeSantis exploits CVE-2016-9361
- Intel AMT Digest Authentication Bypass Scanner by hdm exploits CVE-2017-5689
- Module to Probe Different Data Points in a CAN Packet by Craig Smith
- Gnome-Keyring Dump by Spencer McIntyre
- Jboss Credential Collector by Koen Riepe (koen.riepe
- Multi Manage Network Route via Meterpreter Session by todb, and Josh Hale "sn0wfa11"
As always, you can update to the latest Metasploit Framework with
msfupdate and you can get more details on the changes since the last blog post from GitHub: