security.crudtastic.com

The last two days have been pretty busy. I have been analyzing the latest Adobe vulnerability. It all began when HD alerted me to a post on Mila Parkour’s “contagio malware dump” blog. After giving the blog post a once over, it was pretty clear that he had discovered a live sample of a previously unpublished and currently unpatched vulnerability. The clearest indicator was the screen shot of the Adobe Reader “About” dialog with dropped files showing. Great image! This most definitely piqued my interest.

Read the rest of jduck’s post on the Metasploit blog

In case you’ve missed the news lately .. there’s been a few little issues with the way Microsoft handles some dll’s. A quick look on exploit-db will show a tonne of new dll hijacking exploits. HD from Metasploit has released version 2 of his DLLHijackAudit Kit that will basically check all the file associations on your machine for DLL hijack vulnerabilities, if it finds that a DLL is vulnerable, it will then create a POC and save it for you.

Due to an overwhelming amount of interest in the initial DLLHijackAuditKit released on Monday, I rewrote the tool to use native JScript, automatically kill spawned processes, reduce the memory usage by ProcMon, and automatically validate every result from the CSV log. The result is DLLHijackAuditKit v2. This kit greatly speeds up the identification process for vulnerable applications. An extremely simple HOWTO:

1. Download the DLLHijackAuditKit v2 and extract it into a local directory on the system you would like to test.

2. Browse to this directory and launch 01_StartAudit.bat as an Administrator. The Administrator bit is important, as it will allow the script to kill background services that are spawned by the handlers and prevent UAC popups.

3. After the audit script completes (15-30 minutes), switch to the Process Monitor window, and access File->Save from the menu. Save the resulting log in CSV format to the local directory with the name “Logfile.CSV”.

4. Launch 02_Analyze.bat as an Administrator. This will scan through the CSV log, build test cases for each potential vulnerability, try them, and automatically create a proof-of-concept within the Exploits directory should they succeed.

5. Identify the affected vendor for each generated proof-of-concept and ask them nicely to fix their application. Send them the calc.exe-launching PoC if necessary.

Thanks again to everyone who provided feedback (positive or negative) on the original tool, especially Rob Fuller, who let me forkbomb his system in the process of testing the new kit.

Full posting on the Metasploit blog

This post describes the process for identifying and exploiting applications vulnerable to the DLL hijack vulnerability disclosed last week. For background information on this vulnerability, as well as remediation information, please see my post on the Rapid7 Blog.

This vulnerability is triggered when a vulnerable file type is opened from within a directory controlled by the attacker. This directory can be a USB drive, an extracted archive, or a remote network share. In most cases, the user will have to browse to the directory and then open the target file type for this exploit to work. The file opened by the user can be completely harmless, the flaw is that the application launched to handle the file type will inadvertently load a DLL from the working directory.

In practice, this flaw can be exploited by sending the target user a link to a network share containing a file they perceive as safe. iTunes, which was affected by this flaw until last week, is associated with a number of media file types, and each of these would result in a specific DLL being loaded from the same directory as the opened file. The user would be presented with a link in the form of \\server\movies\ and a number of media files would be present in this directory. If the user tries to open any of these files, iTunes would search the remote directory for one or more DLLs and then load these DLLs into the process. If the attacker supplied a malicious DLL containing malware or shellcode, its game over for the user.

Read the rest of H D Moore’s post on the Metasploit blog

Microsoft Windows and about 40 applications that run on it are vulnerable to remote-code execution attacks that are “trivial” to carry out, a noted security researcher warned Wednesday.

The flaw involves the way Windows loads “safe” file types from remote network locations, and is almost identical to one that Apple excised in iTunes last week, H D Moore, CSO and chief architect of the Metasploit project, told The Register. He said the bug is “trivial” to remotely exploit, but wasn’t authorized to provide additional details about techniques or other vulnerable applications.

According to a more detailed advisory for the iTunes fix, the “binary planting” vulnerability allowed attackers to execute malicious code on Windows machines by getting the media player to open a file located on the same network share as a maliciously designed DLL file.

“All a remote attacker has to do is plant a malicious DLL with a specific name on a network share and get the user to open a media file from this network location in iTunes – which should require minimal social engineering,” the advisory, which was written by ACROS Security, stated.

Read the rest of the story on theregister.co.uk

A new GUI for Metasploit has been added by ScriptJunkie to the Metasploit SVN Repository. This new GUI is multi-platform and it is based on Java!

Over to you Carlos for a full rundown!! – http://pauldotcom.com/2010/07/metasploit-new-gui.html

The Metasploit Project is proud to announce the release of the Metasploit Framework version 3.4.1.  As always, you can get it from our downloads page, for Windows, Linux or as an OS-independent tarball.  This release sees the first official non-Windows Meterpreter payload, in PHP as discussed last month (http://blog.metasploit.com/2010/06/meterpreter-for-pwned-home-pages.html).

 Rest assured that more is in store for Meterpreter on other platforms.  A new extension called Railgun is now integrated into Meterpreter courtesy of Patrick HVE, giving you scriptable access to Windows APIs and an unprecedented amount of control over post-exploitation.  For those of you wishing to contribute to the framework, a new file called HACKING has been introduced that lays out a few guidelines for making it easier.

 This release has 16 new exploits, 22 new auxiliary modules and 11 new Meterpreter scripts for your pwning enjoyment.  For more in-depth information about this release, see the 3.4.1 release notes at

https://www.metasploit.com/redmine/projects/framework/wiki/Release_Notes_341

 - The Metasploit Team

Downloads and more information at http://www.metasploit.com/

** NEWS JUST IN **

Downloads and more information: http://www.metasploit.com

After five months of development, version 3.4.0 of the Metasploit Framework has been released. Since the last major release (3.3) over 100 new exploits have been added and over 200 bugs have been fixed.

This release includes massive improvements to the Meterpreter payload; both in terms of stability and features, thanks in large part to Stephen Fewer of Harmony Security. The Meterpreter payload can now capture screenshots without migrating, including the ability to bypass Session 0 Isolation on newer Windows operating systems. This release now supports the ability to migrate back and forth between 32-bit and 64-bit processes on a compromised Windows 64-bit operating system. The Meterpreter protocol now supports inline compression using zlib, resulting in faster transfers of large data blocks. A new command, “getsystem”, uses several techniques to gain system access from a low-privileged or administrator-level session, including the exploitation of Tavis Ormandy’s KiTrap0D vulnerability. Brett Blackham contributed a patch to compress screenshots on the server side in JPG format, reducing the overhead of the screen capture command. The pivoting backend of Meterpreter now supports bi-directional UDP and TCP relays, a big upgrade from the outgoing-only TCP pivoting capabilities of version 3.3.3.

This is the first version of Metasploit to have strong support for bruteforcing network protocols and gaining access with cracked credentials. A new mixin has been created that standardizes the options available to each of the brute force modules. This release includes support for brute forcing accounts over SSH, Telnet, MySQL, Postgres, SMB, DB2, and more, thanks to Tod Bearsdley and contributions from Thomas Ring.

Metasploit now has support for generating malicious JSP and WAR files along with exploits for Tomcat and JBoss that use these to gain remote access to misconfigured installations. A new mixin was creating compiling and signing Java applets on fly, courtesy of Nathan Keltner.
Thanks to some excellent work by bannedit and Joshua Drake, command injection of a cmd.exe shell on Windows can be staged into a full Meterpreter shell using the new “sessions -u” syntax.

This marks the first major release developed under the Rapid7 label and coincides with general availability of Metasploit Express, our first commercial product. We hope you enjoy using the framework as much as we like working on it.

- The Metasploit Team