Tag Archives: Metasploit

More tricks than treats with today’s Metasploit blog disclosures?

Today, Tod Beardsley posted part one and part two on the Metasploit blogs titled “Seven FOSS Tricks and Treats. Unfortunately, this blog comes with as many tricks as it does treats.

In part one, he gently berates the vendors for their poor handling of the issues. In many cases, they are labeled as “won’t fix” without an explanation of why. During his berating, he also says “I won’t mention which project … filed the issue on a public bug tracker which promptly e-mailed it back in cleartext“. In part two, the only disclosure timeline including a bug report is for Moodle and ticket MDL-41449. If this is the case he refers to, then he should have noted that the tracker requires an account, and that a new account / regular user cannot access this report. Since his report was apparently mailed in the clear, the ticket system mailing it back is not the biggest concern. If this is not the ticket he refers to, now that the issues are public the ticket should be included in the disclosure for completeness.

Next, we have the issue of “won’t fix”. Zabbix, NAS4Free, and arguably OpenMediaVault are all intended functionality by the vendor. In each case, they require administrative credentials to use the function being ‘exploited’ by the metasploit modules. I won’t argue that additional circumstances make exploitation easier, such as XSS or default credentials, but intended functionality is often a reason a vendor will not “fix” the bug. As you say in part one, a vendor should make this type of functionality very clear as to the dangers involved. Further, they should strive to avoid making it easier to exploit. This means quickly fixing vulnerabilities that may disclose session information (e.g. XSS), and not shipping with default credentials. Only at the bottom of the first post do you concede that they are design decisions. Like you, we agree that admin of a web interface does not imply the person was intended to have root access on the underlying operating system. In those cases, we consider them a vulnerability but flag them ‘concern’ and include a technical note explaining.

One of the most discouraging things about these vulnerability reports is the lack of version numbers. It is clear that Beardsley downloaded the software to test it. Why not include the tested version so that administrators can more easily determine if they may be affected? For example, if we assume that the latest version of Moodle was 2.5.2 when he tested, it is likely vulnerable. This matters because version 2.3.9 does not appear to be vulnerable as it uses an alternate spell check method. This kind of detail is extremely helpful to the people who have to mitigate the vulnerability, and the type of people who use vulnerability databases as much as penetration testers.

Finally, the CVE assignments are questionable. Unfortunately, MITRE does not publish the “CVE ID Reservation Guidelines for Researchers” on their CVE Request Page, instead offering to mail it. This may cut down on improper assignments and may explain why these CVE were assigned. When an application has intended functionality that can only be abused by an attacker with administrator credentials, that does not meet the criteria for a CVE assignment. Discussion with CVE over each case would help to ensure assignment is proper (see above re: implied permission / access).

As always, we love seeing new vulnerabilities disclosed and quickly fixed. However, we also prefer to have disclosures that fully explain the issue and give actionable information to all parties involved, not just one side (e.g. penetration testers). Keep up the good work and kindly consider our feedback on future disclosures!

August 2012, A Few Small Updates

Our dev team tackled some of the ticket backlog on the OSVDB project. While many changes are ‘behind the scenes’ and only affect the daily manglers, there are a few that are helpful to anyone using the database:

  • Metasploit links have been fixed. At some point, the Metasploit project changed the URL scheme for the search engine. Our incoming links stopped matching the format and resulted in landing at the main search page. We now use the new URL scheme, so links from OSVDB will directly load the Metasploit module again.
  • Microsoft changed their URL scheme yet again. Our links for MS bulletins were redirecting, but sometimes 2 or 3 times on Microsoft’s side. It’s cool that they kept up the redirects, but our links have been updated to be more efficient and land without the 30x magic.
  • Immunity CANVAS references have been added. In our quest to add as much vulnerability information to each entry, we have used Immunity’s API to pull in data about their exploit availability. While it is a commercial offering, such exploit frameworks are invaluable to pen-testing teams, as well as administrators that mitigate based on the availability of exploits. An example of an OSVDB entry with a CANVAS reference is OSVDB 60929.
  • Continued backfilling; we have still been pushing to backfill vulnerability data from prior years, focusing on 2011 currently. The data is coming from a variety of sources including bug trackers, changelogs, and Exploit-DB. We have been working with EDB so that each site has a more thorough cross-reference available. The EDB team has been outstanding to work with and continues to show diligence in their data quality and integrity. Moving forward, we will continue to focus on more vulnerability data imports and more information backfill.

Metasploit Reference Support Added & More

This week, HDMoore of Metasploit and OSVDB moderators discussed cross-reference support for each product. As many are now seeing, Metasploit has a search module that allows for fast searches by a number of external references, including OSVDB.

On the OSVDB side, we now support a ‘Metasploit ID’ that currently uses the corresponding OSVDB ID to link and auto-search their database. Based on our testing, this is working great and offers cross-references to 400 Metasploit exploit modules! At the risk of pre-empting HDMoore, I am happy to announce that this is only the first step in the support each project will offer.

In the coming weeks, Metasploit will migrate to a numeric ID scheme to catalog their exploit archive. Each exploit will have it’s own page with what you see now, plus a lot more. With those unique IDs, OSVDB will change the way we link to Metasploit so there is a 1:1 mapping between projects. This will allow us to have accurate coverage for 100% of the Metasploit modules. When this happens, we will display these links under “Tools & Filters” instead of “References” along with a Metasploit logo.

If you weren’t aware, HDMoore created the concept of OSVDB and participated in the original design (~ Aug 2002). That means he has been supporting OSVDB for over seven years now. We’re pretty sure that means we owe him a beer.

How to piss off the A-V community

H D Moore had a great post on DailyDave regarding the whole WMF vulnerability fiasco, and some reaction to his Metasploit vulnerability code being released. Some of the amusing quotes:

The AV industry sure doesn’t like it when their products are completely inneffective against the biggest exploit of the year. They like it even less when you publish a one-byte change that breaks their signatures.

On a somewhat funny note, a poll was added to the ISC web site (by Swa Frantzen) that I figured the folks on here would appreciate .. I contacted the ISC team about this — introducing the exploit authors as people that need to be “brought to justice” is about one step from libel.


Get every new post delivered to your Inbox.

Join 4,759 other followers