Android WebView Exploit, 70% Devices Vulnerable

This week, the biggest news I think we have is the release of Joe Vennix and Josh @jduck Drake's hot new/old Android WebView exploit. I've been running it for the last day or so out on the Internet, with attractive posters around the Rapid7 offices (as seen here) in an attempt to pwn something good. I've popped a couple shells; I guess I didn't make my QR code attractive enough.

Seriously, though, this vulnerability is kind of a huge deal. I'm hopeful that by publishing an E-Z-2-Use Metasploit module that exploits it, we can maybe push some vendors toward ensuring that single-click vulnerabilities like this don't last for 93+ weeks in the wild. Don't believe me that this thing is that old? Just take a look at the module's references.

It should be noted that the bug only ("only," he says!) affects versions of Android below 4.2 (early Jelly Bean). In a completely unsurprising twist, I did a quick survey of the phones available today on the no-contract rack at a couple of big-box stores, and every one that I saw was vulnerable out of the box. And yes, that's here in the U.S., not some far-away place like Moscow, Russia. This lines up with what Android Central reports: while Android 4.4 (KitKat) has achieved 1.8% penetration, the same chart indicates that over 70% of all Android devices out there are vulnerable to this bug, with the plurality of devices at 4.0 and 4.1.

There's a lot more to say here, so expect more on this in the coming days. We've slapped together a quick video, but feel free to make a better one and grab all the Internet infamy for yourself. The video should open in a new window.

As you can see, the attack shown here -- a QR code pointing at a Metasploit exploit -- is a pretty dang effective way to get a shell on a target Android device, assuming your QR marketing skills are better than mine.

Incidentally, who do you lean on to get this patched? The big-box retailer who sold it to you? The manufacturer of the phone hardware? The cell phone service provider? Google? It may seem a little spurious, but it's a question that's going to be asked by journalists, wonks, and (hopefully) consumer protection groups in the coming weeks.
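For app developers wondering what the "below 4.2" cutoff means for their own code, here is an added illustration from the defender's side. It is not code from the post, from the Metasploit module, or from Rapid7; the class and method names (`SafeBridge`, `PageBridge`, `attachBridge`, `androidApp`) are made up for the example. The bridge the exploit abuses is `WebView.addJavascriptInterface`: before Android 4.2 (API level 17) every public method of the injected object, and everything reachable from it by reflection, is callable from page JavaScript, so on those versions the only safe choice is not to attach a bridge at all. From API 17 onward, only methods carrying the `@JavascriptInterface` annotation are exposed, and that restriction is enforced only when the app's `targetSdkVersion` is 17 or higher.

```java
// Added example, not from the post or from Metasploit: the guarded way to attach a
// JavaScript bridge to a WebView. Assumes the app's build sets targetSdkVersion >= 17,
// otherwise the annotation check below is not enforced by the platform.
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class SafeBridge {

    /** Hypothetical bridge object: one deliberately narrow, annotated method. */
    public static class PageBridge {
        // Callable from page JavaScript on API >= 17 because it is annotated.
        @JavascriptInterface
        public String appVersion() {
            return "1.0"; // constructed value for the example
        }

        // Not annotated: on API >= 17 this is invisible to JavaScript. On API < 17
        // it (and java.lang.Object's methods) would be reachable, which is the bug.
        public String internalState() {
            return "not for the page";
        }
    }

    /**
     * Attaches the bridge only on platform versions that honour @JavascriptInterface.
     * Returns true if the bridge was attached, false if it was withheld.
     */
    public static boolean attachBridge(WebView webView) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.JELLY_BEAN_MR1) { // API 17
            // Pre-4.2: any injected object is fully exposed. Do not attach anything,
            // and degrade the feature that needed the bridge instead.
            return false;
        }
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new PageBridge(), "androidApp");
        return true;
    }

    /** Drops a bridge again, e.g. before navigating the WebView to untrusted content. */
    public static void detachBridge(WebView webView) {
        webView.removeJavascriptInterface("androidApp");
    }
}
```

Two caveats the version check does not cover: the annotation only limits which methods are callable, so anything that is annotated must still treat its arguments as hostile input, and a bridge should only ever be attached while the WebView is loading content you control, since any page that can run JavaScript in that WebView can call it.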

Mass Check!

Item two on this week's release is Wei @_sinn3r Chen's rework of how Metasploit exploits use the "check" functionality. You can read up on it over at sinn3r's blog post about how it all works -- really, go read it, it's good. I'll wait.

Now that you've got the background and it's out in this week's release, you no longer need to guess at how many of your in-scope Windows machines really are vulnerable to MS08-067 before you try to tag them. This is not to say that Metasploit is suddenly a proper vulnerability scanner. We're not, and never really will be. This "check" functionality is much more focused on target acquisition than on compliance checking or risk management or anything like that. So, good for penetration testers, maybe not so good for your day-to-day vuln scanning duties.

Meterpreter Clipboard Monitor

Also on this release (dang, this is a pretty good one this week) is the new clipboard monitor functionality for Meterpreter, thanks in large part to OJ @TheColonial Reeves. OJ got a nice little writeup over at CSO Online wherein TheColonial explains how the clipboard-erasing protections of KeePass are completely obliterated.

This makes me sad, as I'm an avid KeePassX user and have been for years and years. Oh well, I guess I just better make sure that I'm not already owned when I go checking The Facebook for my friends' cat-and-baby pictures.

But, alas, moving security forward isn't just about me and what software I use. The fact of the matter is, passwords suck. Period. You're left with the choice of a) keeping easy-to-remember passwords in your head (easy to guess), b) using a clipboard-based password manager and hoping nothing's watching your clipboard, c) using some hand-typing system of password management and hoping you're not getting your keystrokes logged, or d) using a browser-based autofill system and hoping you're not a recent victim of a universal, persistent XSS bug. Time to take another look at your two-factor authentication (2FA) choices.

Incidentally, we'll have more on the UXSS thing in the next couple of weeks. You're welcome, in advance.

New Modules

Including the WebView exploit above, we're shipping six new exploits and seven new auxiliary and post modules. Most of the aux material this week revolves around IBM Sametime, an enterprise social-media-in-a-box offering, all from the cruelly-named Kicks4Kittens.

Exploit modules

  • Android Browser and WebView addJavascriptInterface Code Execution by joev and jduck

  • Kloxo SQL Injection and Remote Code Execution by juan vazquez and Unknown

  • Pandora FMS Remote Code Execution by xistence

  • KingScada kxClientDownload.ocx ActiveX Remote Code Execution by juan vazquez and Andrea Micalizzi exploits ZDI-14-011

  • Windows TrackPopupMenuEx Win32k NULL Page by Dan Zentner, Matias Soler, Seth Gibson, and Spencer McIntyre exploits CVE-2013-3881

  • Windows Command Shell Upgrade (Powershell) by Ben Campbell

Auxiliary and post modules

  • IBM Lotus Sametime WebPlayer DoS by Chris John Riley and kicks4kittens exploits CVE-2013-3986

  • DoliWamp 'jqueryFileTree.php' Traversal Gather Credentials by Brendan Coles

  • IBM Lotus Notes Sametime User Enumeration by kicks4kittens

  • IBM Lotus Notes Sametime Room Name Bruteforce by kicks4kittens

  • IBM Lotus Sametime Version Enumeration by kicks4kittens

  • A10 Networks AX Loadbalancer Directory Traversal by xistence exploits OSVDB-102657

  • Windows Gather Active Directory User Comments by Ben Campbell

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.
