Security News #0x89

• Metasploit has a new Browser Autopwn module! If you want to learn how it works, take a look at Part 2 of that series.
• There is a new OS X 10.10 local root privilege escalation attack, that is so sophisticated it fits in a tweet. Yeah, it is in Metasploit.
• There is also a new Metasploit module for local privilege escalation on Windows; this affects Windows 7 and Windows Server 2008 R2. The underlying vulnerability is CVE 2015-1701 and was patched by MS 15-051.
• There is another Windows local privilege escalation attack available; this one coming from the results of the Hacking Team. This underlying problem is CVE 2015-2426 and patched by MS 15-078.
• There is a new Metasploit module for Adobe Flash, Adobe Flash Player Drawing Fill Shader Memory Corruption. This targets CVE 2015-3105. The exploit has been tested on a number of combinations, including Windows 7 (32 bit), Flash 17.0.0.188 and IE 11 or Firefox 38.0.5; it also works against Windows 8.1 (32 bit) with Flash 17.0.0.188 and Firefox 38.0.5. More interestingly, it also works against Mint 17.1 (Rebecca) (32 bits) with Firefox 33.0 and Adobe Flash 11.2.202.460. This success against Linux targets differentiates this Flash exploit from previous ones.
• There is another new Metasploit module for Adobe Flash, Adobe Flash Player ShaderJob Buffer Overflow; this one exploits CVE 2015-3090. Like the previous, this one also hits both Windows and Linux targets, including Windows 7 SP1 (32 bit) with Flash 17.0.0.169 and either IE11 or Firefox 38.0.5; Windows 8.1 with FLash 17.0.0.169 and Firefox 38.0.5, and Mint 17.1 (Rebecca) (32 bits) with Firefox 33.0 and Adobe Flash 11.2.202.457.
• As proof positive that I have spent too much time on my book and not enough on the blog, here is a third Metasploit module attacking Adobe Flash; this one exploits CVE 2015-5122 and impacts a range of Adobe Flash versions, including Adobe Flash 18.0.0.203 on Windows 8.1 (32 bit). Take a look at the module’s source code for a list of tested targets.
• Another new module is VNC Keyboard Remote Code Execution, which attacks VNC servers on Windows or Linux.
• Did you know it is possible to perform SSL certificate verification on your Metasploit shells? Well, I didn’t.
• There is a Metasploit module module to forge certificates to allow and SSL MITM attack. The underlying problem, CVE 2105-1793 impacts OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c. Qihoo 360 has some technical details of the flaw.
• There is a local privilege escalation attack now available for Ubuntu 15.04, 14.10, 14.04, and 12.10. The underlying vulnerability is CVE 2015-1328.
• Cisco apparently has default SSH keys on a number of their applicances.
• Vlad Tsyrklevich has an interesting discussion on the state of the 0-day market based on fallout from the Hacking Team dumps.
• One of the attacks described in my forthcoming book is a brute force attack against an SSH server. Well, there is now a better way to run such attacks, at least against OpenSSH. Try Ars Technica for some perspective.
• One interesting bit of fallout from the Hacking Team leak is the fact that they had a UEFI BIOS rootkit that would provide persistence across even replacing the hard drive.