Add Urgent/11 vulnerability scanner #12399

Merged
merged 30 commits into from Oct 21, 2019


busterb commented Oct 4, 2019

This is a quick port of the Urgent/11 vulnerability scanner from https://github.com/ArmisSecurity/urgent11-detector as an external Metasploit module. This set of vulnerabilities has been getting a lot of attention lately, so having a scanner in Metasploit might be useful.

Verification

  • Start msfconsole
  • use auxiliary/scanner/discovery/urgent11
  • Set rhosts / rport to proper target values
  • Verify the module can identify a vulnerable target
  • Verify the thing does not identify safe targets

Note, I don't have an actual vulnerable target yet, so I'm not sure if this works in reality. Also, the module wants to do some iptables tweaking, which I made conditional on the python3 platform being Linux, since iptables is Linux-only. This module might also be portable to Ruby directly, but I was more interested in being able to track upstream changes to the detector with minimal effort.

msf5 auxiliary(scanner/discovery/urgent11) > run

[*] Running for 127.0.0.1...
[*] Running against 127.0.0.1:8080
[*] 	TcpMalformedOptionsDetection  	VxWorks: -100	IPnet: -100
[*] 	TcpDosDetection               	VxWorks: 0	IPnet: 0
[*] 	IcmpCodeDetection             	VxWorks: 0	IPnet: -20
[*] 	IcmpTimestampDetection        	VxWorks: 0	IPnet: 0
[*] IP 127.0.0.1 detected as NOT IPnet
[*] IP 127.0.0.1 detected as NOT VxWorks
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

busterb commented Oct 4, 2019

On second glance, the license of this module might require some clean-room reimplementation, since I don't think we have any AGPL code elsewhere and generally avoid GPL. I think external modules avoid any kind of linking problems; trying to decide if this is worth it. The port blocking code feels like something packetfu should be able to do as well, in a more portable way...

@wvu-r7 wvu-r7 self-assigned this Oct 11, 2019
@wvu-r7 wvu-r7 added the feature label Oct 11, 2019

busterb commented Oct 11, 2019

Note: this module is getting rewritten to avoid portability & license issues.

@acammack-r7 acammack-r7 added the delayed label Oct 11, 2019
@wvu-r7 wvu-r7 force-pushed the busterb:urgent11 branch from 1b34f67 to 1b0b0e8 Oct 15, 2019
wvu-r7 and others added 5 commits Oct 15, 2019
Authored by busterb two commits ago and recommitted by wvu now. Oops.
Typo defaulted @vxworks_score and @ipnet_score to 100 instead of -100.
This commit also refactors the method to align with the others.
@busterb busterb assigned bwatters-r7 and unassigned wvu-r7 Oct 21, 2019
@busterb busterb removed the delayed label Oct 21, 2019

busterb commented Oct 21, 2019

We now have verification that this works against a real target, woo hoo!

busterb added 2 commits Oct 21, 2019
bwatters-r7 added a commit that referenced this pull request Oct 21, 2019
Merge branch 'land-12399' into upstream-master
@bwatters-r7 bwatters-r7 merged commit cc8ed04 into rapid7:master Oct 21, 2019
1 of 3 checks passed
Metasploit Automation - Sanity Test Execution Running automation sanity tests. Details available on completion.
continuous-integration/travis-ci/pr The Travis CI build is in progress
Metasploit Automation - Test Execution Successfully completed all tests.
msjenkins-r7 added a commit that referenced this pull request Oct 21, 2019
Merge branch 'land-12399' into upstream-master

bwatters-r7 commented Oct 21, 2019

Release Notes

This PR adds a scanner for the recent URGENT/11 vulnerability allowing attackers to exploit certain devices relying on a third-party network packet parser, IPnet.
