Public Exploit Code Released for Citect ODBC Vulnerability
Friday evening a Metasploit module was released that will exploit the Citect ODBC vulnerability that Core discovered earlier this year. There isn’t a whole lot to talk about in relation to the vulnerability itself; the details previously released (along with the patch) were more than enough for any reasonably skilled attacker to create a reliable exploit, but the working code released into Metasploit might change things just a bit. More on that in just a second, but first I want to point out that the community has been oddly silent since this was released. This is what I find more than a bit disturbing, as I honestly expected quite a stir once I saw the email come into my inbox, but as of yet the uproar hasn’t come.
There are a lot of reasons why that might be so, and I have my suspicions ranging from responsible parties taking the weekend off to being speechless at the “reckless nature” of the release, to being oblivious to the information being published. I’ll let our readers speculate on that in the comments, but I suspect the last one is most likely, and the second not very likely at all (when was someone in this area speechless about anything?).
For those of you not familiar with Metasploit, it’s a framework for developing and delivering exploits, and it is a part of almost every penetration tester’s toolbox, with thousands of users. The bar for exploiting this service has been lowered from low to “script kiddy” level, and it looks like they took an interest early. Let’s all remember that correlation does not equal causality, but looking at DShield’s activity and trends pages, something is going on, and the timing looks right. From looking at that information I would wager that if for some reason you have this service reachable from the internet, it’s already been exploited, and I would start investigating that system immediately.
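The post ends with a defender’s action item: find out whether the Citect ODBC service was reachable from the internet, and if so, treat the host as compromised and investigate. The following script is an added example (not from the post, Core, or the Metasploit project) of the first step of that check, run over firewall logs. It assumes a simple constructed log format and assumes the service port (the post does not state it; the value below is a placeholder to be confirmed against the vendor advisory). It flags accepted connections to that port from addresses outside RFC 1918 space, which confirms exposure, and separately counts denied external attempts, which indicate scanning.

```python
"""Flag inbound connections from non-private addresses to a SCADA service port.

Added example; the log format, the sample lines and the port are assumptions.
"""
import ipaddress
import re
from collections import Counter

# Assumption: the listener port of the Citect ODBC service. The post does not
# state it, so confirm this value against the vendor advisory before use.
ODBC_SERVICE_PORT = 20222

# RFC 1918 ranges; anything outside these is treated as "external" here.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed firewall log format (constructed for this example):
# <timestamp> <firewall> <ACCEPT|DENY> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<fw>\S+)\s+(?P<action>ACCEPT|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: two external sources reach the service port on
# 10.10.5.20, one internal client connects, one external probe is denied,
# and one external connection goes to an unrelated port.
SAMPLE_LOG = """\
2008-09-06T02:14:33Z fw1 ACCEPT TCP 203.0.113.45:51234 -> 10.10.5.20:20222
2008-09-06T02:14:35Z fw1 ACCEPT TCP 203.0.113.45:51235 -> 10.10.5.20:20222
2008-09-06T02:20:01Z fw1 ACCEPT TCP 10.10.7.8:40011 -> 10.10.5.20:20222
2008-09-06T03:02:17Z fw1 DENY TCP 198.51.100.9:60002 -> 10.10.5.21:20222
2008-09-06T03:05:40Z fw1 ACCEPT TCP 198.51.100.9:60003 -> 10.10.5.20:20222
2008-09-06T03:06:00Z fw1 ACCEPT TCP 203.0.113.45:51300 -> 10.10.5.20:443
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_external(ip):
    """True if the address is outside the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def scan_log(text, port=ODBC_SERVICE_PORT):
    """Return (accepted, denied) lists of external connections to `port`."""
    accepted, denied = [], []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != port or not is_external(rec["src"]):
            continue
        (accepted if rec["action"] == "ACCEPT" else denied).append(rec)
    return accepted, denied


def summarize(text, port=ODBC_SERVICE_PORT):
    """Hosts that actually accepted external traffic on the port (these are the
    systems to investigate first), the sources that reached them, and how many
    external attempts the firewall blocked."""
    accepted, denied = scan_log(text, port)
    return {
        "exposed_hosts": sorted({r["dst"] for r in accepted}),
        "accepted_by_source": dict(Counter(r["src"] for r in accepted)),
        "denied_attempts": len(denied),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Any host listed under `exposed_hosts` had the service reachable from outside, which is exactly the situation the post says to treat as already exploited; the `denied_attempts` count is the cheaper signal that someone is probing for the service even where the firewall is holding.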
Author: Daniel Peck
Posted: September 7th, 2008 under Assessment Tools, SCADA Vendor, Vulnerability Disclosure.
Comments: 3
Comments
Comment from Kevin Finisterre
Time: September 8, 2008, 11:25 am
Daniel, I am curious to know if you think that this release is any more reckless in nature than the vendor’s original attempts at downplaying the issue, “reckless abandon” if you will? Where was the bigger disservice?
Comment from Daniel Peck
Time: September 8, 2008, 1:58 pm
Kevin, I guess my sarcasm didn’t come across very well with the “reckless nature.” As I mentioned in the post, with such a simple exploit anyone who actually wanted to attack these systems already had an exploit created within days (hours more likely) of the advisory, and it shouldn’t have affected anyone’s decision to patch or not.
I am completely in agreement on vendors downplaying security issues. Downplaying security issues and other misinformation only hurt their clients, and the market should see that and make corrections for it when it comes time to re-up contracts. Too often vulnerabilities and other issues are looked at through marketing glasses instead of as part of the development process.
Comment from Kevin Finisterre
Time: September 8, 2008, 3:14 pm
I thought that was the case Daniel… just wanted to make sure though. No need to approve this comment. Just letting ya know I saw what ya wrote. Feel free to shoot me an email if ya wanna talk more.