Post Syndicated from Shelby Pace original https://blog.rapid7.com/2022/03/04/metasploit-wrap-up-150/

This week’s Metasploit Framework release brings us seven new modules.

IP Camera Exploitation

Rapid7’s Jacob Baines was busy this week with two exploit modules that target IP cameras. The first module exploits an authenticated file upload on Axis IP cameras. Due to lack of proper sanitization, an attacker can upload and install an eap application which, when executed, will grant the attacker root privileges on the device. This vulnerability, discovered by Baines in 2017, has yet to be patched.

The second module exploits an unauthenticated command injection vulnerability in a number of Hikvision IP cameras. A PUT request to the /SDK/webLanguage endpoint passes the contents of its request body’s <language> tag to snprintf(), which then passes its resultant data to a call to system(), resulting in code execution with root privileges. This vulnerability has been reported as exploited in the wild.

Privilege Escalation in pkexec

Community contributor RootUp submitted a module that exploits a privilege escalation vulnerability in Polkit’s pkexec utility, an SUID binary that is present on most major Linux distributions. Additionally, this vulnerability has likely existed in pkexec since 2009.

Any user can escalate their privileges to root by exploiting an out-of-bounds read and write that exists in pkexec’s executable path-finding logic. The logic always assumes that an argument is passed to pkexec, resulting in a read of the data that follows arguments in memory. Environment variables follow program arguments, so pkexec reads the first environment variable, resolves its full path, and replaces the environment variable with the full path. Leveraging the GCONV_PATH environment variable coerces pkexec into loading arbitrary libraries, leading to escalation of privileges.

New module content (7)

• WordPress Modern Events Calendar SQLi Scanner by Hacker5preme (Ron Jost), h00die, and red0xff, which exploits CVE-2021-24946 – This exploits an unauthenticated SQL injection vulnerability in the Modern Events Calendar plugin for WordPress.

• WordPress Secure Copy Content Protection and Content Locking sccp_id Unauthenticated SQLi by Hacker5preme (Ron Jost), Krzysztof Zając (kazet), and h00die, which exploits CVE-2021-24931 – A new module has been added to exploit CVE-2021-24931, an unauthenticated SQLi vulnerability in the sccp_id parameter of the ays_sccp_results_export_file AJAX action in Secure Copy Content Protection and Content Locking WordPress plugin versions before 2.8.2. Successful exploitation allows attackers to dump usernames and password hashes from the wp_users table which can then be cracked offline to gain valid login credentials for the affected WordPress installation.

• Axis IP Camera Application Upload by jbaines-r7 – The "Apps” feature in Axis IP cameras allow allows third party developers to upload and execute ‘eap’ applications on the device, however no validation is performed to ensure the application comes from a trusted source. This module takes advantage of this vulnerability to allow authenticated attackers to upload and execute malicious applications and gain RCE. Once the application has been installed and the shell has been obtained, the module will then automatically delete the malicious application. No CVE is assigned to this issue as a patch has not been released as of the time of writing.

• Hikvision IP Camera Unauthenticated Command Injection by Watchful_IP, bashis, and jbaines-r7, which exploits CVE-2021-36260 – This module exploits an unauthenticated command injection in a variety of Hikvision IP cameras (CVE-2021-36260). The module inserts a command into an XML payload used with an HTTP PUT request sent to the /SDK/webLanguage endpoint, resulting in command execution as the root user.

• Local Privilege Escalation in polkits pkexec by Andris Raugulis, Dhiraj Mishra, Qualys Security, and bwatters-r7, which exploits CVE-2021-4034 – This adds an LPE exploit for CVE-2021-4034 which leverages an out-of-bounds read and write in polkit’s pkexec utility. It also adds support to Metasploit for generating Linux SO library payloads for the AARCH64 architecture.

• Firefox MCallGetProperty Write Side Effects Use After Free Exploit by 360 ESG Vulnerability Research Institute, maxpl0it, and timwr, which exploits CVE-2020-26950 – This adds a module for CVE-2020-26950, a use after free browser exploit targeting Firefox and Thunderbird.

• #16202 from zeroSteiner – This adds an exploit for CVE-2022-21882 which is a patch bypass for CVE-2021-1732. It updates and combines both techniques into a single mega-exploit module that will use the updated technique as necessary. No configuration is necessary outside of the SESSION and payload datastore options.

Bugs fixed

• #16228 from zeroSteiner – This fixes a bug where the framework failed to check if a payload would fit in the space defined by an exploit if the payload was not encoded.
• #16235 from bcoles – This change fixes an issue with APK injection when in some configurations an invalid apktool version string would cause injection to fail.
• #16251 from zeroSteiner – This fixes an error when executing commands using the Python Meterpreter where not all results were returned to msfconsole.
• #16254 from heyder – This fixes an issue in the Shodan search module where recent changes to randomize the user agent were causing the results returned to the module to be in an unexpected format.
• #16255 from zeroSteiner – This fixes a parsing issue with kiwi_cmd arguments which contained spaces, such as kiwi_cmd 'base64 /in:off /out:off'.
• #16257 from bcoles – This change adds a warning when a user tries to inject the Android payload into an APK using an older version of apktool.
• #16264 from bwatters-r7 – This fixes a crash when attempting to create create local module documentation with the info -d command when the provided GitHub credentials were invalid.
• #16266 from smashery – This fixes bugs in how msfconsole tab-completes directory paths.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.31…6.1.32
• Full diff 6.1.31…6.1.32

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).