Metasploit Weekly Wrap-Up

Post syndicated from Brendan Watters; original: https://blog.rapid7.com/2023/01/06/metasploit-weekly-wrap-up-4/

Back from a quiet holiday season


Thankfully, it was a relatively quiet holiday break for security this year, so we hope everyone had a relaxing time while they could. This wrap-up covers the last three Metasploit releases and contains three new modules, two updates, and five bug fixes.

Make sure that your OpenTSDB isn’t too open

Of particular note in this release is a new module from community contributors Erik Wynter and Shai rod, which adds an exploit for CVE-2020-35476, an unauthenticated command injection vulnerability in the yrange parameter of OpenTSDB <= 2.4.0.

OpenTSDB is monitoring software that runs on top of Hadoop and HBase to let users serve large amounts of time-series data without losing any granularity in the data itself. If you are wondering what that whole mess of buzzwords means, it simply means that it is a database optimized to store time-stamped events or measurements. This also means that the target is likely to be storing a lot of metrics data, which may include details of sensitive internal operations, making it a prime target for exploitation.

Successful exploitation of this vulnerability results in remote code execution as the root user, meaning that an attacker can go from being completely unauthenticated to having full control over an affected OpenTSDB host. This could then allow the attacker to pivot further into the target network, using either the privileges gained on the OpenTSDB host or details from the logs and metrics stored there, which may reveal weaknesses in the network or give access to sensitive information.
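Because the weakness is an unauthenticated parameter that reaches a shell, the defensive checks that matter are the obvious ones: upgrade past 2.4.0, keep the OpenTSDB web port off untrusted networks, and review web access logs for yrange values that do not look like a legitimate plot range. The following script is an added example written for this post, not code from the Metasploit module or from the OpenTSDB project. It assumes a combined-format access log in front of OpenTSDB, that the graphing endpoint is /q, and that a legitimate yrange is a gnuplot-style "[min:max]" range in which either bound may be empty; the log lines are constructed for illustration.

```ruby
require 'uri'

# Constructed sample access-log lines (combined format); not taken from any
# real OpenTSDB deployment.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [06/Jan/2023:10:01:02 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&yrange=%5B0%3A100%5D HTTP/1.1" 200 512
  10.0.0.9 - - [06/Jan/2023:10:01:07 +0000] "GET /q?start=1h-ago&m=sum:sys.cpu.user&yrange=%5B0%3A100%5D%3Bx HTTP/1.1" 200 512
  10.0.0.7 - - [06/Jan/2023:10:01:09 +0000] "GET /api/query?start=1h-ago&m=sum:sys.cpu.user HTTP/1.1" 200 2048
LOG

# Assumed legitimate shape of a yrange value: gnuplot "[min:max]" where either
# bound may be empty, e.g. "[0:100]", "[:50]", "[-1.5:]". Anything else is
# flagged; an allowlist is safer than trying to enumerate shell metacharacters.
YRANGE_ALLOWED = /\A\[-?\d*(?:\.\d+)?:-?\d*(?:\.\d+)?\]\z/

# Pull the request target ("/q?...") out of a combined-format log line.
def request_target(line)
  m = line.match(%r{"(?:GET|POST|HEAD) (\S+) HTTP/})
  m && m[1]
end

# Return every decoded yrange value present in the line's query string.
def yrange_values(line)
  target = request_target(line)
  return [] unless target && target.include?('?')
  query = target.split('?', 2)[1]
  URI.decode_www_form(query).select { |k, _| k == 'yrange' }.map { |_, v| v }
end

def suspicious_yrange?(value)
  !YRANGE_ALLOWED.match?(value)
end

# Scan a whole log text; one finding per request whose yrange value falls
# outside the allowlisted shape.
def scan_log(text)
  findings = []
  text.each_line.with_index(1) do |line, no|
    yrange_values(line).each do |value|
      next unless suspicious_yrange?(value)
      findings << { line: no, client: line.split(' ').first, yrange: value }
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |f|
    puts "line #{f[:line]}: client #{f[:client]} sent yrange=#{f[:yrange].inspect}"
  end
end
```

Run it against a real log with `ruby scan.rb` after replacing SAMPLE_LOG with `File.read(path)`; the second constructed line is the only one reported, because its decoded yrange carries characters that no plot range needs. The same allowlist regex is what you would apply server-side if you cannot upgrade immediately.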

New module content (3)

Enhancements and features (2)

  • #17258 from h00die – This updates the SharpHound post module to use version 1.1.0 of SharpHound, which works with Bloodhound 4. This includes both the .ps1 and binary from the original repository.
  • #17380 from smashery – The list of user agent strings inside lib/rex/user_agent.rb has been updated to reflect the latest user agents as of December 2022.

Bugs fixed (5)

  • #17334 from bcoles – Multiple improvements to modules/post/linux/gather/enum_commands, including fixing a crash when attempting to search a path that doesn’t exist.
  • #17389 from ErikWynter – log4shell_header_injection bugfix to prevent NoMethodError for nil:NilClass.
  • #17409 from adfoster-r7 – Update the rhost walker to handle the interrupt signal.
  • #17416 from MegaManSec – The jenkins_gather.rb module has been updated to use .blank? instead of .empty? when handling SSH Key details to prevent crashes should the various elements of the SSH Key be empty or nil.
  • #17435 from jmartin-r7 – A bug has been fixed whereby some modules were accidentally updated to use smtp_send_recv when they did not import the required Exploit::Remote::SMTPDeliver mixin. These modules have been updated to use the appropriate raw_send_recv method instead.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).