Metasploit Weekly Wrap-Up

Post Syndicated from Zachary Goldman original https://blog.rapid7.com/2023/03/03/metasploit-weekly-wrap-up-195/

2022 Vulnerability Intelligence Report Released


Rapid7’s broader vulnerability research team released our 2022 Vulnerability Intelligence Report this week. The report includes Metasploit and research team data on exploitation, exploitability, and vulnerability profiles that are intended to help security teams understand and prioritize risk more effectively. Put simply, security teams have way too much to do in a threat climate that’s seen some pretty crazy escalation the past few years, and understanding attack trends can help them make better risk-based choices.

There are some longer threads on key findings on Twitter and Mastodon. Some of the highlights:

  • Rapid7 researchers saw a modest decrease in both widespread exploitation and zero-day exploitation of new vulnerabilities in 2022. Alas, widespread threats are still the majority of 2022 vulnerabilities in our dataset, and are double what they were in 2020.
  • Attackers keep getting faster — more than half the vulns in the report were exploited within a week.
  • Ransomware CVE stats got weird in 2022. There are probably a lot of intersectional reasons for this.

Read the full report here!

New module content (4)

Softing Secure Integration Server Login Utility

Author: Imran E. Dawoodjee
Type: Auxiliary
Pull request: #17676 contributed by ide0x90

Description: This adds a login module for the Softing Secure Integration Server software.

Oracle E-Business Suite (EBS) Unauthenticated Arbitrary File Upload

Authors: HMs, l1k3beef, and sf
Type: Exploit
Pull request: #17624 contributed by sfewer-r7
AttackerKB reference: CVE-2022-21587

Description: This pull request adds an exploit module for an arbitrary file upload vulnerability in Oracle Web Applications Desktop Integrator, as shipped with Oracle E-Business Suite versions 12.2.3 through to 12.2.11, which results in remote code execution. This has been observed to have been exploited in the wild.

Lucee Authenticated Scheduled Job Code Execution

Author: Alexander Philiotis
Type: Exploit
Pull request: #17638 contributed by JBince

Description: This adds a module to execute code using Lucee’s scheduled job functionality. The feature requires authentication as an administrator by default and allows a ColdFusion page to be rendered, which is used to execute an OS command using the cfexecute directive. The module works on both Linux and Windows targets.

Disable ClamAV

Author: DLL_Cool_J
Type: Post
Pull request: #17672 contributed by archcloudlabs

Description: This PR includes a post module that will disable ClamAV on Linux systems. The bug resides in the ClamAV Unix socket permitting any user to submit the "shutdown" command which will disable ClamAV.
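A defender-side counterpart to the ClamAV weakness described above, added here as an example (not Metasploit code): it audits the socket permission directives in a clamd.conf and health-checks that clamd still answers on its socket, since a daemon that stops answering after a known-good state is the observable effect of the shutdown. The config text is constructed and the socket path is an assumption.

```python
import socket
import stat

# Constructed sample clamd.conf (real files usually live at /etc/clamav/clamd.conf)
SAMPLE_CONF = """\
# constructed example
LocalSocket /var/run/clamav/clamd.ctl
LocalSocketGroup clamav
LocalSocketMode 666
"""

def parse_clamd_conf(text):
    """Return clamd.conf directives as a dict; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def socket_findings(conf):
    """Flag Unix-socket settings that let arbitrary local users send clamd commands."""
    findings = []
    if "LocalSocket" not in conf:
        return findings
    mode_str = conf.get("LocalSocketMode")
    if mode_str is None:
        findings.append("LocalSocketMode not set explicitly; socket permissions depend on the daemon umask")
        return findings
    mode = int(mode_str, 8)
    if mode & stat.S_IWOTH:
        findings.append(f"LocalSocketMode {mode_str} is world-writable: any local user can send commands")
    if mode & stat.S_IWGRP and "LocalSocketGroup" not in conf:
        findings.append(f"LocalSocketMode {mode_str} is group-writable but LocalSocketGroup is not set")
    return findings

def clamd_alive(path, timeout=2.0):
    """Health check using clamd's own protocol: PING must be answered with PONG."""
    try:
        with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(path)
            s.sendall(b"zPING\0")          # NUL-terminated command form
            return s.recv(16).startswith(b"PONG")
    except OSError:
        return False                       # socket missing or daemon not answering

if __name__ == "__main__":
    for f in socket_findings(parse_clamd_conf(SAMPLE_CONF)):
        print("finding:", f)
    print("clamd alive:", clamd_alive("/var/run/clamav/clamd.ctl"))
```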

Enhancements and features (2)

  • #17635 from dwelch-r7 – Updates the admin/kerberos/inspect_ticket module to display the ticket checksum and full PAC checksum
  • #17699 from gwillcox-r7 – This adds SCHANNEL authentication support to LDAP modules.

Bugs fixed (5)

  • #17562 from gwillcox-r7 – This fixes some incorrect Railgun definitions for the wldap32 Windows library.
  • #17679 from adfoster-r7 – This PR fixes the broken payload selection for Metasploit RPC
  • #17696 from zeroSteiner – The version of Metasploit Payloads in use by Metasploit has been bumped, which brings in support for the getprivs and getdesktop commands to Python Meterpreters running on Windows, and also adds support for getting the handle of processes opened via the session. Additionally, fixes were made to support Python 2.5 and to fix the getdesktop output of Python Meterpreters.
  • #17697 from jheysel-r7 – This updates the exploit/linux/http/froxlor_log_path_rce module to note that Froxlor 2.0.7 is the last vulnerable version.
  • #17700 from zeroSteiner – The argument validation for the route command has been reworked to improve the way it validates arguments and to print out more accurate error messages.

Documentation added (3)

  • #17680 from adfoster-r7 – Improves the UX of the docs.metasploit.com module explorer. Adds ‘expand all’ and ‘collapse all’ buttons to the module explorer. Adds support for automatically opening descendant folders that only contain 1 item. Adds an additional parent folder to make it clearer to the user that the folders are clickable.
  • #17687 from archcloudlabs – This PR contains additional examples on the ERB format required for the HTTPRawHeaders option for HTTP clients.
  • #17695 from zeroSteiner – The LDAP query and collection projects have been removed from the GSOC 2023 list since they have already been implemented in https://github.com/rapid7/metasploit-framework/pull/16598.

You can always find more documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate, and you can get more details on the changes since the last blog post from GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).