Post Syndicated from Jack Heysel original https://blog.rapid7.com/2024/02/09/metasploit-weekly-wrap-up-02-09-2024/
Go go gadget Fortra GoAnywhere MFT Module
This Metasploit release contains a module for one of 2024’s hottest vulnerabilities to date: CVE-2024-0204. The path traversal vulnerability in Fortra GoAnywhere MFT allows for unauthenticated attackers to access the InitialAccountSetup.xhtml endpoint which is used during the products initial setup to create the first administrator user. After setup has completed, this endpoint is supposed to be no longer available. Attackers can use this vulnerability to create a user with Administrator privileges. Once Administrative privileges have been obtained for the GoAnywhere MFT application, uploading a .jsp payload in order to achieve RCE is trivial.
New module content (3)
runc (docker) File Descriptor Leak Privilege Escalation
Authors: Rory McNamara and h00die
Type: Exploit
Pull request: #18780 contributed by h00die
Path: linux/local/runc_cwd_priv_esc
Description: This adds a local privilege escalation exploit that leverages an internal file descriptor leak in runc versions prior to 1.1.12. An attacker with docker privileges is able write an arbitrary file on the host file system with the permissions of runc (typically root). With this, the module uploads a payload, sets the execute and the SUID permissions to escalate privileges.
Cacti RCE via SQLi in pollers.php
Authors: Aleksey Solovev and Christophe De La Fuente
Type: Exploit
Pull request: #18769 contributed by cdelafuente-r7
Path: multi/http/cacti_pollers_sqli_rce
Description: This PR adds an exploit module which leverages a SQLi (CVE-2023-49085) and a LFI (CVE-2023-49084) vulnerability in Cacti versions prior to 1.2.26 to achieve RCE.
Fortra GoAnywhere MFT Unauthenticated Remote Code Execution
Authors: James Horseman, Zach Hanley, and sfewer-r7
Type: Exploit
Pull request: #18762 contributed by sfewer-r7
Path: multi/http/fortra_goanywhere_mft_rce_cve_2024_0204
Description: This pull request adds an exploit module for CVE-2024-0204 which is a path traversal vulnerability which results in unauthenticated RCE in Fortra GoAnywhere MFT. GoAnywhere MFT versions 6.x from 6.0.1, and 7.x before 7.4.1 are vulnerable.
Enhancements and features (3)
- #18696 from zgoldman-r7 – Introduces a standalone MSSQL client class that can be used in new contexts not tied to a specific module.
- #18718 from cgranleese-r7 – Updates the
auxiliary/scanner/mysql/mysql_login.rbmodule to include a newCreateSessionoption that opens an interactive session. This functionality is currently behind a feature flag which can be enabled withfeatures set mysql_session_type true. - #18761 from dwelch-r7 – Adds a user notification that new modules support a
CreateSessionoption. This functionality is currently behind a feature flag which can be enabled with thefeaturescommand.
Bugs fixed (3)
- #18704 from dwelch-r7 – Fixes a bug with framework having 0 registered nop modules when the defer-module-loads feature was enabled.
- #18773 from sjanusz-r7 – Fixes an issue where
Ctrl+ZandCtrl+Cwhen in the context of an interactive PostgreSQL shell prompt inside the PostgreSQL session type did work correctly. - #18803 from dwelch-r7 – Fixes a crash when using
exploit/multi/handlerwith an invalid payload name.
Documentation added (1)
- #18782 from ekalinichev-r7 – Updates our existing Windows installation documentation to mention that Administrator privileges are required when installing via our
.msipackage.
You can always find more documentation on our docsite at docs.metasploit.com.
Get it
As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:
If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
commercial edition Metasploit Pro