Post Syndicated from Adam Galway original https://blog.rapid7.com/2021/02/19/metasploit-wrap-up-99/

GSoC Rocks!

In a rare double whammy, one of our 2020 Google Summer of Code (GSoC) participants has authored a PR containing both enhancements & a new module! Improvements to our SQL injection library now allow PostgreSQL injection, and this new functionality has been verified with both a test module AND a fully functioning module exploiting CVE-2019-13375, a (Postgre)SQL Injection vuln in the D-Link Central WiFi Manager allowing both DB dumping and user insertion in all versions before v1.03R0100_BETA6. Big thanks to red0xff for authoring these changes and showing that students can hack it with the best of them.

For anyone interested in working with Metasploit in this year’s Google Summer of Code, you’ll have to wait until March 9th to find out if we’ve been accepted as mentors. However, you can get a head start by checking out our current project shortlist. Said shortlist is still being worked on, and applicants can suggest their own project ideas, so get looking and see what jumps out at you!

King KLog vs Colezilla

Our copious community contributor bcoles has written a new module exploiting CVE-2020-35729, an unauthenticated command injection vulnerability in KLog (An english translated version of their site can be found here). KLog is a Syslog server providing a time stamp service packaged in a Linux VM, and if Google Translate is to be believed, includes "Kamu SM approved SHA-512 hash algorithm has log signing feature", which is nice. By making a POST request to authenticate.php, the module can perform code execution in the VM via the PHP shell_exec() function. Additionally, the KLog VM configuration allows the apache user to execute sudo without supplying a password, ultimately allowing code execution with root privileges.

Short. Sweet. Screenshot.

Wrapping up this wrapup, timwr has fixed an issue with our Java Meterpreter that prevented screenshots from being taken. As an added bonus, it also prevents uploading a screenshot dll on non-native Windows meterpreter sessions.

New Modules (4)

• WordPress ChopSlider3 id SQLi Scanner by Callum Murphy, SunCSR, and h00die, which exploits CVE-2020-11530 This adds a new module to exploit a SQL injection vulnerability in iDangero.us ChopSlider 3 WordPress plugin version 3.4 and prior. It is able to remotely dump usernames and password hashes from the WordPress database without any authentication. This vulnerability is identified as CVE-2020-11530.
• D-Link Central WiFiManager SQL injection by M3 and Redouane NIBOUCHA, which exploits CVE-2019-13373 GSoC 2020 project supporting SQLi library usage with PostgreSQL. This support comes with a new module utilizing CVE-2019-13373 to dump database information or insert additional users into D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6.
• Klog Server authenticate.php user Unauthenticated Command Injection by Metin Yunus Kandemir, b3kc4t, and bcoles, which exploits CVE-2020-35729 This adds an exploit module that targets an unauthenticated command injection vulnerability in Klog Server versions 2.4.1 and below. A POST request to authenticate.php can result in code execution on the target due to improper sanitization of the user parameter, which gets passed to the shell_exec() function. Additionally, Klog Server’s configuration allows the apache user to execute sudo without supplying a password, so this exploit ultimately achieves code execution with root privileges.
• Micro Focus Operations Bridge Manager Local Privilege Escalation by Pedro Ribeiro, which exploits ZDI-20-1326 (CVE-2020-11858) Allows privilege escalation assuming victim machine is running a vulnerable version of OBM & user already has a session on said machine that supports Powershell. Module writes payload to specific folder, then sends request to OBM process via the loopback address to trigger payload execution.

Enhancements and features

• #14733 from adfoster-r7 Adds the latest rubocop rules
• #14747 from dwelch-r7 Updates exploit/linux/http/saltstack_salt_api_cmd_exec to correctly show failure messages to the user under error scenarios
• #14756 from bcoles Updates msftidy to warn when a module is missing its Notes metadata
• #14762 from adfoster-r7 Adds support for ignoring Rubocop’s ExtraSpacing rules for BinData objects

Bugs Fixed

• #14602 from red0xff Improved length detection for Time Based MySQLi injections & expand support for empty strings to hex_encode_strings.
• #14738 from timwr Fixes multi/manage/shell_to_meterpreter on macOS by using Python reflection to upgrade a shell session on macOS to a meterpreter session, in memory, without dropping a file to disk
• #14751 from bcoles A bug has been fixed within the msftidy.rb developer tool whereby a typo was preventing several checks from being run against exploit modules to ensure they conformed to standards. This has now been fixed, along with some grammar issues that were noticed in related modules.
• #14758 from timwr Fix platform check in Meterpreter stdapi screenshot command. This ensures Java Meterpreter can take screenshots on Windows platforms and prevents unnecessarily uploading the screenshot DLL when using the screenshot command on non-native Windows sessions.
• #14741 from zeroSteiner Fixes typo for exchange_ecp_dlp_policy target

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.0.30…6.0.31
• Full diff 6.0.30…6.0.31

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).

Post Syndicated from Adam Galway original https://blog.rapid7.com/2021/02/12/metasploit-wrap-up-98/

MicroFocus? More like MacroVuln

MicroFocus’s Operations Bridge Manager is a security information and event management (SIEM) tool designed to collect and parse security logs from multiple disparate sources. OBM has a large attack surface—something Pedro Ribeiro was able to take advantage of with his new RCE module. This module leverages a Java deserialization bug to allow payload execution as either root or SYSTEM, depending on the victim OS.

We’ve one other OBM module currently in the process of being landed, but for anyone who needs their fix of MicroFocus hacks right away, we’d recommend pedrib’s super detailed writeup of his findings.

Patches? We don’t need no stinkin’ patches!

While PR #14607 doesn’t add a totally new exploit for Microsoft Exchange Server, that’s only because zeroSteiner was able to update an earlier module to support a bypass for the patch that was supposed to fix the vuln it exploited.

CVE-2020-16875 originally allowed remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server so long as they were authenticated as a user who had an active mailbox and who was assigned the Data Loss Prevention role. This was believed to have been patched in the Exchange Server 2016 Cumulative Update 18 (September 15 2020) and Exchange Server 2019 Cumulative Update 7 (September 15 2020). However, this patch was later bypassed and assigned CVE-2020-17132. Microsoft’s second patch was also later bypassed—a tough shake for organizations’ patch cycles. Both the original vulnerability and the patch bypass) were discovered by Steven Seeley, and the Metasploit code is based on his work.

zeroSteiner’s changes allow the exchange_ecp_dlp_policy module to exploit the two patched versions of Exchange Server and the unpatched server.

External modules, internal quality

Last but not least, cgranleese-r7 has spearheaded our efforts to improve usability of Metasploit’s external modules by providing more informative error messages for users when they lack the required languages in their environment (#14480). This will help avoid instances of users missing out on useful modules due to their not knowing some languages outside of ruby can be needed for the full metasploit experience.

msf6 > use auxiliary/scanner/msmail/host_id
[-] Failed to load module: LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
msf6 >

New modules (1)

• Micro Focus Operations Bridge Manager Authenticated Remote Code Execution by Pedro Ribeiro, which exploits ZDI-20-1327 / CVE-2020-11853 This adds an exploit module that leverages an insecure Java deserialization vulnerability in multiple Micro Focus products. This allows remote code execution as the root user on Linux or the SYSTEM user on Windows. Initial authentication is required, but any low-privileged user can be used to successfully run this exploit.

Enhancements and features

• #14154 from cgranleese-r7 This ensures that all modules that previously used manual AutoCheck behavior now leverage the AutoCheck mixin instead.
• #14480 from cgranleese-r7 Improves the handling of external modules when they’re missing runtime dependencies and gives the user a more useful error. It will now return which runtime language the user is missing on their environment (this has been implemented for both Python and Go).
• #14607 from zeroSteiner This updates the Exchange ECP DLP Policy module exploit to leverage a new technique that bypasses the original patch. This new technique also works on unpatched versions.
• #14669 from jmartin-r7 Improves error message feedback when using the auxiliary/analyze/crack_* modules. Examples include notifying the user that the database needs to be active, and having JohnTheRipper Jumbo patch installed
• #14685 from geyslan Reduced the size of the linux/x64/shell_bind_tcp_random_port payload while maintaining the functionality.
• #14708 from timwr Add offsets to the exploit/osx/browser/safari_proxy_object_type_confusion exploit module for Mac OSX 10.13.1 and 10.13.2.
• #14721 from bcoles This adds a target for Debian 10 to the sudo exploit CVE-2021-3156.
• #14728 from FireFart Updates have been made to lib/msf/core/module/reference.rb as well as associated tools and documentation to update old WPVDB links with the new WPVDB domain and to also ensure that the new URL format is properly checked in the respective tools.
• #14725 by h00die moves creds to a default-cred "userpass" list instead of splitting known cred pairs across files.

Bugs fixed

• #14714 from adfoster-r7 Updates the sqlite gem in preparation for Ruby 3.0 support & fixes SQLite3 deprecation warning.
• #14720 from dwelch-r7 Fixed an issue in the lib/msf/core/exploit/remote/http_client.rb and lib/msf/core/opt_http_rhost_url.rb libraries where the VHOST datastore variable would be set incorrectly if a user used an /etc/hosts entry for resolving a hostname to an IP address.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate and you can get more details on the changes since the last blog post from GitHub:

• Pull Requests 6.0.29…6.0.30
• Full diff 6.0.29…6.0.30

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).