Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/05/05/metasploit-weekly-wrap-up-9/

Throw another log [file] on the fire

Our own Stephen Fewer authored a module targeting CVE-2023-26360 affecting ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier. The vulnerability allows multiple paths to code execution, but our module works by leveraging a request that will result in the server evaluating the ColdFusion Markup language on an arbitrary file on the remote system. This allows a user to execute markup language in an arbitrary file on the remote host. The attack writes this markup language to the remote host by sending an incorrect JSON blob containing ColdFusion Markup language to the server, and the server recognizes the incorrect JSON and logs it to a log file. We then request to evaluate the log file which now contains the arbitrary ColdFusion Markup that we wish evaluated, and collect shells.
This vulnerability was added to the CISA’s Known Exploited Vulnerabilities catalog in March.

WOW64 Hashdump Support

One of Meterpreter’s oldest features is the ability to dump hashes from LSASS. Until recently, this capability required that the Meterpreter instance running on the Windows target system matched the hosts native architecture. When users attempted to dump hashes from a Meterpreter running in a WOW64 process they’d see the following cryptic error that was tribal knowledge among Metasploit users for “you need to open a new session with a 64-bit Meterpreter”.

meterpreter > hashdump 
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.

In our latest release, we have shipped new support allowing hashdump to work in WOW64 environments with no changes or further actions required on the users’ part. Simply run the hashdump command and Meterpreter will take care of the rest.

For those interested in the technical details, the old limitation was related to the way in which Meterpreter carved the code to inject into LSASS out of itself. This was where the requirement that the two architectures matched came from. Since LSASS would always be the host’s native architecture, Meterprter would also need to be the host’s native architecture. The new approach uses Reflective DLL Injection to encapsulate the injected code which allows Meterpreter to select the correct one at runtime.

New module content (3)

Icingaweb Directory Traversal in Static Library File Requests

Authors: Jacob Ebben, Thomas Chauchefoin, and h00die
Type: Auxiliary
Pull request: #17915 contributed by h00die
AttackerKB reference: CVE-2022-24716

Description: A new module has been added in for CVE-2022-24716, an unauthenticated arbitrary file read in Icinga Web 2 versions 2.9.0 to 2.9.5 inclusive, and 2.8.0 to 2.8.5 inclusive that can be used to leak sensitive configuration information from a target server.

Adobe ColdFusion Unauthenticated Remote Code Execution and Unauthenticated Arbitrary File Read

Author: sf
Type: Exploit
Pull request: #17856 contributed by sfewer-r7
AttackerKB reference: CVE-2023-26360

Description: This adds two modules; an RCE exploit for CVE-2023-26360 (Adobe ColdFusion) and an auxiliary gather module for the same vulnerability that can be leveraged to read arbitrary files. ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier are affected.

Enhancements and features (2)

• #16390 from sempervictus – Two new libraries, Rex::Proto::DNS::CachedResolver and Rex::Proto::DNS::Cache, have been added to extend the functionality of Rex::Proto::DNS::Resolver and add the ability for users to cache DNS responses, specify the name server that they would like to use when trying to resolve DNS names, and load and cache existing DNS entries in their hostfile.
• #17963 from h00die – Updates auxiliary/scanner/nfs/nfsmount to include a reference to CVE-1999-0554 – which is related to finding sensitive files on an NFS mount.

Bugs fixed (4)

• #17910 from cgranleese-r7 – Fixes false positives in the auxiliary/scanner/couchdb/couchdb_login module which incorrectly reported successful user authentication when connection timeouts occurred.
• #17911 from cgranleese-r7 – Updates the setting missing datastore values validation to produce a warning instead of an error. This fixes an edgecase where setting options on multi/handler without having first set a payload would fail.
• #17944 from zeroSteiner – A new release of metasploit-payloads is out which adds long awaited WOW64 support for hashdump, fixes an issue with building payloads using MingGW, and adds memory read/write abilities to Windows version of Python Meterpreter.
• #17947 from bcoles – Updates exploits/osx/local/feedback_assistant_root.rb to no longer assume that OSX version nil/zero is vulnerable – which may occur when running against non-OSX systems.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.14…6.3.15
• Full diff 6.3.14…6.3.15

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2023/01/06/metasploit-weekly-wrap-up-4/

Back from a quiet holiday season

Thankfully, it was a relatively quiet holiday break for security this year, so we hope everyone had a relaxing time while they could. This wrapup covers the last three Metasploit releases, and contains three new modules, two updates, and five bug fixes.

Make sure that your OpenTSDB isn’t too open

Of particular note in this release is a new module from community contributors Erik Wynter and Shai rod
which adds a new exploit module for CVE-2020-35476, an unauthenticated command injection vulnerability in the yrange parameter in OpenTSDB <= 2.4.0.

OpenTSDB is a monitoring software that runs on top of Hadoop and HBase to allow users to serve large amounts of time-series data without losing any granularity in the data itself. If you are wondering what that host mess of buzzwords means, it simply means that it is a database optimized to store events or measurements that are time-stamped. This also means that the target is likely to be storing a lot of metrics data, which may also include sensitive internal operations, making it a prime target for exploitation.

Successful exploitation of this vulnerability will result in remote code execution as the root user, meaning that an attacker can go from being completely unauthenticated to having full control over affected OpenTSDB devices. This could then allow the attacker
to pivot further into the target network, using either the privileges they have gained on the OpenTSDB device, or details from the logs on the OpenTSDB device, which may provide insight into weaknesses of the network or give access to sensitive information.

New module content (3)

• Linear eMerge E3-Series Access Controller Command Injection by Gjoko Krstic (gjoko[at]applied-risk.com) and h00die-gr3y, which exploits CVE-2019-7256, an unauthenticated command injection vulnerability in Linear eMerge E3 versions 1.00-06 and below in the No and door parameters of card_scan_decoder.php. Successful exploitation results in RCE as the root user.
• OpenTSDB 2.4.0 unauthenticated command injection by ErikWynter and Shai rod, which exploits CVE-2020-35476, an unauthenticated command injection vulnerability in OpenTSDB through 2.4.0.
• SolarWinds Orion Secrets Dump by Rob Fuller and npm-cesium137-io – This adds a post module for extracting encrypted credentials from SolarWinds Orion NPM.

Enhancements and features (2)

• #17258 from h00die – This updates the SharpHound post module to use version 1.1.0 of SharpHound, which works with Bloodhound 4. This includes both the .ps1 and binary from the original repository.
• #17380 from smashery – The list of user agent strings inside lib/rex/user_agent.rb has been updated to reflect the latest user agents as of December 2022.

Bugs fixed (5)

• #17334 from bcoles – Multiple improvements to modules/post/linux/gather/enum_commands, including fixing a crash when attempting to search a path that doesn’t exist
• #17389 from ErikWynter – log4shell_header_injection bugfix to prevent NoMethodError for nil:NilClass
• #17409 from adfoster-r7 – Update rhost walker to handle interrupt signal
• #17416 from MegaManSec – The jenkins_gather.rb module has been updated to use .blank? instead of .empty? when handling SSH Key details to prevent crashes should the various elements of the SSH Key be empty or nil.
• #17435 from jmartin-r7 – A bug has been fixed whereby some modules were accidentally updated to use smtp_send_recv when they did not import the required Exploit::Remote::SMTPDeliver mixin. These modules have been updated to use the appropriate raw_send_recv method instead.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.31…6.2.34
• Full diff 6.2.31…6.2.34

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2022/12/16/metasploit-weekly-wrap-up-187/

A sack full of cheer from the Hacking Elves of Metasploit

It is clear that the Metasploit elves have been busy this season: Five new modules, six new enhancements, nine new bug fixes, and a partridge in a pear tree are headed out this week! (Partridge nor pear tree included.) In this sack of goodies, we have a gift that keeps on giving: Shelby’s Acronis TrueImage Privilege Escalation works wonderfully, even after the software is uninstalled.

If you prefer elf files to holiday elves, we’ve still got you covered

Jan Rude submitted two modules targeting Syncovery for Linux. One takes advantage of an insecure session token generator and allows for the brute-force creation of a token that matches that of a logged-in user, and the other allows an authenticated user to create a job that will run when a user’s profile is run.

New module content (5)

• Syncovery For Linux Web-GUI Session Token Brute-Forcer by Jan Rude, which exploits CVE-2022-36536 – A new login scanner module that brute-forces a valid session token for the Syncovery File Sync & Backup Software Web-GUI. This will work if the default user is already logged in the application. If they do not logout, the token stays valid until the next reboot.
• Acronis TrueImage XPC Privilege Escalation by Csaba Fitzl and Shelby Pace, which exploits CVE-2020-25736 – This module exploits a local privilege escalation vulnerability in Acronis TrueImage versions 2019 update 1 through 2021 update 1 on macOS. This vulnerability is identified as CVE-2020-25736. By abusing a local helper executable, it is possible to execute arbitrary commands as the root user.
• Syncovery For Linux Web-GUI Authenticated Remote Command Execution by Jan Rude, which exploits CVE-2022-36534 – This adds a module that exploits an authenticated remote code execution vulnerability identified as CVE-2022-36534 in the Web GUI of Syncovery File Sync & Backup Software for Linux. The module leverages a flaw in the application that allows the creation of jobs that will be executed when a profile is run. This allows the execution of arbitrary commands as the root user.
• F5 Big-IP Gather Information from MCP Datastore by [Ron Bowes] (https://github.com/rbowes-r7) – This adds a post module for gathering facts from an F5 system’s MCP database protocol.

Enhancements and features (6)

• #17191 from liangjs – This PR fixes a bug where the Windows Subsystem for Linux crashes when using a reverse_tcp x64 stager because of data in the upper bits of the RDI register when the syscall occurs.
• #17255 from JustAnda7 – The command payloads have been updated to allow specifying the file system path for several of their commands within datastore options. This should allow users to specify these commands locations should they not be contained within the searchable PATH.
• #17346 from adfoster-r7 – The logic for counting threads within lib/metasploit/framework/spec/threads/suite.rb has been updated to appropriately count and document the known threads that can be left behind when running the rspec test suite. This fixes an intermittent rspec crash.
• #17355 from adfoster-r7 – The creds command has been updated to show the full SSH key contents when running the creds -v command or when exporting to a file with creds -o output.txt. Previously only a shortened fingerprint string would be shown to the user.
• #17357 from adfoster-r7 – The docs site has been updated to support mermaid graphs for rendering diagrams to assist with explanations.
• #17387 from smashery – The hosts, services, vulns and notes command have been updated to support tab expansion in paths using the ~ character when using the -o option to specify the path to the file to write the output to.

Bugs fixed (9)

• #17345 from adfoster-r7 – A crash has been fixed when using the report API with verbose mode enabled and no active DB.
• #17350 from smashery – This updates three UAC bypass modules to remove a hard coded delay in favor of using the module’s builtin cleanup method. This results in the user having access to the interactive session without needing to wait.
• #17351 from smashery – This fixes an issue in the exploit/windows/local/s4u_persistence module where the default value for FREQUENCY would cause an error.
• #17352 from smashery – A bug has been fixed in the file_version method for Windows Meterpreter, which would cause the session to crash if it was run on a file that did not exist on the target system.
• #17361 from jmartin-r7 – A bug has been fixed that would cause a crash when running the exit command from within msfconsole when running msfconsole with a 3.1.x release of Ruby.
• #17366 from zeroSteiner – The upload and download commands used by shell sessions have been updated to handle directory destinations in the same way as the Meterpreter equivalents do, and to fix some bugs when uploading and downloading files that would prevent errors from being displayed and might cause session crashes.
• #17368 from adfoster-r7 – Fixes a regression issue with msfvenom payload generation for large payloads taking more than 5 minutes to generate when outputting as hex format. Now it takes a few seconds as normal.
• #17370 from jmartin-r7 – A bug has been fixed in the smb_enumshares.rb whereby if a SMBv1 connection is used a call was made to the net_share_enum_all function on the wrong object. This has since been updated to address this error.
• #17378 from gwillcox-r7 – A bug has been fixed in the Meterpreter payloads that was preventing Python Meterpreter from being able to utilize its EventLog API properly. Additionally a bug has been fixed in the COFFLoader that prevented BOFLoader from working with some COFF files.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.30…6.2.31
• Full diff 6.2.30…6.2.31

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2022/11/04/metasploit-weekly-wrap-up-182/

C is for cookie

And that’s good enough for Apache CouchDB, apparently. Our very own Jack Heysel added an exploit module based on CVE-2022-24706 targeting CouchDB prior to 3.2.2, leveraging a special default ‘monster’ cookie that allows users to run OS commands.

This fake computer I just made says I’m an Admin

Metasploit’s zeroSteiner added a module to perform Role-based Constrained Delegation (RBCD) on an Active Directory network. If you need someone to vouch for your credentials as an Administrator on a local host and you have a set of specific permissions, this module will allow you to create your own friendly computer object to vouch for you!

Proving your Mettle while watching a fire

FLIR Cameras measure the heat given off by an exothermic reaction, but they also execute Metasploit’s ARM Meterpreter (formerly known as Mettle) payloads as root, thanks to a module by Samy Younsi that takes advantage of CVE-2022-37061, an unauthenticated command injection vulnerability in FLIR AX8 cameras up to and including 1.46.16.

That OpenSSL Vuln was certainly not greater than or equal to the hype

It was a tense and scary Halloween for many when it shouldn’t have been, thanks to a “cryptic” early announcement of an OpenSSL vulnerability that proved to be a bust. On AttackerKB Rapid7 researchers break down why this was not the vuln you feared, or much of a vuln at all.

New module content (5)

• FLIR AX8 unauthenticated RCE by Samy Younsi (https://www.linkedin.com/in/samy-younsi), Thomas Knudsen (https://www.linkedin.com/in/thomasjknudsen), and h00die-gr3y, which exploits CVE-2022-37061 – This adds an exploit module that targets FLIR AX8 thermal cameras. A command injection vulnerability exists in the id POST parameter to the res.php endpoint, which can be leveraged by an unauthenticated attacker to achieve RCE as the root user.
• Webmin File Manager RCE by faisalfs10x and jheysel-r7, which exploits CVE-2022-0824 – This adds a module that exploits improper access controls in Webmin File Manager. An authenticated attacker can coerce Webmin into downloading a malicious CGIcgi script from an attacker-controlled http server. After that, the attacker can further use File Manager utilities to set execute permissions on the cgi script, execute it, and achieve RCE as the root user.
• Apache CouchDB Erlang RCE by 1F98D, Konstantin Burov, Milton Valencia (wetw0rk), _sadshade, and jheysel-r7, which exploits CVE-2022-24706 – A new module has been added to exploit CVE-2022-24706 an RCE within Apache CouchDB prior to 3.2.2 via the Erlang/OTP Distribution protocol, which used a default cookie of "monster" to allow users to connect and run OS commands.
• Linux Gather ManageEngine Password Manager Pro Password Extractor by Charles Yost, Christophe De La Fuente, Rob Simon, and Travis Kaun – This post module gathers ManageEngine’s Password Manager Pro credentials from the local ManageEngine database.
• #17181 from zeroSteiner – Adds a new auxiliary/admin/ldap/rbcd module which uses LDAP to set the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the user provided delegate_to datastore option within Active Directory. This technique is used as part of Role Based Constrained Delegation (RBCD) attacks. Example usage: run rhost=192.168.123.13 [email protected] password=p4$$w0rd delegate_to=dc3$ action=WRITE delegate_from=fake_computer. This new module can be used in conjunction with the existing auxiliary/admin/dcerpc/samr_computer module to create the required fake computer account.

Enhancements and features (6)

• #17155 from h00die – This PR updates version checking for the recent Remote mouse RCE module and updates the docs with a vulnerable version download link.
• #17184 from adfoster-r7 – Updates the metashell upload/download commands to work for powershell and windows sessions.
• #17186 from adfoster-r7 – Fixes broken file writes on windows targets when newlines are present within the uploaded file.
• #17195 from adfoster-r7 – Fixes uploading binary files with identical names to a Windows shell session. Previously this would silently error and not write the new file contents, now the file contents will successfully be written out.
• #17196 from bcoles – Adds new get_hostname library support for Windows sessions.
• #17207 from memN0ps – Updates msfvenom and msfconsole to support formatting shellcode as a Rust array. Example usage: msfvenom -p windows/x64/exec cmd='calc.exe' -f rust.

Bugs fixed (3)

• #17188 from zeroSteiner – Fixes a regression issue that stopped Python Meterpreter working for v3.1-3.3.
• #17190 from zeroSteiner – This sets the bufptr parameter in multiple netapi32 railgun functions to the PLPVOID data type and consequently fixes a crash in the post/windows/gather/enum_domain_tokens module caused by improper data types being set for the bufptr parameter.
• #17213 from bwatters-r7 – Fixes a bug that stopped the post/linux/gather/vcenter_secrets_dump module from loading.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.24…6.2.25
• Full diff 6.2.24…6.2.25

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2022/06/10/metasploit-weekly-wrap-up-161/

A Confluence of High-Profile Modules

This release features modules covering the Confluence remote code execution bug CVE-2022-26134 and the hotly-debated CVE-2022-30190, a file format vulnerability in the Windows Operating System accessible through malicious documents. Both have been all over the news, and we’re very happy to bring them to you so that you can verify mitigations and patches in your infrastructure. If you’d like to read more about these vulnerabilities, Rapid7 has AttackerKB analyses and blogs covering both Confluence CVE-2022-26134 (AttackerKB, Rapid7 Blog)and Windows CVE-2022-30190 (AttackKB, Rapid7 Blog).

Metasploit 6.2

While we release new content weekly (or in real-time if you are using github), we track milestones as well. This week, we released Metasploit 6.2, and it has a whole host of new functionality, exploits, and fixes

New module content (2)

• Atlassian Confluence Namespace OGNL Injection by Spencer McIntyre, Unknown, bturner-r7, and jbaines-r7, which exploits CVE-2022-26134 – This module exploits an OGNL injection in Atlassian Confluence servers (CVE-2022-26134). A specially crafted URI can be used to evaluate an OGNL expression resulting in OS command execution.
• Microsoft Office Word MSDTJS by mekhalleh (RAMELLA Sébastien) and nao sec, which exploits CVE-2022-30190 – This PR adds a module supporting CVE-2022-30190 (AKA Follina), a Windows file format vulnerability.

Enhancements and features (2)

• #16651 from red0xff – The test_vulnerable methods in the various SQL injection libraries have been updated so that they will now use the specified encoder if one is specified, ensuring that characters are appropriately encoded as needed.
• #16661 from dismantl – The impersonate_ssl module has been enhanced to allow it to add Subject Alternative Names (SAN) fields to the generated SSL certificate.

Bugs fixed (4)

• #16615 from NikitaKovaljov – A bug has been fixed in the IPv6 library when creating solicited-multicast addresses by finding leading zeros in last 16 bits of link-local address and removing them.
• #16630 from zeroSteiner – The auxiliary/server/capture/smb module no longer stores duplicate Net-NTLM hashes in the database.
• #16643 from ojasookert – The exploits/multi/http/php_fpm_rce module has been updated to be compatible with Ruby 3.0 changes.
• #16653 from adfoster-r7 – :
  This PR fixes an issue where named pipe pivots failed to establish the named pipes in intermediate connections.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.1…6.2.2
• Full diff 6.2.1…6.2.2

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2022/01/21/metasploit-wrap-up-145/

while (j==shell); Log4j;

The Log4j loop continues as we release a module targeting vulnerable vCenter releases. This is a good time to suggest that you check your vCenter releases and maybe even increase the protection surrounding them, as it’s been a rough year-plus for vCenter.

Let your shell do the walking

bcoles sent us a module that targets Grandstream GXV3175IP phones that allows remote code execution. It’s always fun to get a shell on a phone.

New module content (2)

• Grandstream GXV3175 ‘settimezone’ Unauthenticated Command Execution by Brendan Scarvell, alhazred, and bcoles, which exploits CVE-2019-10655 – A new module has been added in that exploits CVE-2019-10655, an unauthenticated remote code execution bug in Grandstream GXV3175. Authentication is bypassed via a buffer overflow in the way the phonecookie cookie is parsed, after which a command injection vulnerability in the ‘settimezone’ action’s ‘timezone’ parameter is exploited to gain RCE as the root user.
• VMware vCenter Server Unauthenticated JNDI Injection RCE (via Log4Shell) by RageLtMan, Spencer McIntyre, jbaines-r7, and w3bd3vil, which exploits CVE-2021-44228 – This PR adds a vCenter-specific exploit leveraging the Log4Shell vulnerability to achieve unauthenticated RCE as root / SYSTEM. This exploit has been tested on both Windows and Linux targets.

Enhancements and features

• #16075 from bcoles – The post/multi/manage/sudo module has been enhanced to print out a warning message and exit early if the session type that is trying to be upgraded via sudo is Meterpreter, since Meterpreter does not support sudo elevation at present.

Bugs fixed

• #16029 from cdelafuente-r7 – A bug existed in the normalize function of lib/msf/core/opt_path.rb whereby the path parameter passed in wasn’t checked to see if it was empty prior to calling File.expand_path on it. In these cases the path returned would be that of the current directory, which could lead to unexpected results. This has been fixed with improved validation to ensure that the path parameter is not an empty string prior to expanding the path.
• #16058 from bcoles – This change fixes a bug where a stack trace was printed in post/multi/recon/local_exploit_suggester when an invalid session option was specified.
• #16063 from bcoles – A bug has been fixed in the local_admin_search_enum module whereby a typo was causing the module to crash on an undefined variable. The typo has been corrected and the module now accesses the correct variable. This has been addressed by fixing the typo, which should now make the module access the correct variable.
• #15727 from NeffIsBack – This PR adds more robust NTLM message parsing with better error handling and messaging when pulling out the NTLM hashes.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.25…6.1.26
• Full diff 6.1.25…6.1.26

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Brendan Watters original https://blog.rapid7.com/2021/09/17/metasploit-wrap-up-130/

Clone your way to code execution

We’ve had a busy week bringing you exploits, features, enhancements, and fixes. Exploit modules for Git and El Finder lead the pack this week with an information disclosure against Jira and a post exploitation module targeting Geutebruck white-labelled cameras to freeze them like every movie ever!

Git push upstream git-lfs:payload

Our own Jack Hysel and Shelby Pace had some fun creating an exploit module targeting Github, originally discovered by Dawid Golunski. The exploit requires a user to clone an infected Github repository to gain remote code execution, and before you ask, we promise it is safe to clone ours.

Jira users

Brian Halbach and Mikhail Klyuchnikov sent us a nice module exploiting CVE-2020-14181 to get a list of Jira users, helping those social engineers among us to get more targets or login scanners more data. Unfortunately, it does not track my tickets and keep them up to date.

New module content (4)

• Jira Users Enumeration by Brian Halbach and Mikhail Klyuchnikov, which exploits CVE-2020-14181 – This obtains user names on Jira Server by exploiting an information disclosure vulnerability that exists at the /ViewUserHover.jspa endpoint.
• elFinder Archive Command Injection by Shelby Pace and Thomas Chauchefoin, which exploits CVE-2021-32682 – This adds an exploit for CVE-2021-32682 which is an unauthenticated RCE in the elFinder PHP application. The vulnerability is due to a flaw that allows a malicious argument to be passed to the zip command when an archive action is performed.
• Git Remote Code Execution via git-lfs (CVE-2020-27955) by Dawid Golunski, jheysel-r7, and space-r7, which exploits CVE-2020-27955 – This adds an exploit for CVE-2020-27955 which is a vulnerability in the Git version control system. The module can be used to execute code in the context of a user that can be convinced to clone a malicious repository.
• Geutebruck Camera Deface by Ibrahim Ayadhi and Sébastien Charbonnier – A new post exploitation module has been added which allows one to take a session on a Geutebruck Camera shell and either freeze the current display stream, replace the current display stream with a static image, or restore the display stream such that it will display the current live feed from the camera.

Enhancements and features

• #15609 from adfoster-r7 – Adds additional metadata to exploit modules to specify Meterpreter command requirements. This information is used to add a descriptive warning when running modules with a Meterpreter implementation that doesn’t support the required command functionality.
• #15674 from digininja – Updates the Apache Tomcat Ghostcat module to correctly handle a larger range of possible success status codes when verifying if the module has succeeded

Bugs fixed

• #15667 from bwatters-r7 – Fix powershell_reverse_tcp file operations and update the file operations test module

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.5…6.1.6
• Full diff 6.1.5…6.1.6

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

• Image credit: Toni Barros from São Paulo, Brasil – Hello, Dolly!, CC BY-SA 2.0 https://creativecommons.org/licenses/by-sa/2.0, via Wikimedia Commons