All posts by Louis Sato

Metasploit Wrap-Up

Post Syndicated from Louis Sato original https://blog.rapid7.com/2021/09/10/metasploit-wrap-up-129/

Confluence Server OGNL Injection

Metasploit Wrap-Up

Our own wvu along with Jang added a module that exploits an OGNL injection (CVE-2021-26804)in Atlassian Confluence’s WebWork component to execute commands as the Tomcat user. CVE-2021-26804 is a critical remote code execution vulnerability in Confluence Server and Confluence Data Center and is actively being exploited in the wild. Initial discovery of this exploit was by Benny Jacob (SnowyOwl).

More Enhancements

In addition to the module, we would like to highlight some of the enhancements that have been added for this release. Contributor e2002e added the OUTFILE and DATABASE options to the zoomeye_search module allowing users to save results to a local file or local database along with improving the output of the module to provide better information about the target. Our own dwelch-r7 has added support for fully interactive shells against Linux environments with shell -it. In order to use this functionality, users will have to enable the feature flag with features set fully_interactive_shells true. Contributor pingport80 has added powershell support for write_file method that is binary safe and has also replaced explicit cat calls with file reads from the file library to provide broader support.

New module content (1)

Enhancements and features

  • #15278 from e2002e – The zoomeye_search module has been enhanced to add the OUTFILE and DATABASE options, which allow users to save results to a local file or to the local database respectively. Additionally the output saved has been improved to provide better information about the target and additional error handling has been added to better handle potential edge cases.
  • #15522 from dwelch-r7 – Adds support for fully interactive shells against Linux environments with shell -it. This functionality is behind a feature flag and can be enabled with features set fully_interactive_shells true
  • #15560 from pingport80 – This PR add powershell support for write_file method that is binary safe.
  • #15627 from pingport80 – This PR removes explicit cat calls and replaces them with file reads from the file library so that they have broader support.

Bugs fixed

  • #15634 from maikthulhu – This PR fixes an issue in exploit/multi/misc/erlang_cookie_rce where a missing bitwise flag caused the exploit to fail in some circumstances.
  • #15636 from adfoster-r7 – Fixes a regression in datastore serialization that caused some event processing to fail.
  • #15637 from adfoster-r7 – Fixes a regression issue were Metasploit incorrectly marked ipv6 address as having an ‘invalid protocol’
  • #15639 from gwillcox-r7 – This fixes a bug in the rename_files method that would occur when run on a non-Windows shell session.
  • #15640 from adfoster-r7 – Updates modules/auxiliary/gather/office365userenum.py to require python3
  • #15652 from jmartin-r7 – A missing dependency, py3-pip, was preventing certain external modules such as auxiliary/gather/office365userenum from working due to requests requiring py3-pip to run properly. This has been fixed by updating the Docker container to install the missing py3-pip dependency.
  • #15654 from space-r7 – A bug has been fixed in lib/msf/core/payload/windows/encrypted_reverse_tcp.rb whereby a call to recv() was not being passed the proper arguments to receive the full payload before returning. This could result in cases where only part of the payload was received before continuing, which would have resulted in a crash. This has been fixed by adding a flag to the recv() function call to ensure it receives the entire payload before returning.
  • #15655 from adfoster-r7 – This cleans up the MySQL client-side options that are used within the library code.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Metasploit Wrap-Up

Post Syndicated from Louis Sato original https://blog.rapid7.com/2021/01/29/metasploit-wrap-up-96/

MobileIron MDM Hessian-Based Java Deserialization RCE

Metasploit Wrap-Up

Our very own wvu-r7 has added exploits/linux/http/mobileiron_mdm_hessian_rce, which exploits an ACL bypass in MobileIron MDM products to execute a Java deserialization attack using a Groovy gadget against a Hessian based endpoint. (CVE-2020-15505). MDM helps organizations manage and control all employees’ devices, requiring it to be publicly reachable to synchronize devices, making this an appealing target. This exploit has been included on the U.S. National Security Agency’s list of vulnerabilities known to be exploited by Chinese state-sponsored threat actors. More information about this exploit can be found here.

PEAR Archive_Tar < 1.4.11 Arbitrary File Write

exploits/multi/fileformat/archive_tar_arb_file_write has been added by gwillcox-r7, which adds support for CVE-2020-28949. CVE-2020-28949 is a vulnerability which affects the Archive_Tar plugin of the PEAR PHP development framework and is caused by Archive_Tar’s lack of validation of file stream wrappers contained within filenames, which for allows the writing of an arbitrary file containing user controlled content to an arbitrary location on disk.

Micro Focus UCMDB Java Deserialization Unauthenticated Remote Code Execution

Community contributor Pedro Ribeiro has added exploits/multi/http/microfocus_ucmdb_unauth_deser, which exploits two vulnerabilities CVE-2020-11853 and CVE-2020-11854, that when chained allow an attacker to achieve unauthenticated remote code execution in Micro Focus UCMDB. CVE-2020-11854 is the use of a hardcoded password for the "diagnostics" user, which allows attackers to log into UCMDB. CVE-2020-11853 takes advantage of the fact that after authentication, almost all of the UCMDB client’s communication is done using Java serialized objects, allowing an authenticated attacker to inject a malicious Java serialized object into a POST body to one of the vulnerable endpoints to achieve remote code execution as root or SYSTEM.

New modules (5)

Enhancements and features

  • PR #14383 by h00die added two new external module examples in python, one as an exploit module example and the other as an auxiliary example.
  • PR #14651 by bcoles updates msftidy to verify that all modules have a module description.
  • PR #14564 by adfoster-r7 updates internal Metasploit libraries to dependency inject the currently active module when performing tab completion for users.
  • PR #14432 by cn-kali-team adds a new function report_creds to the kiwi.rb and priv/password.rb Meterpreter libraries. This function ensures that credentials dumped via Kiwi or via the hashdump command are now appropriately captured in the creds database, allowing users to replay them later on, or attempt to crack them and obtain the plain text password.

Bugs fixed

  • PR #14664 by s1e2b3i4 applies a fix to auxiliary/scanner/ssh/ssh_enumusers.rb to ensure that error messages that occur when a user doesn’t exist on the target system, or whom can’t connect remotely, are not displayed unless the VERBOSE flag is set.
  • PR #14657 by jmartin-r7 updates Metasploit’s docker build process to download pip from an alternative Github download source now that python2 will no longer be available after January 30th 2021.
  • PR #14650 by bcoles updates local_exploit_suggester to correctly store rhost information in the database, as previously this would crash.
  • PR #14647 by zeroSteiner addresses a typo introduced in #14582 whereby non-existent value is used to populate the tab completion array for the run command of modules that support actions as commands, resulting in msfconsole crashing when tab completion was attempted. Users should now be able to do tab completion using the run command without errors.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).