Post Syndicated from Shelby Pace original https://blog.rapid7.com/2023/04/14/metasploit-weekly-wrap-up-6/

Rocket Software UniRPC Exploits

Ron Bowes submitted two exploit modules for vulnerabilities he discovered in the UniRPC server for Rocket Software’s UniData product. The first exploit module, exploit/linux/misc/unidata_udadmin_auth_bypass exploits an authentication bypass to ultimately gain remote code execution as the root user. The vulnerable RPC service has a hardcoded username, :local: and a predictable password of the form <username>:<uid>:<gid>. Using the root username and its corresponding uid and gid, an attacker can authenticate to the RPC service and execute a shell via the service’s OsCommand command.

The second module, exploit/linux/misc/unidata_udadmin_password_stack_overflow exploits an unauthenticated stack-based buffer overflow through the vulnerable service’s password field. Due to a lack of bounds checking on the buffer that the password is placed into, the saved return pointer can be overwritten, resulting in code execution as the root user.

New SCTP Payloads

Along with SCTP session support, sempervictus added four new payloads that work over the aforementioned stream-based transport protocol. Included in this set are two Unix command payloads that work over socat, a Python command payload, and lastly, a reverse SCTP shell payload for Linux.

Persistent Certificates

This week, adfoster-r7 improved on Metasploit’s support for PKCS12 certificates issued by Active Directory Certificate Services (AD CS). The improvements cause the existing admin/dcerpc/icpr_cert module to store certificates in the same manner as other credentials are stored when a database is attached. Now certificates will be visible from the creds command, and new ones can be added using creds add user:alice pkcs12:/path/to/certificate.pfx. This will help users manage these certificates and reuse them for Kerberos authentication with the admin/kerberos/get_ticket module and the CERT_FILE option as well as LDAP modules such as gather/ldap_query with the LDAP::CertFile option.

New module content (6)

Rocket Software Unidata udadmin_server Authentication Bypass

Author: Ron Bowes
Type: Exploit
Pull request: #17832 contributed by rbowes-r7
AttackerKB reference: CVE-2023-28503

Description: This adds two exploit modules that target UniData versions 8.2.4 (and earlier) on Linux. Due to a flaw in the udadmin service implementation, it is possible to get remote command execution as the root user. One module leverages a stack buffer overflow in a "password" field (CVE-2023-28502) and the other is an authentication bypass (CVE-2023-28503).

Rocket Software Unidata udadmin_server Stack Buffer Overflow in Password

Author: Ron Bowes
Type: Exploit
Pull request: #17832 contributed by rbowes-r7
AttackerKB reference: CVE-2023-28502

Description: This adds two exploit modules that target UniData versions 8.2.4 (and earlier) on Linux. Due to a flaw in the udadmin service implementation, it is possible to get remote command execution as the root user. One module leverages a stack buffer overflow in a "password" field (CVE-2023-28502) and the other is an authentication bypass (CVE-2023-28503).

SCTP Sessions

Author: sempervictus
Type: Payload
Pull request: #17502 contributed by sempervictus

Description: This PR adds support for SCTP sessions which Metasploit Framework can utilize for session transports similarly to TCP as it is a stream-wise transport.

Enhancements and features (5)

• #17353 from adfoster-r7 – Adds support for persisting PKCS12 credentials in Metasploit, i.e. .pfx/.p12 files. The auxiliary/admin/dcerpc/icpr_cert and auxiliary/admin/dcerpc/cve_2022_26923_certifried modules will now persist requested certificates for future exploitation. The creds command can also directly persist certificates – for example: creds add user:alice pkcs12:/path/to/certificate.pfx.
• #17502 from sempervictus – This PR adds SCTP sessions which Metasploit Framework can utilize for session transports similarly to TCP as it is a stream-wise transport.
• #17804 from cgranleese-r7 – Fixes the metadata for multiple modules which had invalid reference names, incorrect rankings, missing notes, etc. Additionally, this adds automation for verifying module metadata is correct.
• #17821 from bcoles – This enables the import of Nuclei scan results using the db_import command. Both JSON and JSONL formats are supported.
• #17862 from bcoles – Updates msfvenom to require apktools version 2.7.0 or greater when attempting to modify Android apk files, as it includes security improvements and bug fixes.

Bugs fixed (4)

• #17851 from Ryuuuuu – Updates the exploits/linux/http/apache_couchdb_cmd_exec to no longer report the target host as being vulnerable when the CouchDB version could not be extracted..
• #17864 from Ryuuuuu – A bug has been fixed in auxiliary/admin/http/trendmicro_dlp_traversal and auxiliary/admin/http/tomcat_utf8_traversal whereby print_good was used when a file was missing instead of print_error.
• #17867 from Ryuuuuu – A bug has been fixed in the modules/auxiliary/scanner/http/surgenews_user_creds.rb module whereby the code did not properly check if there were no users in the nwauth.add file prior to proceeding to operate on it.
• #17872 from adfoster-r7 – Fixes a crash when modules relied on a hash identifying method that wasn’t always available. This method is now available as expected and modules will no longer crash.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.3.11…6.3.12
• Full diff 6.3.11…6.3.12

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2023/01/27/metasploit-weekly-wrap-up-190/

Cacti Unauthenticated Command Injection

Thanks to community contributor Erik Wynter, Metasploit Framework now has an exploit module for an unauthenticated command injection vulnerability in the Cacti network-monitoring software. The vulnerability is due to a proc_open() call that accepts unsanitized user input in remote_agent.php. Provided that the target server has data that’s tied to the POLLER_ACTION_SCRIPT_PHP action, the vulnerable proc_open() call can be reached with a single GET request. Successful exploitation will result in a session as the user running the Cacti server.

Python Meterpreter Gets a Few Upgrades

The latest release includes some improvements to Python Meterpreter which gets the payload a little closer to feature parity with Windows Meterpreter. For Windows Python Meterpreter, NtAlexio2 added the enumdesktops command, which like with Windows Meterpreter, enumerates all of the accessible desktops it can find. Our very own zeroSteiner added dual stack IPv4 / IPv6 TCP support for Python Meterpreter. Working across both Windows and Linux, this improvement enables Python Meterpreter to listen on all interfaces it can listen on, including ones that have IPv6 addresses.

New module content (1)

Cacti 1.2.22 unauthenticated command injection

Authors: Erik Wynter, Owen Gong, Stefan Schiller, and Steven Seeley
Type: Exploit
Pull request: #17407 contributed by ErikWynter
AttackerKB reference: CVE-2022-46169

Description: This adds an exploit that targets various versions of Cacti network-monitoring software. For versions 1.2.22 and below, there exists an unauthenticated command injection vulnerability in remote_agent.php that when exploited, will result in remote code execution as the user running the Cacti server.

Enhancements and features (3)

• #17340 from zeroSteiner – The Python Meterpreter has been updated to warn that the bind information is ignored when a reverse port forward is created to prevent confusion when this information is supplied by a user.
• #17518 from zeroSteiner – A new adapter has been added to run Python payloads on Windows. This is notably useful for testing Python payloads as SYSTEM or delivered on demand through an exploit module such as psexec.
• #17519 from jmartin-r7 – Improves the SMTP delivery error handling for the auxiliary/client/smtp/emailer module.

Bugs fixed (2)

• #17516 from zeroSteiner – The version of Metasploit-payloads has been bumped up to add support for dual IPv4/IPv6 stacks to Python Meterpreter, add support for enumerating desktops with the enumdesktops command to Python Meterpreter, and also add support for binding to the specified localhost to compiled versions of Meterpreter.
• #17525 from adfoster-r7 – Fixes a deprecation warning when using socks proxy support in Metasploit.

Documentation

You can find the latest Metasploit documentation on our docsite at docs.metasploit.com.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.36…ab60df7cda8594f03a3f95eb2329d57b75b3124e
• Full diff 6.2.36…ab60df7cda8594f03a3f95eb2329d57b75b3124e

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2022/10/28/metasploit-weekly-wrap-up-180/

GLPI htmLawed PHP Command Injection

Our very own bwatters-r7 wrote a module for an unauthenticated PHP command injection vulnerability that exists in various versions of GLPI. The vulnerability is due to a third-party vendor test script being present in default installations. A POST request to vendor/htmlawed/htmlawed/htmLawedTest.php directly allows an attacker to execute exec() through the hhook and test parameters, resulting in unauthenticated RCE as the www-data user. The GLPI project has released an advisory detailing patched versions available for download and also noting that this vulnerability has been seen exploited in the wild.

Vagrant Breakout Exploit

Community contributor bcoles added a module that exploits a built-in Vagrant feature to break out of a Vagrant box and gain access to the host system. Specifically, the shared project folder that exists on the host is mounted on the guest Vagrant box as a writable directory, and the project’s configuration file exists there. Every time a user on the host executes a vagrant command from within the project directory, the Ruby code within the config file gets executed. As a result, an attacker can add arbitrary code to the config file, wait for the user to run a vagrant command, and then gain a shell on the host system with the privileges of the user who ran the command. Since there is no intention to patch this issue, denying the shared folders feature for Vagrant projects is the best way to prevent this.

vCenter Secrets Dump Module

h00die and npm-cesium137-io submitted a post module that targets vCenter appliances. Using an elevated session, this module collects DC credentials, SSO user accounts and hashes, domain information, certificates, and more. The information gathered can be used to add new SSO admin users to vCenter, sign forged SAML assertions, and to dump more data via the auxiliary/gather/vmware_vcenter_vmdir_ldap module.

New module content (3)

• GLPI htmLawed php command injection by bwatters-r7 and cosad3s, which exploits CVE-2022-35914 – This PR adds a module for CVE-2022-35914, a php command injection vulnerability in GLPI versions up to and including 10.0.2.
• Vagrant Synced Folder Vagrantfile Breakout by bcoles – This PR adds a module that exploits a default Vagrant shared folder to append a Ruby payload to the Vagrant project Vagrantfile config file. The payload gets executed the next time the user runs a vagrant command.
• vCenter Secrets Dump by h00die and npm-cesium137-io – This PR adds the post/linux/gather/vcenter_secrets_dump module to dump vCenter vmdir dcAccountPassword and platform certificates.

Enhancements and features (7)

• #16979 from gwillcox-r7 – This improves the existing ldap_query module by allowing it to decode some data types into a human readable format.
• #17050 from usiegl00 – This updates the osx stager to no longer write artifacts to disk when performing in-memory code loading.
• #17071 from gwillcox-r7 – This adds additional predefined LDAP queries to the existing ldap_query module that can help enumerate specific information in support of certain attack paths.
• #17128 from cgranleese-r7 – Updates auxiliary/scanner/smb/smb_enumshares to support specifying a share name such as run smb://Account:Password@TargetIP spidershares=true showfiles=true share=TargetShareName. Useful files are now also highlighted automatically.
• #17164 from r3nt0n – This adds a new option, THEME_DIR to the exploit/multi/http/wp_crop_rce module that is useful when the current WordPress theme cannot be auto-detected by the module or when a user leverages other means of determining the theme.
• #17176 from llamasoft – This updates the Python Meterpreter stage to calculate the necessary data for AES encryption at runtime which reduces the stage size by about 6,000 bytes.
• #17185 from adfoster-r7 – Updates msfconsole’s tips command to include the analyze command, as well as hosts -R and services -R

Bugs fixed (2)

• #17172 from bcoles – Fixes a bug in Msf::Post::File.append_file which caused file contents to be overwritten on non-Windows sessions.
• #17187 from ErikWynter – Fixes an issue in the aerohive_netconfig_lfi_log_poison_rce exploit module that resulted in the vulnerable version 10.0r8 being flagged as non-vulnerable

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.23…6.2.24
• Full diff 6.2.23…6.2.24

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2022/08/26/metasploit-wrap-up-173/

Zimbra Auth Bypass to Shell

Ron Bowes added an exploit module that targets multiple versions of Zimbra Collaboration Suite. The module leverages an authentication bypass (CVE-2022-37042) and a directory traversal vulnerability (CVE-2022-27925) to gain code execution as the zimbra user. The auth bypass functionality correctly checks for a valid session; however, the function that performs the check does not return and instead proceeds with execution. Because of this, an attacker only needs a valid account to get a shell. The directory traversal vulnerability lives in Zimbra’s Zip file extraction functionality, enabling an attacker to write an arbitrary file to a web directory. Coupling those two vulnerabilities together, the module writes a JSP shell to the target via a POST request to the /mboximport endpoint. These vulnerabilities have been reported as exploited in the wild.

Another Deserialization Flaw in Exchange

Our very own zeroSteiner submitted a new module that exploits an authenticated .Net deserialization vulnerability in Microsoft Exchange. The vulnerability is due to a flaw in the ChainedSerializationBinder, a type validator for serialized data. Provided the attacker has credentials for at least a low-privileged user, this exploit will result in code execution as NT AUTHORITY\SYSTEM.

New module content (2)

• Zip Path Traversal in Zimbra (mboximport) (CVE-2022-27925) by Ron Bowes, Volexity Threat Research, and Yang_99’s Nest, which exploits CVE-2022-37042 – adds a module for CVE-2022-27925 and CVE-2022-37042. An attacker can exploit these issues to bypass authentication and then exploit a ZIP file path directory traversal vulnerability to gain RCE as the zimbra user.
• #16915 from zeroSteiner – A new module has been added for CVE-2022-23277 which is another ChainedSerializationBinder bypass that results in RCE on vulnerable versions of Exchange prior to the March 8th 2022 security updates.

Enhancements and features (6)

• #16701 from jbaines-r7 – This improves the original auxiliary/scanner/http/cisco_asa_asdm scanner module by adding the ability to brute force the Cisco ASA’s Clientless SSL VPN (webvpn) interface. The old module has been replaced by two new modules, this one and auxiliary/scanner/http/cisco_asa_asdm_bruteforce, which provide brute force of the Cisco ASA’s ASDM interface directly.
• #16898 from bcoles – This adds a Msf::Post::Windows::Accounts.domain_controller? method and removes is_dc? methods from several modules in favor of using the new method.
• #16899 from bcoles – This removes the domain_list_gen Meterpreter script which has been replaced by the post/windows/gather/enum_domain_group_users post module.
• #16907 from bcoles – This improves the MS10-092 LPE exploit module. It uses the new task manager mixin, adds additional module metadata, and documentation.
• #16912 from bcoles – This removes the sound recorder Meterpreter script. It has been replaced by the record_mic post module.
• #16938 from zeroSteiner – The ldap_query module has been updated to allow the stored query templates to specify a Base DN prefix. Additionally, two ADCS-related queries that then use this to enumerate certificate authorities and certificate templates.

Bugs fixed (4)

• #16925 from rbowes-r7 – This fixes some issues with the payload generation in the UnRAR generic exploit module (CVE-2022-30333). This also adds the option to provide its own custom payload.
• #16931 from bcoles – A bug has been fixed in Rex::Post::Meterpreter::Extensions::Stdapi::AudioOutput.play_file where a channel would be opened before the path parameter was verified. This could lead to dangling channels being opened which would not be closed until Meterpreter was shut down.
• #16935 from adfoster-r7 – Fixes multiple SSH warnings when loading msfconsole on Ubuntu 22.04 or the latest Kali version.
• #16936 from adfoster-r7 – Fixes a crash when using evasion modules when mingw is not present on the host machine for generating encrypted payloads.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.13…6.2.14
• Full diff 6.2.13…6.2.14

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2022/08/05/metasploit-weekly-wrap-up-170/

Log4Shell in MobileIron Core

Thanks to jbaines-r7 we have yet another Log4Shell exploit. Similar to the other Log4Shell exploit modules, the exploit works by sending a JNDI string that once received by the server will be deserialized, resulting in unauthenticated remote code execution as the tomcat user. Vulnerable versions of MobileIron Core have been reported as exploited in the wild.

VMware Workspace ONE Access LPE

Our very own Spencer McIntyre discovered and added a local privilege escalation module for CVE-2022-31660 in VMware Workspace ONE Access. By default, the horizon user has write permissions to the /opt/vmware/certproxy/bin/cert-proxy.sh script, and the sudo configuration does not require supplying a password when invoking the script. Due to this, an attacker can write arbitrary code to the /opt/vmware/certproxy/bin/cert-proxy.sh script and escalate their privileges to that of the root user by executing the certproxyService.sh with sudo. Because the horizon user runs the externally-facing web application in VMware Workspace ONE Access, CVE-2022-22954 can be leveraged for initial access to the target.

XML-RPC Unauthenticated RCE in Zoho Password Manager

Grant Willcox of the Metasploit team added a module that exploits a deserialization flaw in Zoho Password Manager Pro. Sending a single POST request containing XML-RPC data to the /xmlrpc endpoint will result in unauthenticated code execution as NT AUTHORITY\SYSTEM.

New module content (5)

• Cisco PVC2300 POE Video Camera configuration download by Craig Heffner and Erik Wynter – This adds a module targeting Cisco PVC2300 IP Cameras that will download the configuration file using hard-coded credentials.
• BACnet Scanner by Paz – This adds a new scanner module that discovers BACnet devices on the network and extracts model name, software version, firmware revision, and device description. Once the data is processed, it is displayed on screen and saved to a local xml file.
• MobileIron Core Unauthenticated JNDI Injection RCE (via Log4Shell) by RageLtMan, Spencer McIntyre, jbaines-r7, and rwincey, which exploits CVE-2021-44228 – This adds an exploit for MobileIron which is affected by the Log4Shell vulnerability. The result is an unauthenticated remote code execution in the context of the web application user.
• VMware Workspace ONE Access CVE-2022-31660 by Spencer McIntyre, which exploits CVE-2022-31660 – This module exploits CVE-2022-31660, an LPE disclosed by VMware in VMSA-2022-0021. The underlying flaw is that the /opt/vmware/certproxy/bin/cert-proxy.sh script is writable by the horizon user who can also indirectly execute it by invoking the certproxyService.sh script via sudo which is permitted without a password, enabling escalation to root.
• Zoho Password Manager Pro XML-RPC Java Deserialization by Grant Willcox, Vinicius, and Y4er, which exploits CVE-2022-35405 – This PR adds in an exploit module for CVE-2022-35405 aka Zoho Password Manager Pro XML-RPC Unauthenticated RCE as SYSTEM.

Enhancements and features (3)

• #16833 from gwillcox-r7 – This PR adds an option to the host command to make it easier to delete host tags.
• #16840 from bcoles – This replaces some Meterpreter-only method calls with method calls that check the session type, which allows non-Meterpreter sessions to use read_profile_list
  and load_missing_hives. Also, this changes read_profile_list to be able to read profile information for all accounts.
• #16858 from adfoster-r7 – This updates ZeroLogon to have better error handling in the check method. This will cause the error from an invalid NetBIOS name to be reported with a meaningful message.

Bugs fixed (8)

• #16820 from gwillcox-r7 – This PR fixes an issue in the ldap_query module where if the datastore option "action" wasn’t set the module would fail.
• #16822 from adfoster-r7 – This fixes a bug in Rex::Ui::Text::Input::Buffer::BufferSock that was causing data to be occasionally lost due to the rsock monitor routine stopping abruptly.
• #16825 from rbowes-r7 – The IMAP credential capture module did not appropriately handle literal strings as specified by RFC3501. The code has been updated to handle these strings efficiently.
• #16832 from gwillcox-r7 – This fix removes an unnecessary echo statement from the ms10_092_schelevator module.
• #16839 from bcoles – Fixes shell_registry_enumvals/getvaldata error checking.
• #16844 from bcoles – This PR updates the post/multi/gather module to support non-meterpreter sessions like shell and powershell.
• #16846 from jmartin-r7 – Updates auxiliary/scanner/ssh/ssh_login to gracefully handle Errno::EPIPE exceptions.
• #16848 from jmartin-r7 – Fix a crash when updating session information in Meterpreter.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.2.10…6.2.11
• Full diff 6.2.10…6.2.11

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest.
To install fresh without using git, you can use the open-source-only Nightly Installers or the
binary installers (which also include the commercial edition).

Post Syndicated from Shelby Pace original https://blog.rapid7.com/2022/04/29/metasploit-wrap-up-153/

Redis Sandbox Escape

Our very own Jake Baines wrote a module that performs a sandbox escape on Redis versions between 5.0.0 and 6.1.0 and achieves remote code execution as the redis user. Redis installations can be password protected, so this module supports exploiting the vulnerability with and without authentication.

While this module targets Redis software, the vulnerability (CVE-2022-0543) only presents itself on Debian-based Linux distributions due to the Lua package interface remaining enabled. The existence of the Lua package interface means that arbitrary libraries can be loaded and used to evade the protections of the sandbox. This vulnerability has been reported as being exploited in the wild.

Antivirus Enumeration

Thanks to sempervictus we now have a post module for enumerating installed antivirus products on Windows systems. Using either a Meterpreter or shell session, the module detects these installations through WMI queries and saves the information to the database. Some of the data returned includes versioning information, possibly clueing a user in on a potential next target for privilege escalation.

New module content (2)

• Redis Lua Sandbox Escape by Reginaldo Silva and jbaines-r7, which exploits CVE-2022-0543 – This exploit achieves remote code execution as the redis user via a sandbox escape in several Redis versions distributed through Debian-based Linux distributions.
• Windows Installed AntiVirus Enumeration by rageltman – This adds a module that enumerates all installed AV products on Windows.

Enhancements and features (1)

• #16486 from adfoster-r7 – This adds an initial set of pen testing docs to https://docs.metasploit.com/docs/pentesting/

Bugs fixed (2)

• #16450 from ORelio – This updates exploit/multi/vnc/vnc_keyboard_exec to include a delay that increases reliability when getting a shell and typing out long commands.
• #16509 from adfoster-r7 – This ensures proper escaping of HTML in code blocks that are produced by the info -d command.

Get it

As always, you can update to the latest Metasploit Framework with msfupdate
and you can get more details on the changes since the last blog post from
GitHub:

• Pull Requests 6.1.39…6.1.40
• Full diff 6.1.39…6.1.40

If you are a git user, you can clone the Metasploit Framework repo (master branch) for the latest. To install fresh without using git, you can use the open-source-only Nightly Installers or the binary installers (which also include the commercial edition).